Think beyond anti-virus and firewalls

Viruses and worms are not the only threats and organizations need to consider other protective measures like IDS, Access Control and Identity Management for more complete protection. by Anil Patrick R

Viruses and denial of service attacks bring operations to a standstill, disgruntled employees can cause havoc, and there are other malicious programs that can cause disruption. The Indian corporate is completely aware of these, but it has a long way to go in establishing almost bullet-proof security.

Are we implying that Indian organizations do not invest in security? No. Compared to IS 2003 the number of companies investing in the various security solutions has increased this year. 61 percent of organizations plan to invest in security during 2004-05 as against 55 percent last year.

The average percentage amount of the IT budget spent on Security is 19 percent with an expected likely average spend of 20 percent in the coming year. The difference might be just a point, but

it is an indicator of the increasing levels of security awareness. It is also a pointer to how regulations are driving many organizations (especially BFSI, IT/ITES/Telecom) towards establishing fort-Knox-like security. These verticals have been the biggest investors in Security in the past.

BFSI is likely to spend almost a third (30 percent) of the IT budget on Security in the next one year. But the big surprise is Chemical & Pharma companies—the survey indicates that companies in this vertical are likely to spend 35 percent of the IT budget on Security (the highest among all verticals).

The three most critical security issues according to the organizations surveyed are Viruses (92 percent), Internet security (48 percent) and Hackers (36 percent).

The great disparity in numbers among the critical threats points to the mentality that viruses are usually considered the biggest threats to organizational security while other threats are not perceived to be too serious. It can be attributed to the virus reputation of bringing operations to a halt and causing irreparable damage. The other threats may not usually have such visible effects but often have more serious consequences in the aftermath.

A closer look at the figures throws up more disturbing news. More than half of Indian organizations are vulnerable to Internet attacks. What’s more disturbing, 70 percent of the respondents do not see theft or damage to data as a critical issue. Will you as a customer prefer to deal with such organizations? Or worse still, is your business one of them?

The technology perspective

As might be obvious from the earlier discussion, anti-virus solutions are the most widely deployed security infrastructure components (97 percent organizations). Firewalls are close behind with 82 percent of organizations having these solutions. A similar trend was observed last year when we analyzed results of IS 2003. The findings for IS 2003 showed that 93 percent and 65 percent invested in anti-virus and firewalls.

Clearly, most of India Inc. believes anti-virus and firewall solutions can protect systems from the various kinds of attacks. But in this age when Trojans arrive at the Web/Proxy/Mail server on a daily basis and the tribe of hackers is growing, it makes sense to look at other solutions like IDS and Access Control.

It is surprising to note the lower adoption rate of Intrusion Detection Systems (IDS) at this stage. Only 31 percent of the surveyed organizations go in for these, and just 26 percent plan to invest in an IDS during 2004-2005. Organizations should seriously consider IDS or even the more proactive IPS (Intrusion Prevention System). Firewalls when clubbed together with IDS put up a stronger defense.

Another reason for worry is the low level of importance accorded to Access Control Devices and Identity Management. An adoption rate of 32 percent by organizations for Access Control Devices and 19 percent going in for Identity Management solutions means over 70 percent of organizations are vulnerable to blackhat hackers.

The future scenario looks bleak as only 21 percent and 11 percent of organizations respectively plan to invest in Access Control and Identity Management respectively this year.

The good and the bad

There's good and bad news on the IT security policy front. The good news is that 71 percent of organizations have a security policy. Enterprises are actively involved in framing the security policy with participation of the CEO and functional heads participating actively in 49 percent of the organizations surveyed.

If the investment in other security solutions is not very forthcoming, the awareness is certainly there. Data security (91 percent) is the prime area covered by the security policy. Unauthorized employee access and perimeter security follow with 81 percent, and 53 percent respectively. Regulatory mandates for compliance not withstanding, these along with active participation are good signs.

Next comes the frequency of security policy reviews. This is crucial for having a properly effective policy. It is good to see that 32 percent of the organizations review their security policy once in three months and 22 percent review once in six months. 22 percent review the policy once a year, and the rest have no fixed frequency.

The bad news is that almost two-thirds (63 percent) of organizations do not conduct any kind of security audits. This is an irresponsible approach that can render the entire security infrastructure ineffective. BS7799 (14 percent), ISO 17799 (8 percent) and COBIT (2 percent) are the most widely used security audit standards in India.

Another issue in connection with conducting security audits is the lack of outside involvement in the form of external consultants. Almost two-thirds (62 percent) conduct security audits in-house. Only 38 percent engage the services of an external consultant for this purpose.

This is not a desirable approach since an internal audit might be biased. Also, an external consultant will have a higher level of expertise for detecting vulnerabilities, by using ethical hacking methods. This can be attributed to the fact that as consultants they have experience over different types of infrastructure, something the internal auditors lack. It is in this context that we suggest a combination of the in-house IT team and external consultants for security audits. In fact, many of the best security infrastructures in India use separate audits done by the internal team as well as external consultants. This results in a better quality of audit.

Extinction bound

Chief Security Officers (CSO) are certainly a rare breed in India. Only 25 percent of Indian organizations have a CSO. As for the rest only 9 percent have plans to hire a CSO in the future. The tribe of CSO certainly seems to be heading down the road to extinction.

Regulations seem to drive the need for a CSO in most organizationsespecially in verticals like Telecom/IT/ITES (31 percent) and BFSI (11 percent). A surprising entry on this front is the Auto/Auto components segment with 15 percent of them having future CSO plans. MNCs are considering relocating old manufacturing plants to Indian shores and this could be a driver for better security. Also the increasing competition in the Auto sector calls for tighter data security.

Majority of the organizations with a CSO believe that he should report directly to the CEO (48 percent). And this makes sense since business strategies are formulated by the CEO. Reporting to the CIO (29 percent) and functional heads (19 percent) were preferred by the rest of organizations.

The crossroads

From the results it can be seen that IT security in India still has a long way to go in terms of all proper and all encompassing security measures. Right now, organizations claim to be secure.

This twilight zone between just randomly putting up technology solutions and the stage of proper security awareness has to be crossed over before our organizations can claim to be secure. It is not a difficult task since all that is required is the awareness that security involves more than just technology. Beyond firewalls, and anti-virus solutions for there are other severe threats besides viruses and worms. After all, better late than never, as the old adage goes.

NM Suggests

Organizations should seriously consider IDS or even the more proactive IPS (Intrusion Prevention System). Firewalls when clubbed together with IDS put up a stronger defense. Open source IDS solutions like Snort can be deployed to obtain cost benefits and efficiency. Implement proper access control measures to ensure data security. Conduct security audits regularly. Use a combination of the in-house IT team and external consultants for security audits. A dedicated CSO and a security team are necessary for large infrastructures.