
Internal vigilance creates security culture

Sudipta Dev / Mumbai

An employee is regarded as the vital key in any organisation and also as the weakest security link. Few employees understand that information is an asset that needs to be protected. In fact, all the planning and investment made for information security by the company can come to naught through an ignorant employee’s careless mistake. With information security becoming a much debated topic, the focus is not just on implementing e-security policies within an organisation, but also on making them a part of the work culture. Creating a culture of internal vigilance within an organisation is much tougher than it seems in the Indian corporate scenario, as the level of awareness among employees is abysmally low.

The truth, however, remains that employees have traditionally been viewed as “trusted users” within a company’s network. In their rush to embrace e-business, companies have opened up their networks to partners, suppliers and customers, in addition to internal users. “The parameters are consequently porous, and it is critical to ensure that only authorised users have access to information systems. Organisations rely on firewalls to ensure their systems from external attacks and malicious code, whereas an internal user can compromise the integrity and security of information systems in a number of ways,” says Rion Dutta, head of SBU, MIEL eSecurity. He points out that, given that the definition of employee has been expanded to include trusted business users (contractors, outsourcers, consultants, business partners such as agents) and because 90 percent of security breaches are internal, contributing to $295 billion in 2001 (Secure Computing), today’s business managers cannot afford to overlook the security risks posed by internal users. This apart, threats to information assets are not properly communicated to employees and users. This increases the chances of usernames and passwords being compromised, or of an attacker using social engineering to gather critical information before launching an attack.

Lack of management commitment to implementing IT security is a major issue. Dutta asserts that security should not be seen as a cost centre, but rather should be considered along with any organisational change (deployment, rollout, etc.) and incorporated in the planning and budgeting aspects. Typically, information security should be championed at the management as well as the organisational level, so that employees understand information risk and recognise it as a priority area.

Creating awareness

Awareness is the key issue and lack of proper communication the handicapping factor. Captain Raghu Raman, global practice head, Mahindra Consulting Special Services Group, acknowledges that most organisations in India do not spend enough time on training people on security aspects, not even during the induction process. Employees across three levels should be targeted for it. Firstly, the most senior levels, as that is where most leaks take place. “They need to understand that leakage of individual data that seems innocent, when combined, can be very devastating for the organisation. They also have to understand that competitive analysts know better than senior management. It is also imperative for them to be willing to be checked and to put their own inconvenience on the line,” says Raghu Raman. The second fundamental level consists of those people who handle the information, for instance help desk functionaries of top organisations. Working in low-paid jobs, most of them do not know how to handle data. Furthermore, documentation is not classified. The third group is the systems people, who need to be more aware and vigilant. Vigilance is, in fact, needed from all sections of employees. Raghu Raman cites the example of a blue chip company in India where a few people were found working who were not on the rolls and were apparently there for dubious reasons. In another instance, during an SAP training session organised by a Delhi-based MNC, it was discovered that one of the 20 employees who had attended the two-month programme was in fact an unknown outsider. This was discovered accidentally, when his exceptional performance during the training was reported to his department head, who replied that nobody by that name worked in the division. The man of course disappeared before being confronted and could not be traced!

“The best system is when you enter an organisation and within 30 seconds somebody should ask ‘Who are you?’ This education is ethos change,” points out Raghu Raman.

The training

Training is essential to create a high level of awareness in an organisation. Since employees are, by and large, perceived to be protective of their organisation, their training needs to be focused on their ability to respond to a perceived threat. According to Raghu Raman, the Special Services Group prepares them for this area of response through formal classes. Different training modules are designed for different levels. “Companies should invest in a Security Awareness Training course as part of their Information Security Policy and Procedures (ITSPP). This will give them an understanding of the need for information security in the enterprise, and also train them in best practices to be followed. This should be followed by employees signing an Acceptable Use Policy, which governs their use of IT systems and penalties that are in place for non-compliance with official security policies, for example, using a commonly guessed password, using external media or downloading malicious code,” says Dutta.

MIEL’s Information Security Training Institute (ISTI) provides companies with security awareness training sessions aimed at end-users, IT administrators and executives. The focus is on communicating IT security policies, user and management requirements and at creating awareness of IT security across the enterprise.

“It is mostly seen that organisations provide some awareness training at the time of induction and leave it at that, whereas this should be a continuous process. Employees should be made aware of their role and responsibilities, the security policy, exercising its impact, the effect of a security breach, and should also have its impact on themselves explained,” says Sunil Chandiramani, partner, Ernst and Young. He cites the example of a senior company official who loaned his son his company laptop for a school project. The child took it to his friend’s house. The latter’s elder brother’s friend, who happened to be there at that time and worked for a rival company, was able to access all sensitive company information. The father only got to know about it after it was too late.

The convincing

Most security experts agree that it is not easy to convince a client, who is almost always assured of the invincibility of their information system. Indian companies are in fact lagging behind their counterparts in Europe and North America when it comes to implementation of an IT security policy. This is partly due to the lack of regulation forcing companies to comply (e.g. HIPAA for healthcare and the GLB Act for financial institutions in the US, the European Data Directive in the EU and the Privacy Act in Australia), informs Dutta.

It is vital that implementation of a security policy in a company should be governed not by the money available to spend but by the resolve. “It is important to align security with business objectives. From the grass root level to the top management, everybody should be aware of the price the company is paying day to day by not implementing information security. We are able to show the connection between security and savings,” says Raghu Raman.

Ernst & Young have a wholesome agenda for the organisation, which ranges from formulating the security policy to holding awareness training programmes to inculcating it within the work culture. Posters, movies, leaflets, screen savers and memo pads are specially designed and distributed. Chandiramani informs that these policies are drafted around the practical issues being faced in the organisation.

Security culture

There are three factors which eventually make it a part of the culture of the organisation: defining rules, educating the people and penalising them for lapses. “We do training continuously, do audits and monitoring. Over three to four years this becomes the security culture of the organisation,” states Chandiramani.

The task is far from easy and evidently meets with a lot of initial resistance from employees who see it as curbing their freedom. Geometric Software Solutions, which recently implemented a comprehensive security policy, in fact went through the initial resistance phase. Kalpana Jaishankar, director of Human Resources, Geometric Software Solutions, concedes that there were innumerable questions, checks and balances during the implementation stage. “The key here is internal vigilance, and each employee has to believe in it. Communicating with them why a security policy should be implemented is very significant at this stage.” A security committee was formed to carry out the task. It is led by the head of engineering services, an HR representative and people from different levels of the organisation. In fact, the people who questioned the need for a security policy were invited to become members of the committee. “Our organisation has source codes of different clients, so now when they ask about our security policies and procedures, we can answer them. This is essential for business.”

This business focus of information systems is the clincher. While it is true that the level of awareness in India is very low, the truth remains that if Indian companies have to survive, they have to change. Similar change is also predicted in central and state government enterprises.

COMMON LAPSES

  • 90 percent of people have one password for all e-mail addresses. Change your password frequently and choose unusual ones.
  • Laptops connected to leased lines of your company should never be used for dial-up purposes, as this allows backdoor entry to hackers.
  • Office laptops should not be used for home computing.
  • A caller claiming to be from your IT department asks for your password. The call can be from anyone wanting to hack into your system.
  • Users should always change first-time or default passwords.


© Copyright 2003: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in
Mumbai by The Business Publications Division of the Indian Express Group of Newspapers.