Financial Daily from THE HINDU group of publications, Wednesday, May 08, 2002
A stitch in time
Neha Kapoor
"IT security is like insurance; no one questions when you take a life insurance policy. Security solutions, then, are like an insurance policy that you take for information critical to your organisation," says Jayshree Mukund, Partner, Information Systems Assurance & Advisory Services, Ernst & Young.

From being a mere fad a couple of years ago, IT security has today become a serious issue, a cause of concern for quite a few Indian organisations, she says. "People are realising that security is not just about technology but about differentiating between the pockets of information across your organisation and deciding what is critical and needs protection," she adds.

It's another matter that most companies wouldn't even have an IT security policy in place and the handful that do would, in all probability, not have implemented it! Yet, just the fact that more of corporate India is "becoming aware of security threats to their systems" is an achievement of sorts.

Ernst & Young's Global Information Security Survey 2002, conducted across 17 countries, says that 70 per cent of Indian chief information officers (CIOs), IT Directors and business executives surveyed indicate that they expect to experience greater vulnerability as connectivity increases. A majority of respondents also indicated that critical business systems are increasingly interrupted: 76 per cent experienced unexpected unavailability. Yet business continuity plans exist at only 47 per cent of Indian companies, as compared to 53 per cent globally, and over half the respondents do not have agreed recovery timescales, the survey says.

Meanwhile, employee awareness of information security policies and procedures is cited by 68 per cent of respondents as a barrier to achieving effective security. Even so, only half of those surveyed have employee awareness and training programmes in place to ensure that security policies underpinning technical solutions are understood and adhered to, the survey says.

Says Jayshree Mukund, "Two years ago, when we advised companies on Disaster Recovery Plans (DRPs) and Business Continuity Plans (BCPs), many CIOs claimed to have back-ups taken at regular intervals. Once we actually asked one of them to bring in his floppy with the back-up data, it didn't work and only then did he realise that while he was comfortable thinking that regular back-ups were being taken, the fact was that these measures weren't workable in the least. If at all something happened to these floppies, then the company would be at a loss for what to do."

"But now, especially after 9/11, there is a lot of talk around DRPs and BCPs. Some companies are seriously looking at these," she says. Surprising that companies in India should take the initiative in DRP after 9/11 and not after the devastating Gujarat earthquake in January last year!

The survey says that 70 per cent of organisations stated they plan to enhance business continuity and IT disaster-recovery plans. While this is encouraging, it is disturbing that only 29 per cent treated BCP as a business unit expenditure and 45 per cent said it is within the IT budget, indicating, perhaps, that many organisations still perceive business continuity as a responsibility of IT and not the business.

Nonetheless, corporates are beginning to look at security infrastructure in a more focussed manner than ever before, says Jayshree Mukund. "In our 1999 survey, for India specifically, we found that there were no focussed budgets on IT security while there have been budgets for IT implementation. Now, however, the amount doled out for security has increased significantly, though most companies still do not have a specific annual security budget. It's still a part of the overall IT budget."

Also, organisations have to realise that security is not about technology alone; it also involves building a certain security consciousness among end-users.

The survey found that less than half the respondents have deployed an IT security training and awareness programme, although a further 31 per cent plan to address this key activity. This indicates a critical gap in effective security implementation that's all the more surprising because three quarters of respondents stated they have an explicit and well-understood security strategy.

The survey adds that the highest level of activity seems to take place in what is regarded as the 'minimum' of information systems security, e.g. anti-virus, access management and firewall management. Forty per cent of organisations do not investigate incidents, yet failure to investigate systems incidents increases the likelihood of undetected damage and creation of 'back doors' for later malicious use.

"More people-focused security awareness campaigns within organisations are necessary. You have to drive the security aspect into the heads of your employees in terms of how important it is to your business. Some companies, for example, are building security awareness by actually including it in the employee appraisals. So it is a parallel effort on both the tech and people front," says Jayshree Mukund.

"The top companies which have gone through the IT implementation stage in a rush are now asking, what next? In a rush to get the systems running, a lot of things were overlooked. But you have to realise that as and when technology reaches each and every user in the organisation, it becomes more people-intensive. Hence, any security measure thereafter has to be people-intensive," she says.
Copyright © 2002, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line.