Think beyond anti-virus and firewalls
Viruses and worms are not the only threats, and organizations
need to consider other protective measures like IDS, Access Control and Identity
Management for more complete protection.
by Anil Patrick R
Viruses and denial of service attacks bring operations to a standstill, disgruntled
employees can cause havoc, and there are other malicious programs that can cause
disruption. The Indian corporate is completely aware of these, but it has a
long way to go in establishing almost bullet-proof security.
Are we implying that Indian organizations do not invest in security? No. Compared
to IS 2003 the number of companies investing in the various security solutions
has increased this year. 61 percent of organizations plan to invest in security
during 2004-05 as against 55 percent last year.
On average, 19 percent of the IT budget is spent on Security, with an
expected average spend of 20 percent in the coming year. The difference
might be just a point, but it is an indicator of the increasing levels of
security awareness. It is also a pointer to how regulations are driving many
organizations (especially BFSI, IT/ITES/Telecom) towards establishing
Fort Knox-like security. These verticals have been the biggest investors
in Security in the past.
BFSI is likely to spend almost a third (30 percent) of the IT budget on Security
in the next one year. But the big surprise is Chemical & Pharma companies: the
survey indicates that companies in this vertical are likely to spend 35 percent
of the IT budget on Security (the highest among all verticals).
The three most critical security issues according to the organizations surveyed
are Viruses (92 percent), Internet security (48 percent) and Hackers (36 percent).
The great disparity in numbers among the critical threats points to the mentality
that viruses are usually considered the biggest threats to organizational security
while other threats are not perceived to be too serious. This can be attributed
to the reputation viruses have for bringing operations to a halt and causing
irreparable damage. The other threats may not usually have such visible effects but often
have more serious consequences in the aftermath.
A closer look at the figures throws up more disturbing news. More than half
of Indian organizations are vulnerable to Internet attacks. What's more
disturbing, 70 percent of the respondents do not see theft or damage to data
as a critical issue. Will you as a customer prefer to deal with such organizations?
Or worse still, is your business one of them?
The technology perspective
As might be obvious from the earlier discussion, anti-virus solutions are the
most widely deployed security infrastructure components (97 percent organizations).
Firewalls are close behind with 82 percent of organizations having these solutions.
A similar trend was observed last year when we analyzed results of IS 2003.
The findings for IS 2003 showed that 93 percent and 65 percent invested in anti-virus
Clearly, most of India Inc. believes anti-virus and firewall solutions can protect
systems from the various kinds of attacks. But in this age when Trojans arrive
at the Web/Proxy/Mail server on a daily basis and the tribe of hackers is growing,
it makes sense to look at other solutions like IDS and Access Control.
It is surprising to note the lower adoption rate of Intrusion Detection Systems
(IDS) at this stage. Only 31 percent of the surveyed organizations go in for
these, and just 26 percent plan to invest in an IDS during 2004-2005. Organizations
should seriously consider IDS or even the more proactive IPS (Intrusion Prevention
System). Firewalls when clubbed together with IDS put up a stronger defense.
Another reason for worry is the low level of importance accorded to Access Control
Devices and Identity Management. An adoption rate of 32 percent by organizations
for Access Control Devices and 19 percent going in for Identity Management solutions
means over 70 percent of organizations are vulnerable to blackhat hackers.
The future scenario looks bleak as only 21 percent and 11 percent of organizations
plan to invest in Access Control and Identity Management respectively.
The good and the bad
There's good and bad news on the IT security policy front. The good news is
that 71 percent of organizations have a security policy. Enterprises are actively
involved in framing the security policy, with the CEO and functional heads
participating actively in 49 percent of the organizations surveyed.
If the investment in other security solutions is not very forthcoming, the awareness
is certainly there. Data security (91 percent) is the prime area covered by
the security policy. Unauthorized employee access and perimeter security follow
with 81 percent and 53 percent respectively. Regulatory mandates for compliance
notwithstanding, these along with active participation are good signs.
Next comes the frequency of security policy reviews. This is crucial for having
a properly effective policy. It is good to see that 32 percent of the organizations
review their security policy once in three months and 22 percent review once
in six months. 22 percent review the policy once a year, and the rest have no
The bad news is that almost two-thirds (63 percent) of organizations do not
conduct any kind of security audits. This is an irresponsible approach that
can render the entire security infrastructure ineffective. BS7799 (14 percent),
ISO 17799 (8 percent) and COBIT (2 percent) are the most widely used security
audit standards in India.
Another issue in connection with conducting security audits
is the lack of outside involvement in the form of external consultants. Almost
two-thirds (62 percent) conduct security audits in-house. Only 38 percent engage
the services of an external consultant for this purpose.
This is not a desirable approach since an internal audit might be biased. Also,
an external consultant will have a higher level of expertise for detecting vulnerabilities,
by using ethical hacking methods. This can be attributed to the fact that as
consultants they have experience over different types of infrastructure, something
the internal auditors lack. It is in this context that we suggest a combination
of the in-house IT team and external consultants for security audits. In fact,
many of the best security infrastructures in India use separate audits done
by the internal team as well as external consultants. This results in a better
quality of audit.
Chief Security Officers (CSO) are certainly a rare breed in India. Only 25 percent
of Indian organizations have a CSO. As for the rest only 9 percent have plans
to hire a CSO in the future. The tribe of CSOs certainly seems to be heading
down the road to extinction.
Regulations seem to drive the need for a CSO in most organizations, especially
in verticals like Telecom/IT/ITES (31 percent) and BFSI (11 percent). A surprising
entry on this front is the Auto/Auto components segment with 15 percent of them
having future CSO plans. MNCs are considering relocating old manufacturing plants
to Indian shores and this could be a driver for better security. Also the increasing
competition in the Auto sector calls for tighter data security.
The majority of the organizations with a CSO believe that he should report directly
to the CEO (48 percent). And this makes sense since business strategies are
formulated by the CEO. Reporting to the CIO (29 percent) and functional heads
(19 percent) were preferred by the rest of organizations.
From the results it can be seen that IT security in India still has a long way
to go in terms of proper, all-encompassing security measures. Right now,
organizations claim to be secure.
This twilight zone between just randomly putting up technology
solutions and the stage of proper security awareness has to be crossed over
before our organizations can claim to be secure. It is not a difficult task
since all that is required is the awareness that security involves more than
just technology. Think beyond firewalls and anti-virus solutions, for there are other
severe threats besides viruses and worms. After all, better late than never,
as the old adage goes.
- 61 percent of organizations plan to invest in security during 2004-05
as against 55 percent last year.
- The two biggest investors in Security in the next one year are BFSI
(30 percent of companies) and Chemical & Pharma (35 percent).
- The three most critical security issues according to the organizations
surveyed are Viruses (92 percent), Internet security (48 percent) and
Hackers (36 percent).
- 71 percent of organizations have a security policy.
- More than half of Indian organizations are vulnerable to Internet
- 70 percent of the respondents do not see theft or damage to data
as a critical issue.
- Almost two-thirds (63 percent) of organizations do not conduct any
kind of security audit.
- Existing security infrastructure is dominated by the use of anti-virus
(97 percent), firewalls (82 percent) and VPNs (38 percent).
- Organizations should seriously consider IDS or even the more proactive
IPS (Intrusion Prevention System). Firewalls when clubbed together with
IDS put up a stronger defense.
- Open source IDS solutions like Snort can be deployed to obtain cost
benefits and efficiency.
- Implement proper access control measures to ensure data security.
- Conduct security audits regularly. Use a combination of the in-house
IT team and external consultants for security audits.
- A dedicated CSO and a security team are necessary for large infrastructures.