As businesses get more competitive, security becomes a critical issue. In the present times, CIOs/CTOs have to continuously devise means to defend their information systems from numerous internal and external threats. In a highly competitive business scenario, lost critical data/information also means lost opportunities and profits. Training in information security is overlooked by most organisations, and this, believe experts, will have disastrous consequences in the long run.
Many companies face security breaches despite implementing a supposedly foolproof information security and business continuity strategy. The success of any security programme is largely dependent on the way it is deployed, how it is integrated into the infrastructure, and lastly (and most importantly), how it is received by the people who are responsible for using and maintaining it. What is needed is a more inward focus for an effective information security policy, as studies indicate that the majority of attacks originate from insiders (be it knowingly or unknowingly). According to an Assocham study, as many as 65 percent of companies perceived insider threats (from disgruntled employees) to be a much more serious concern than domestic competition. People are generally considered the weakest link in an enterprise's security. "There are threats posed by staff having information on their computers concerning pornography, denial of service, software and copyright theft, credit card fraud, paedophilia and virus creation. All this could result in civil or criminal litigation involving the company's business, loss of reputation, stock value, HR problems with threatening work environments, loss of productivity and squandering of valuable business resources," says Sumit Malik of Assocham. According to him, the average employee can also unknowingly pose a security risk with simple, everyday acts like giving out passwords, not logging off at the end of the day or clicking on virus attachments, despite multiple warnings. An enterprise should therefore have a clear policy for the use of IT systems, and all the staff should be made aware of the need to maintain the integrity of information resources.
Companies like Dabur and Ranbaxy have started effective management of their security systems. "We have professionals to manage security systems and their skills are regularly updated through training. Annual budgets are set aside only for security related investments," says Gopal Shukla, chief information officer of Dabur. Ranbaxy has also employed specialists and administrators.
Understanding the importance of training, Maruti has made considerable investment in people, processes and security technologies to formulate a comprehensive defence strategy. "Today most of our business partners are connected online to our network and maximum transactions are made online. In such a scenario, when most of the business information resides on the network, Maruti realises the importance of adopting a process driven approach to information security. Information security training is a major component of this defence strategy. Training need assessments (TNA) are regularly conducted for roles ranging from security administration to users of information resources," says a company official. Based on these assessments, training and awareness programmes are conducted in the organisation. Post 9/11, the company conducted various employee awareness programmes to familiarise employees across levels with information security policy and procedures. Besides this, the company also makes sure that IT security personnel have regular interaction with the physical security personnel. They also carry out drills to simulate disaster scenarios.
Wipro Technologies has initiated a security forum comprising the chairman, senior management and qualified security experts. The company has devised different policies to prevent any security breach: Information Security Policy; Information Classification Policy; Incident Management Policy; Virus Prevention Policy; Access Control Policy; Physical and Environmental Security Policy; Security Training Policy and many more.
Dabur's supply chain depends extensively on IT and consequently investment in security is high. "We have taken great care to institutionalise policies, standards and procedures to ensure that security is state-of-the-art in our organisation. IT policies and procedures are regularly audited by external agencies to ensure that we are the best in class in each area and that we comply with the set policies and procedures," informs Shukla. With expanding business dimensions and increased connectivity, more sophisticated security breaches are expected to happen in the future. "In times to come, there is going to be an increased dependency on IT and the networks; applications that are today running on well managed LANs and WANs are likely to get intranet/extranet enabled and their reach will grow tremendously. Security threats will therefore increase in the future," points out Shukla. Sensing this, many companies have engaged security consulting firms to conduct comprehensive vulnerability and penetration audits, which can be further used to update their security processes, procedures and guidelines for the employees to follow. Says Rahul Goswami, vice president of strategic planning and chief information officer of Ranbaxy Laboratories, "We plan to have a continuous review of threat perception and related defence mechanisms."
Considering the changing nature of the e-business environment, the need is for more dynamic policies, which effectively take into consideration the changing structure, size and potential business model of an enterprise, and external influences such as new technologies and new types and levels of security threats. Stricter compliance and continuous monitoring of security policies are expected to become a priority area in many companies in the next one year. Based on the security policies, there is going to be increased emphasis on security training, not only of technical users but of all employees.
THE NECESSARY STEPS

- Information security policy statement and explanation
- Training for individual departments and projects
- CBT (computer based training)
- Policy statement on every desk
- Video communication by top management
- Security quiz on company website
- Intranet portal flash
- Shredding of confidential documents by users
- Stop receipt of mails from unknown sources
- Do not send or receive EXE files through mails
- Do not copy software outside the office