IT Has The Cure For An Insecure Organisation!

Ensuring the security of an organisation’s physical and digital assets is a complex task! It can't be achieved merely by building high walls of concrete around critical assets or by installing the latest IT security tools, experts feel. Here are some solutions that can help businesses keep this problem at bay!

“Let us not look back in anger or forward in fear, but around in awareness.”
— James Thurber

Vandana Sharma, BenefIT Bureau

Security
10 / December 2009 / BenefIT
Security lapses may cost a fortune!

During the normal course of events, the focus of most businesses is to manage day-to-day cash flows, increase market share, and so on. But there are times when this equilibrium gets disturbed; when some crack in the security system shakes the very foundations of an organisation—damaging its reputation, causing loss of data, assets or money. This leads to a battle of wits for business heads and CIOs (chief information officers), as most often they get caught unaware.

Rajat Agarwal, executive director, Bhorukha Aluminium, feels that businesses today are aware of the security threats; yet it’s just not a top priority, especially when the organisation is small. However, if a small company wants to grow big in the near future, it must train its team in the routine security norms and processes and put in place technologies that aren't too expensive, to automate security procedures for data and resource protection and for authorised access, avers Ram Krishna Ghildiyal, technical head, Sanvei Overseas, an international IT-based surveillance company.

Sundar Ram, vice president, Technology Sales Consulting, Oracle Asia Pacific, seconds the thought and adds: “Every organisation today needs to cope with the key issue of securing its data, inventory, human resources, etc, from security threats. Considering this, information security has become a necessity for both small as well as big business units, to secure themselves from such threats.”

But to be on guard and identify vulnerabilities and threats, or to look for security breaches and simultaneously find tools and solutions to prevent any damage from happening, isn't easy! To help our readers, we turned to various organisations to understand the strategies that they have adopted to tackle this challenge. We also spoke to experts to understand more about the vulnerabilities and the IT solutions that are available.

Here are a few instances where security breaches led to grave problems for organisations:

• The infamous stamp paper scam is a major case of a security lapse. “If state revenue departments—which are under constant video surveillance and have a highly trained security staff—could not prevent a class IV staff from taking out the stamp imprint, no amount of security and surveillance can be considered sufficient,” remarks Ghildiyal. This calls for an aware organisation and smart use of technologies to combat the threat.

• Soi shares more: “In June 2006, a security breach at HSBC’s offshore data-processing unit in Bangalore led to $425,000 being stolen from the accounts of the bank’s UK customers.”
Security planning: the issues, and solutions

The security domain is infinitely vast and complex and requires considerable planning, says Ghildiyal. But the key issue here is that in small to mid-sized companies, security is still not given due importance and the top management does not accept it as a challenge that warrants a dedicated team of experts. Dhruv Soi, chair–OWASP (Open Web Application Security Project) India, agrees: “There is a sheer lack of security awareness in most Indian firms. The security budget is often just 5 to 10 per cent of the total IT expenditure. Internal reports are often vulnerable to manipulation. Improper/inadequate monitoring creates a big hole in security. Since organisations refrain from spending on regular third-party security audits, the real security position of the company is never clear to the top management. In scenarios like these, one infected system propagates the infection to all the systems connected to the organisational network,” he adds.

Agarwal seconds the thought and adds that security breakdowns are not easy to monitor unless regular investments are made in IT tools to secure different aspects of the organisation. “Having an outsourced IT department with clear KPIs (key performance indicators)—one of which should be to monitor data security—can help. Apart from this, a thorough cost-benefit analysis should be done before choosing the right combination of tools and technologies. Factors such as threat level, size of the organisation, budget, etc, should be factored in,” he adds.

Identifying vulnerabilities

Before we move on to exploring ways to deal with security-related challenges, it is important to identify and understand the security vulnerabilities that may exist in, or affect, an organisation at any point. The following aspects may need attention:

• Sensitive data or information: Documents, including confidential reports and credit card information, are all prone to security attacks, either from within the organisation or from the outside world.

• Threats from within the organisation: Employees have been known to steal sensitive data from computers, laptops or over the network using USB drives. Unsecured confidential data can also be sent to the outside world through e-mails. Without solutions to prevent data leakage, it is hard to control it, says Soi.

Apart from this, how a company treats its employees also plays a role, feels Milind Mody, CEO, eBrandz.com. He cites a scenario: “Companies that deal with their employees fairly earn their respect. However, there are organisations that delay giving employees their dues after they leave; that may sometimes upset an exiting employee, who could then try to steal data or, in general, act against the interests of the company.” Mody suggests laying down clear policies and procedures to deal with such challenges.

• Threats via the Internet: Another threat is from viruses*, malware*, spyware* attacks, etc, which may damage, or result in the pilferage of, organisational information.

* A computer virus is a computer program that can copy itself and infect a computer.
* Malware is a type of software that can harm computers, such as computer viruses and spyware.
* Spyware is software that’s implanted into a computer system to gather information about a person or organisation, without their knowledge.
• Unsecured network access: Intruding on the organisational network and/or servers* by outsiders or by disgruntled employees to pilfer sensitive data can occur at any moment, says Mody.

* A server is a high-end/high-capacity computer that is required to run multi-user applications like organisational e-mail, data back-up, storage, etc.

• Critical/valuable physical assets: Physical theft of devices like the mouse, headphones, USB hard disk drives or even cash can be another problem that organisations confront frequently, in the absence of adequate security systems, adds Mody.

• Employee poaching: Another area where organisations may need to be watchful is competitors or HR agencies on the look-out to poach good talent. To deal with this problem, Mody suggests: “If your company has a board line or EPABX (electronic private automatic branch exchange) system, make sure someone monitors incoming calls for external HR agencies trying to poach employees.” But he agrees that there have been cases where HR managers from competing firms have actually stood outside a company’s premises to poach its employees. In such cases, it is difficult to do anything to prevent the practice.

• Irregular processes: Non-adherence to security policies is another vulnerability that a small or mid-sized company can face. Therefore, all companies, however small they may be, must plan for a periodic security audit and must invest in automated systems rather than people-driven systems.
Management-level solutions

Deploying security tools is important, but, prior to that, having an organisational culture where both the management and employees are aware of the correct security policies and practices is equally critical. Experts suggest the following practices to help organisations be better prepared for this challenge:

Plans and policies to counter security breaches

A company should have a security policy and a security plan, to begin with, opines Ghildiyal. “A security policy must define a company's information and other assets, its security needs, roles and responsibilities, the rights of employees, and so on. A security plan, on the other hand, may describe the procedures, tools and technologies that are required to implement the security plan,” he adds. In fact, a security plan can also include the anomalies, special rights and data and asset recovery procedures to reduce the impact of a security lapse.

Employment agreements must be in tandem with security policies

Mody feels that it is always good to clearly define the terms and conditions/policies related to proprietary or confidential data in the employment agreements. “Also, if an employee is working on projects for which the company has signed an NDA (non-disclosure agreement), it should make sure that the employee also signs a similar agreement. Clearly mentioning a few examples of what is considered as corporate data theft makes the agreement more well-defined. Get this agreement vetted by an attorney. This is a one-time cost, but it has three advantages. First, it makes sure that you have fulfilled your responsibility. Second, it deters people from committing unethical deeds and makes them think before they unwittingly create a security breach. And the third advantage is, you can pursue the matter in court in situations where a serious security threat has been committed against the company by an employee.”

Plan security as per the nature of the business

Planning for organisational security is another important task that depends primarily upon the nature of a business. Ghildiyal agrees and says: “For knowledge-based companies that have Internet-dependent processes, information is the most valuable asset. Such firms must consider information security technologies or solutions, like firewalls*, antivirus* or identity authentication systems*, etc. Similarly, companies that have large public assets must invest in surveillance technologies like video surveillance, threat detection, etc.” However, some technologies like antivirus, biometric* access and identity management are uniformly applicable to all companies, as they provide the building blocks for security process implementation, he adds.

* A firewall is a software tool that enables IT managers to block unauthorised access even while allowing authorised communications.
* Antivirus software can be used to make Internet access secure and prevent the computer network of the organisation from getting affected by viruses like malware, spyware, etc.
* Identity authentication systems or devices help authenticate or verify the identity of a person or other entity requesting access under security constraints.
* Biometrics is a technique used to recognise humans based upon one or more physical or behavioural traits, like fingerprints, face recognition, DNA, hand and palm geometry, iris recognition, voice, etc.

Avoid complex policies

It is one thing to lay down policies and procedures, and it is quite another to implement those successfully. One key deterrent to policy adherence is the complexity of policies and procedures, believes Ghildiyal. He explains: “For example, most companies implement a ‘password aging’ policy, which demands that all employees and customers change their computer and/or Internet login passwords every three months. As the number of such systems increases, it becomes more of a hassle for employees and then they start using easily breakable dictionary passwords* that are not only easy to remember but can be uniformly applied at all places that require a password prior to access. Thus a theoretically sound system of ‘password aging’ actually creates a security hole in the system.” So it is best to adopt workable policies that are simple and effective to implement and adhere to, in the long run.

* Dictionary passwords are simple or easily predictable variations of words used as login passwords.
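The failure mode Ghildiyal describes is measurable at the moment a password is set: a rotated password that is a wordlist entry with a trailing year, or the previous password with the digits bumped, can be rejected before it is accepted. The following Python check is an added example written for this article, not code from the magazine or from any of the companies quoted; the wordlist is a constructed handful of words (a real deployment would load a large list), the leet-substitution table and the 12-character minimum are my assumptions, and the check is meant to run inside a password-change handler.

```python
import re
from typing import Optional

# Constructed sample wordlist of common base words; a real check would load a
# much larger list (the article names none, so these are illustrative only).
WORDLIST = {"password", "welcome", "company", "summer", "winter", "letmein", "admin"}

# Letter/symbol substitutions that "dictionary" passwords commonly rely on
# (assumed table; extend it to match the wordlists you actually use).
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(candidate: str) -> str:
    """Reduce a candidate to its base word: lower-case, drop the leading and
    trailing digits/punctuation (the appended "2009!"), then undo leet spelling.
    A word that ends in a leet digit ("h3ll0") loses that digit; acceptable here."""
    s = candidate.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    return s.translate(LEET_MAP)


def is_dictionary_password(candidate: str, wordlist=WORDLIST) -> bool:
    """True when the candidate is a wordlist entry with only trivial decoration."""
    return normalise(candidate) in wordlist


def is_trivial_rotation(previous: str, candidate: str) -> bool:
    """True when the new password keeps the base word of the old one
    ("Company09!" -> "Company10!"), the pattern that aging policies tend to produce."""
    return normalise(previous) == normalise(candidate)


def check_password(candidate: str, previous: Optional[str] = None,
                   wordlist=WORDLIST, min_length: int = 12) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_dictionary_password(candidate, wordlist):
        reasons.append("dictionary word with trivial variation")
    if previous is not None and is_trivial_rotation(previous, candidate):
        reasons.append("same base word as the previous password")
    return reasons


if __name__ == "__main__":
    for old, new in [("Company09!", "Company10!"), ("P@ssw0rd", "P@ssw0rd1"),
                     (None, "purple-train-marble-41")]:
        print(f"{new!r}: {check_password(new, previous=old) or 'ok'}")
```

The rotation check needs the previous password in plaintext, so it can only run while the user is typing both the old and the new password into the change form; it is never possible (and should never be attempted) from stored hashes.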
Train your staff

Nearly 80 per cent of security breaches occur due to weak IT security systems. More than a lack of security products to deal with this challenge, the problems are caused by inadequately skilled or less-aware staff. Soi suggests conducting training programmes for IT staff to empower them to tackle security breaches effectively. He says: “Security awareness training for end-users (like people in accounts, HR, administration departments, etc) and training for IT/security staff is required, from time to time, to equip them with the knowledge to protect themselves and the organisation from security threats.” Agarwal suggests having regular seminars to discuss issues related to security.

Better safe than sorry

Agarwal feels that it is better to limit the use of e-mail and the Internet to only those who really require it. Also, he advises that IT managers should always monitor outgoing attachments, as and when possible. Soi agrees and adds: “Regular log monitoring of servers, applications and network devices is required to keep an eye on employee behaviour, and also to take preventive actions.”
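"Regular log monitoring" becomes concrete once a rule is written down. The Python below is an added example, not from the article or from any company it quotes: it parses a constructed set of syslog-style SSH login lines (the host name, users and addresses are made up) and raises two kinds of alert a small IT team would act on: repeated failed logins from one source inside a short window, and a later successful login from a source that had already been flagged. The three-failures-in-five-minutes threshold is my assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like layout; not from any real system.
SAMPLE_LOG = """\
2009-12-01 09:00:01 fileserver sshd[2201]: Accepted password for ravi from 10.0.5.21 port 51022
2009-12-01 09:02:10 fileserver sshd[2210]: Failed password for admin from 203.0.113.40 port 40111
2009-12-01 09:02:12 fileserver sshd[2211]: Failed password for admin from 203.0.113.40 port 40112
2009-12-01 09:02:15 fileserver sshd[2212]: Failed password for root from 203.0.113.40 port 40113
2009-12-01 09:02:20 fileserver sshd[2213]: Failed password for accounts from 203.0.113.40 port 40114
2009-12-01 09:15:00 fileserver sshd[2300]: Failed password for priya from 10.0.5.30 port 51100
2009-12-01 09:15:30 fileserver sshd[2301]: Accepted password for priya from 10.0.5.30 port 51101
2009-12-01 09:40:00 fileserver sshd[2402]: Failed password for ravi from 10.0.5.21 port 51200
2009-12-01 11:05:00 fileserver sshd[2900]: Accepted password for admin from 203.0.113.40 port 40500
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_auth_log(text: str) -> list:
    """Turn matching lines into event dicts; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_login_anomalies(events: list, threshold: int = 3,
                           window: timedelta = timedelta(minutes=5)) -> list:
    """Flag a source once it reaches `threshold` failures inside `window`, and
    flag any later successful login from a source that was already flagged."""
    alerts = []
    failures = defaultdict(list)   # src -> timestamps of recent failures
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not ev["ok"]:
            failures[ev["src"]].append(ev["ts"])
            # keep only failures inside the sliding window
            failures[ev["src"]] = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
            if len(failures[ev["src"]]) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(f"{ev['ts']} brute-force: {len(failures[ev['src']])} "
                              f"failures from {ev['src']} within {window}")
        elif ev["src"] in flagged:
            alerts.append(f"{ev['ts']} success after failures: {ev['user']} "
                          f"logged in from {ev['src']}")
    return alerts


if __name__ == "__main__":
    for alert in detect_login_anomalies(parse_auth_log(SAMPLE_LOG)):
        print(alert)
```

The one failed attempt by priya followed by a success is ordinary user behaviour and produces nothing; the admin login at 11:05 from the address that had been hammering the server two hours earlier is the line worth reading first.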
It’s Advantage, Unified Threat Management Solutions!

With vulnerabilities in the digital world rising by the minute, keeping organisation networks safe is becoming an acutely challenging task. Wadpack, a manufacturer of corrugated packaging material, opted for a comprehensive threat management solution that has been acting as a shield against the security menace.

Bangalore-based Wadpack is one of the pioneers in manufacturing corrugated fibre board containers. The company is quite tech savvy and is always on the look-out for new concepts and technologies in the packaging industry.

Wadpack, which uses ESS’s ERP ebizframe from its multiple locations, wanted to ensure secured connectivity between branches. “Ensuring the security of data transacted through the ERP system was quite critical for Wadpack, along with linking its various locations. After a careful analysis we opted for the Watchguard unified threat management (UTM)* solution, suggested by ESS, to secure our virtual private network or VPN,” says Sankaran Narayanan, finance controller, Wadpack. The solution was implemented by ESS with the help of Medley Marketing, New Delhi, one of the key Watchguard Secure Partners (WSP) in India.

At Wadpack, ESS also manages the entire IT requirements in addition to managing its ERP system. “Since the Wadpack management wanted to focus on growth, profitability and operational efficiency, it decided to leave the task of efficiently managing the IT function, including IT infrastructure security, to ESS,” says Narayanan.

* A UTM is an all-inclusive security system that can perform multiple security functions. It can function as an all-in-one security tool—acting as a firewall, antivirus, anti-spam solution, VPN security tool, content filtering tool, and a lot more. To know more about a VPN, refer to the box “IT’s a networked world”.

Easy to manage, and economical

The major benefit of a UTM is that so many necessary functions are combined into one solution. This saves businesses time, money and hassles, affirms Anil Bakht, managing director, ESS. “Maintaining network security can often become complex and confusing, but when all security features are combined into one system, it is easy to see how all the functions are integrated and how they work together. Also, because it is coming from a single vendor, training and support for the entire system also come from a single vendor. A single-window solution helps reduce the hassles associated with managing multi-vendor security systems,” he suggests.
IT’s a networked world

Most organisations work in networked environments these days where all computers are connected, not only in one office, but across branches. This becomes an organisation’s virtual private network or VPN. Apart from this, these machines that are connected over a VPN also connect with computers in the outside world or public network through the Internet. Organisational networks are vulnerable to attacks as precious data traverses from one end to the other. This can leave a company’s operational resources, customer data, proprietary tools and technologies, and intellectual capital in danger of being stolen, misused, or vandalised by third parties.
Technology tools that may help

Business units today have begun to look around for solutions that can help them protect their software applications, like ERP, CRM, etc, and also their IT and data infrastructure, observes Ram. Now, let us take note of a few IT tools that can help businesses to pro-actively deal with this challenge:

Identity authentication tools

It is not possible to validate or authenticate the identity of all staff members or customers manually, every time they attempt to access organisational information. This is because small firms operate with fewer resources, and manual authentication may lead to transaction processing delays. To address this problem, companies can opt for tools like biometric devices, which can validate the identity of an employee by validating physical traits, like fingerprints, vein patterns, etc, and automate the process of allowing information or network access to only authorised staff or customers, suggests Ghildiyal. Agarwal seconds the thought and suggests: “This is a great option if you want to add an extra layer of security to certain areas such as server rooms, electrical control panels, etc.”

Mody, however, feels that while biometric devices are quite relevant for businesses like jewellery shops that have precious assets, for a company with more than 100 employees, such devices can be a real problem if used at the entrance gate. He explains the flip side: “You will have a long queue of employees while coming in or going out of the organisation premises, either at the start of the day or at lunch time. There is a school of thought that claims that biometric devices help prevent the buddy system that involved the problem of proxy attendance. But I would advise keeping biometric devices only at places where companies store their sensitive information, which could be their server room or where the accounts or sales team sits. The selective application of such devices can still be made. Otherwise biometric devices cost two or three times more than RFID* (radio frequency identification) card-based systems, which are also a viable alternative.”

* RFID tags refer to small electronic devices that are made up of a small chip and an antenna. The device can carry approximately 2,000 bytes of data. And, just as information can be retrieved or read from bar codes or magnetic strips via a scanner or bar-code reader, RFID devices also require a scanner to retrieve the information stored in them.

Information security tools

Companies that have online systems or processes and depend on data and information assets must consider information security technologies like firewalls, antivirus software, information authentication, encryption* tools, etc.

* Encryption is the process of converting information given in plaintext into an unreadable format, which can be decoded by a person possessing a special key/password to convert the coded text into plain text again.

Mody shares details about solutions that his company, eBrandz, has adopted. “I personally feel that if an organisation has more than 25 PCs then antivirus is useless without a hardware firewall. Besides, most firewalls have the antivirus component built into them. So you do not need to invest separately on the antivirus.” Not spending on such intrusion prevention systems (like firewalls) makes mission-critical systems and information vulnerable to new attack variants, warns Soi. Agarwal agrees and adds: “This works really well to control and, more importantly, monitor the kind of information your employees have access to and also what they are doing with it (saving, e-mailing, copying to USB drives, sending to competitors, etc).”

Many a time, organisations resort to using pirated software to avoid investing in buying original software. Soi cautions that the use of pirated software brings spyware to the system without the knowledge of the user, putting the organisation's information at risk.
Considering the kind of threats that security vulnerabilities expose an organisation to, it would be wise for firms to first look within, for any existing or probable security loopholes, and then around them to devise strategies and deploy tools to address security gaps. Most importantly, firms should create a culture of monitoring and observing safe practices to safeguard organisational assets.
Tools to safeguard physical assets

Many organisations assign laptops to their workforce to enable them to keep in touch with the firm from anywhere, anytime. In such a scenario, the security of the laptops, which invariably carry crucial work-related information, is vital.

Organisations can have encryption software installed on all the desktops and laptops to avoid the risk of data theft in case a computer is stolen/misplaced, suggests Soi. There are two types of encryption tools. One type is used to encrypt files, digital documents or e-mails that an organisation sends out to people, within or outside the organisation, over the Internet. The other type of encryption tool is used to convert the data on the hard drive of a computer into an unreadable format, in such a way that it can’t be made readable again unless a password is entered. This tool is useful to prevent data loss in the event of theft or the loss of a laptop.

An RFID (radio frequency identification) asset tracking system is another solution, which can help in safeguarding assets like laptops, or any other expensive devices. The RFID tracking system keeps track of assets whether placed within the bounds of the organisation or even when anyone moves out of the company gates.

Tools for network security

To ensure organisational network security*, a firm can disable the use of USB drives on PCs/laptops, advises Mody. “Apart from this, have your network configured in such a way that data of different departments are stored at different places. And then allow access only to authorised people. Some common data can be stored centrally, but in this case there is a need to have different levels of access rights.

“Access to Web servers* also needs to be restricted to only a few select individuals. If an organisation uses Internet-based applications like SaaS (software-as-a-service)-based ERP, etc, make sure all such applications are protected through some specific Internet-based restrictions.”

Soi explains how network access protection tools work: “A network access control system prevents access to organisational networks unless the connected computer complies with a set of standards.”

* An organisation network comprises the local area network, a group of computers within the organisation premises or across its different branches connected to each other for the purpose of communication; the other type is a wide area network, through which the organisation communicates with the world outside, over the Internet.
* A Web server is a computer program that fetches content in the form of information, data, images, etc, from the Web pages available over the Internet and delivers it via a Web browser (like Internet Explorer, Firefox, etc).
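Soi's one-sentence description of network access control ("complies with a set of standards") is easier to reason about as an explicit policy. The Python below is an added example, not from the article or any vendor: it evaluates constructed posture reports (host names, dates and patch numbers are made up) against a simplified policy that combines the article's own advice (USB storage blocked, firewall and antivirus present) with a patch baseline. The thresholds, the report format and the `admit`/`quarantine` outcome are my assumptions about what an NAC agent and policy server exchange.

```python
from datetime import date

# Constructed posture policy. Thresholds are illustrative, not from the article.
POLICY = {
    "max_signature_age_days": 7,           # antivirus signatures must be recent
    "min_patch_level": 20091115,           # hypothetical patch baseline, YYYYMMDD
    "require_firewall": True,
    "require_usb_storage_disabled": True,  # the article's advice: block USB drives
}

# Constructed posture reports, as an endpoint agent might submit them when a
# machine joins the network (all hosts and values are made up).
SAMPLE_REPORTS = [
    {"host": "acct-pc-07", "signature_date": date(2009, 11, 30), "patch_level": 20091120,
     "firewall_enabled": True, "usb_storage_disabled": True},
    {"host": "sales-lt-12", "signature_date": date(2009, 10, 2), "patch_level": 20091120,
     "firewall_enabled": True, "usb_storage_disabled": False},
    {"host": "hr-pc-03", "signature_date": date(2009, 11, 29), "patch_level": 20090901,
     "firewall_enabled": False, "usb_storage_disabled": True},
]


def evaluate_posture(report: dict, policy: dict = POLICY, today: date = date(2009, 12, 1)):
    """Return ("admit", []) or ("quarantine", [reasons]) for one posture report.
    Every rule is checked so the user gets the full list, not just the first failure."""
    failures = []
    age = (today - report["signature_date"]).days
    if age > policy["max_signature_age_days"]:
        failures.append(f"antivirus signatures are {age} days old")
    if report["patch_level"] < policy["min_patch_level"]:
        failures.append(f"patch level {report['patch_level']} below baseline "
                        f"{policy['min_patch_level']}")
    if policy["require_firewall"] and not report["firewall_enabled"]:
        failures.append("host firewall disabled")
    if policy["require_usb_storage_disabled"] and not report["usb_storage_disabled"]:
        failures.append("USB storage not disabled")
    return ("admit" if not failures else "quarantine"), failures


def triage(reports: list, policy: dict = POLICY, today: date = date(2009, 12, 1)) -> dict:
    """Evaluate every report; returns {host: (decision, failures)}."""
    return {r["host"]: evaluate_posture(r, policy, today) for r in reports}


if __name__ == "__main__":
    for host, (decision, failures) in triage(SAMPLE_REPORTS).items():
        print(f"{host}: {decision}" + (f" ({'; '.join(failures)})" if failures else ""))
```

A quarantined machine would normally land on a remediation network that can reach only the update servers; the decision function stays the same, only the action taken on its result changes.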
Surveillance tools

Have CCTV (closed circuit TV) cameras across the entire premises to monitor physical threats (external/internal). The devices enable not just real-time monitoring but also keep records for future reference, says Soi. Mody agrees and says that CCTV cameras are also a must for any organisation that has more than 25 to 30 employees. “This will deter people from stealing devices or cash. In serious cases, it might help the police track down culprits,” he adds.

Agarwal feels that having CCTV cameras is a good option for firms that are into manufacturing and need to monitor labour movement and behaviour. “Firms can also have CCTV cameras to monitor strategic locations,” he observes. Currently, these devices are slightly expensive, but the cost is decreasing rapidly.
The way the RFID tracker works for laptops

RFID, a combination of radio-frequency-based and microchip technology, helps in identifying an asset. For tracking, an active RFID tag of 1.5” (3.8 cm) to 0.765” (1.9 cm) is embedded into the laptop.

The RFID reader has both the laptop's ID as well as the employee's tag ID associated with it. Each time a person passes through the main door/entrance gate where the reader is installed, the tag in the laptop transmits the information stored in it to the RFID reader. Interestingly, the presence as well as movement of a laptop is picked up from a distance of over 30 feet (9.1 metres). The ability to detect a laptop even if it is placed in a moving car enhances this system further.
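The box says the reader holds both the laptop's tag ID and the employee's tag ID; what turns that association into a theft alert is the comparison made at the gate. The Python below is an added example, not from the article or from any RFID vendor: it takes a constructed list of gate reads (tag IDs, times and the reader name are made up), clusters the reads that belong to one person walking through, and reports a laptop that leaves with someone other than its assigned employee or with nobody at all. How the registry is stored and the five-second clustering window are my assumptions.

```python
from datetime import datetime, timedelta

# Constructed registry: laptop tag ID -> employee tag ID the laptop is assigned to.
# The article says the reader holds this association; the layout is assumed.
ASSET_REGISTRY = {"LAP-0001": "EMP-101", "LAP-0002": "EMP-102", "LAP-0003": "EMP-103"}

# Constructed gate reads: (timestamp, reader, tag ID). A person and the laptop
# they carry are read by the same gate within a second or two of each other.
READS = [
    ("2009-12-01 18:01:00", "main-gate", "EMP-101"),
    ("2009-12-01 18:01:01", "main-gate", "LAP-0001"),   # owner with own laptop
    ("2009-12-01 18:05:00", "main-gate", "EMP-102"),
    ("2009-12-01 18:05:02", "main-gate", "LAP-0003"),   # EMP-102 carrying EMP-103's laptop
    ("2009-12-01 18:09:00", "main-gate", "LAP-0002"),   # laptop with no person tag nearby
    ("2009-12-01 18:30:00", "main-gate", "EMP-103"),    # person without a laptop
]


def parse_reads(rows: list) -> list:
    """Convert raw rows to (datetime, reader, tag) tuples in time order."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), reader, tag)
                  for ts, reader, tag in rows)


def group_passages(reads: list, gap: timedelta = timedelta(seconds=5)) -> list:
    """Cluster reads from the same reader that arrive within `gap` of the previous
    read: one cluster is one person (plus whatever they carry) passing the gate."""
    passages = []
    for ts, reader, tag in reads:
        last = passages[-1] if passages else None
        if last and last["reader"] == reader and ts - last["last"] <= gap:
            last["tags"].add(tag)
            last["last"] = ts
        else:
            passages.append({"reader": reader, "start": ts, "last": ts, "tags": {tag}})
    return passages


def check_passages(passages: list, registry: dict = ASSET_REGISTRY) -> list:
    """For every laptop seen in a passage, confirm its assigned employee's tag
    was read in the same passage; otherwise produce an alert line."""
    alerts = []
    for p in passages:
        laptops = sorted(t for t in p["tags"] if t in registry)
        people = sorted(t for t in p["tags"] if t not in registry)
        when = p["start"].strftime("%H:%M:%S")
        for laptop in laptops:
            owner = registry[laptop]
            if owner in people:
                continue                      # laptop left with its assigned employee
            if people:
                alerts.append(f"{when} {p['reader']}: {laptop} carried by "
                              f"{', '.join(people)}, assigned to {owner}")
            else:
                alerts.append(f"{when} {p['reader']}: {laptop} unaccompanied "
                              f"(assigned to {owner})")
    return alerts


if __name__ == "__main__":
    for alert in check_passages(group_passages(parse_reads(READS))):
        print(alert)
```

An employee legitimately carrying a colleague's laptop will trigger the first kind of alert; that is the intended behaviour, because the exception should be recorded and cleared by security staff rather than silently allowed.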