Security Feature Cover Story

IT Has The Cure For An Insecure Organisation!

Ensuring the security of an organisation’s physical and digital assets is a complex task! It can't be achieved merely by building high walls of concrete around critical assets or by installing the latest IT security tools, feel experts. Here are some solutions that can help businesses keep this problem at bay!

“Let us not look back in anger or forward in fear, but around in awareness.” — James Thurber

Vandana Sharma, BenefIT Bureau

Security

10 / December 2009 / BenefIT

During the normal course of events, the focus of most businesses is to manage day-to-day cash flows, increase market share, and so on. But there are times when this equilibrium gets disturbed; when some crack in the security system shakes the very foundations of an organisation—damaging its reputation, causing loss of data, assets or money. This leads to a battle of wits for business heads and CIOs (chief information officers), as most often they get caught unaware.

Rajat Agarwal, executive director, Bhorukha Aluminium, feels that businesses today are aware of the security threats; yet it’s just not a top priority, especially when the organisation is small. However, if a small company wants to grow big in the near future, it must train its team in the routine security norms and processes and put in place technologies, that aren't too expensive, to automate security procedures for data and resource protection and for authorised access, avers Ram Krishna Ghildiyal, technical head, Sanvei Overseas, an international IT-based surveillance company.

Sundar Ram, vice president, Technology Sales Consulting, Oracle Asia Pacific, seconds the thought and adds: “Every organisation today needs to cope with the key issue of securing its data, inventory, human resources, etc, from security threats. Considering this, information security has become a necessity for both small as well as big business units to secure themselves from such threats.”

But to be on guard and identify vulnerabilities and threats; or to look for security breaches and simultaneously find tools and solutions to prevent any damage from happening—isn't easy! To help our readers, we turned to various organisations to understand the strategies that they have adopted to tackle this challenge. We also spoke to experts to understand more about the vulnerabilities and the IT solutions that are available.

Security lapses may cost a fortune!

Here are a few instances where security breaches led to grave problems for organisations:

• The infamous stamp paper scam is a major case of a security lapse. “If state revenue departments—which are under constant video surveillance and have a highly trained security staff—could not prevent a class IV staff from taking out the stamp imprint, no amount of security and surveillance can be considered sufficient,” remarks Ghildiyal. This calls for an aware organisation and smart use of technologies to combat the threat.

• Soi shares more: “In June 2006, a security breach at HSBC’s offshore data-processing unit in Bangalore led to $425,000 being stolen from the accounts of the bank’s UK customers.”

Security planning: the issues, and solutions

The security domain is infinitely vast and complex and requires considerable planning, says Ghildiyal. But the key issue here is that in small to mid-sized companies, security is still not given due importance and the top management does not accept it as a challenge that warrants a dedicated team of experts. Dhruv Soi, chair–OWASP (Open Web Application Security Project) India, agrees: “There is a sheer lack of security awareness in most Indian firms. The security budget is often just 5 to 10 per cent of the total IT expenditure. Internal reports are often vulnerable to manipulations. Improper/inadequate monitoring creates a big hole in security. Since organisations refrain from spending on regular third-party security audits, the real security position of the company is never clear to the top management. In scenarios like these, one infected system propagates the infection to all the systems connected to the organisational network,” he adds.

Agarwal seconds the thought and adds that security breakdowns are not easy to monitor unless regular investments are made in IT tools to secure different aspects of the organisation. “Having an outsourced IT department with clear KPIs (key performance indicators)—one of which should be to monitor data security—can help. Apart from this, a thorough cost-benefit analysis should be done before choosing the right combination of tools and technologies. Factors such as threat level, size of the organisation, budget, etc, should be factored in,” he adds.

Identifying vulnerabilities

Before we move on to exploring ways to deal with security-related challenges, it is important to identify and understand the security vulnerabilities that may exist in, or affect, an organisation at any point. The following aspects may need attention:

• Sensitive data or information: Documents including confidential reports and credit card information are all prone to security attacks, either from within the organisation or from the outside world.

• Threats from within the organisation: Employees have been known to steal sensitive data from computers, laptops or over the network using USB drives. Unsecured confidential data can also be sent to the outside world through e-mails. Without solutions to prevent data leakage, it is hard to control it, says Soi.

Apart from this, how a company treats its employees also plays a role, feels Milind Mody, CEO, eBrandz.com. He cites a scenario: “Companies that deal with their employees fairly earn their respect. However, there are organisations that delay giving employees their dues after they leave; that may sometimes upset an exiting employee, who could then try to steal data or, in general, act against the interests of the company.” Mody suggests laying down clear policies and procedures to deal with such challenges.

• Threats via the Internet: Another threat is from viruses*, malware*, spyware* attacks, etc, which may damage, or result in the pilferage of, organisational information.

* • A computer virus is a computer program that can copy itself and infect a computer.

• Malware is a type of software that can harm computers, such as computer viruses and spyware.

• Spyware is software that’s implanted into a computer system to gather information about a person or organisation, without their knowledge.

• Unsecured network access: Intruding on the organisational network and/or servers* by outsiders or by disgruntled employees to pilfer sensitive data can occur at any moment, says Mody.

* A server is a high-end/high-capacity computer that is required to run multi-user applications like organisational e-mail, data back-up, storage, etc.

• Critical/valuable physical assets: Physical theft of devices like the mouse, headphones, USB hard disk drives or even cash can be another problem that organisations confront frequently, in the absence of adequate security systems, adds Mody.

• Employee poaching: Another area where organisations may need to be watchful is competitors or HR agencies on the look-out to poach good talent. To deal with this problem, Mody suggests: “If your company has a board line or EPABX (electronic private automatic branch exchange) system, make sure someone monitors incoming calls for external HR agencies trying to poach employees.” But he agrees that there have been cases where HR managers from competing firms have actually stood outside a company’s premises to poach its employees. In such cases, it is difficult to do anything to prevent the practice.

• Irregular processes: Non-adherence to security policies is another vulnerability that a small or mid-sized company can face. Therefore, all companies, however small they may be, must plan for a periodic security audit and must invest in automated systems rather than people-driven systems.

Management-level solutions

Deploying security tools is important, but, prior to that, having an organisational culture where both the management and employees are aware of the correct security policies and practices is equally critical. Experts suggest the following practices to help organisations be better prepared for this challenge:

Plans and policies to counter security breaches

A company should have a security policy and a security plan, to begin with, opines Ghildiyal. “A security policy must define a company's information and other assets, its security needs, roles and responsibilities, the rights of employees, and so on. A security plan, on the other hand, may describe the procedures, tools and technologies that are required to implement the security plan,” he adds. In fact, a security plan can also include the anomalies, special rights and data and asset recovery procedures to reduce the impact of a security lapse.

Employment agreements must be in tandem with security policies

Mody feels that it is always good to clearly define the terms and conditions/policies related to proprietary or confidential data in the employment agreements. “Also, if an employee is working on projects for which the company has signed an NDA (non-disclosure agreement), it should make sure that the employee also signs a similar agreement. Clearly mentioning a few examples of what is considered corporate data theft makes the agreement more well-defined. Get this agreement vetted by an attorney. This is a one-time cost, but it has three advantages. First, it makes sure that you have fulfilled your responsibility. Second, it deters people from committing unethical deeds and makes them think before they unwittingly create a security breach. And the third advantage is, you can pursue the matter in court in situations where a serious security threat has been committed against the company by an employee.”

Plan security as per the nature of the business

Planning for organisational security is another important task that depends primarily upon the nature of a business. Ghildiyal agrees and says: “For knowledge-based companies that have Internet-dependent processes, information is the most valuable asset. Such firms must consider information security technologies or solutions, like firewalls*, antivirus* or identity authentication systems*, etc. Similarly, companies that have large public assets must invest in surveillance technologies like video surveillance, threat detection, etc.” However, some technologies like antivirus, biometric* access and identity management are uniformly applicable to all companies as they provide the building blocks for security process implementation, he adds.

* • A firewall is a software tool that enables IT managers to block unauthorised access even while allowing authorised communications.

• Antivirus software can be used to make Internet access secure and prevent the computer network of the organisation from getting affected by viruses, malware, spyware, etc.

• Identity authentication systems or devices help authenticate or verify the identity of a person or other entity requesting access under security constraints.

• Biometrics is a technique used to recognise humans based upon one or more physical or behavioural traits, like fingerprints, face recognition, DNA, hand and palm geometry, iris recognition, voice, etc.

Avoid complex policies

It is one thing to lay down policies and procedures, and it is quite another to implement those
successfully. One key deterrent in policy adherence is the complexity of policies and procedures, believes Ghildiyal. He explains: “For example, most companies implement a ‘password aging’ policy, which demands that all employees and customers change their computer and/or Internet login passwords every three months. As the number of such systems increases, it becomes more of a hassle for employees and then they start using easily breakable dictionary passwords* that are not only easy to remember but can be uniformly applied at all places that require a password prior to access. Thus a theoretically sound system of ‘password aging’ actually creates a security hole in the system.” So it is best to adopt workable policies that are simple and effective to implement and adhere to in the long run.

* Dictionary passwords are simple or easily predictable variations of words used as login passwords.
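
A policy that merely forces rotation cannot see whether the replacement is one of the “easily breakable dictionary passwords” described above. The following is an added example, not code from the article or from any of the organisations quoted in it: a small Python check that normalises a candidate password (strips the trailing digits and symbols of the “Summer2009!” pattern, undoes common letter-for-symbol substitutions) and looks the remainder up in a word list. The word list, the minimum length and the substitution table are assumptions for the demonstration; a real check would load a full dictionary plus the organisation’s own names.

```python
import re
from typing import List, Optional

# Constructed word list for the demonstration. A real check would load a
# large dictionary file (and the organisation's name, product names, etc.)
# instead of this handful of words.
DICTIONARY = {"password", "welcome", "summer", "company", "admin", "letmein"}

# Substitutions people use to dress up a dictionary word without actually
# making it harder to guess.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12   # assumed policy value, not from the article


def dictionary_base(password: str) -> Optional[str]:
    """Return the dictionary word a password is built on, or None.

    Normalisation: drop trailing digits/punctuation ("Summer2009!"),
    drop leading punctuation, undo the substitutions in LEET_MAP
    ("P@ssw0rd"), lower-case, then look the remainder up.
    """
    core = re.sub(r"[^A-Za-z@$]+$", "", password)   # trailing digits/symbols
    core = re.sub(r"^[^A-Za-z@$0-9]+", "", core)    # leading symbols
    word = core.translate(LEET_MAP).lower()
    return word if word in DICTIONARY else None


def check_password(password: str) -> List[str]:
    """Policy findings for a candidate password; an empty list means acceptable."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    base = dictionary_base(password)
    if base is not None:
        findings.append(f"based on dictionary word '{base}'")
    return findings


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "Summer2009!", "Welcome123", "correct-horse-battery"]:
        print(candidate, "->", check_password(candidate) or ["ok"])
```

Running the check at the moment a password is set (rather than relying on aging alone) is what turns the policy from a calendar rule into something that actually rejects the weak choices the quote describes.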

Train your staff

Nearly 80 per cent of security breaches occur due to weak IT security systems. More than a lack of security products to deal with this challenge, the problems are caused by inadequately skilled or less-aware staff. Soi suggests conducting training programmes for IT staff to empower them to tackle security breaches effectively. He says: “Security awareness training for end-users (like people in accounts, HR, administration departments, etc) and training for IT/security staff is required, from time to time, to equip them with the knowledge to protect themselves and the organisation from security threats.” Agarwal suggests having regular seminars to discuss issues related to security.

Better safe than sorry

Agarwal feels that it is better to limit the use of e-mail and the Internet to only those who really require it. Also, he advises that IT managers should always monitor out-going attachments, as and when possible. Soi agrees and adds: “Regular log monitoring of servers, applications and network devices is required to keep an eye on employee behaviour, and also to take preventive actions.”
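
Agarwal’s advice to monitor out-going attachments and Soi’s call for regular log monitoring come together in a review of the mail gateway’s log. The following is an added example, not code from the article or from any organisation quoted in it: a Python script that parses a few constructed gateway log lines (a hypothetical one-message-per-line format), scores each outbound attachment against indicators a reviewer would care about (external recipient, business document type, size, time of day) and raises an alert only when a message leaves the company with at least one further indicator. The domains, file types, size limit and working hours are assumed policy values.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Assumed policy values; none of these come from the article.
INTERNAL_DOMAINS = {"example-corp.test"}
WATCHED_EXTENSIONS = {".xlsx", ".docx", ".pdf", ".zip", ".csv"}
SIZE_LIMIT = 1_000_000            # bytes
WORK_HOURS = range(8, 20)         # 08:00 to 19:59

# Constructed mail-gateway log lines in a hypothetical format (one message each).
SAMPLE_LOG = """
2009-12-01T09:12:41 from=ravi@example-corp.test to=priya@example-corp.test attachment=q4-plan.xlsx size=102400
2009-12-01T14:05:10 from=ravi@example-corp.test to=vendor@partner.test attachment=agenda.txt size=4096
2009-12-01T22:47:03 from=ravi@example-corp.test to=someone@freemail.test attachment=customer-list.xlsx size=3145728
this line is not in the expected format
""".strip().splitlines()

LOG_PATTERN = re.compile(
    r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) "
    r"attachment=(?P<file>\S+) size=(?P<size>\d+)$"
)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one gateway line; return None for lines that do not match the format."""
    m = LOG_PATTERN.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["size"] = int(event["size"])
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def review_attachment(event: Dict) -> List[str]:
    """Indicators a reviewer would want to see for one outbound message."""
    reasons = []
    rcpt_domain = event["rcpt"].rsplit("@", 1)[-1].lower()
    external = rcpt_domain not in INTERNAL_DOMAINS
    ext = ("." + event["file"].rsplit(".", 1)[-1].lower()) if "." in event["file"] else ""
    if external:
        reasons.append("external recipient")
    if external and ext in WATCHED_EXTENSIONS:
        reasons.append("business document leaving the company")
    if event["size"] > SIZE_LIMIT:
        reasons.append("large attachment")
    if event["ts"].hour not in WORK_HOURS:
        reasons.append("sent outside working hours")
    return reasons


def scan_log(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Alert on messages that go outside the company with at least one further indicator."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue                      # malformed lines are skipped, not crashed on
        reasons = review_attachment(event)
        if "external recipient" in reasons and len(reasons) >= 2:
            alerts.append((event["sender"], event["file"], reasons))
    return alerts


if __name__ == "__main__":
    for sender, filename, reasons in scan_log(SAMPLE_LOG):
        print(f"ALERT {sender} sent {filename}: {', '.join(reasons)}")
```

Requiring two indicators keeps the routine exchange with a partner (the small text file in the sample) out of the alert list while the large spreadsheet sent to a webmail address late at night is surfaced for a human to look at.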


It’s Advantage, Unified Threat Management Solutions!

With vulnerabilities in the digital world rising by the minute, keeping organisation networks safe is becoming an acutely challenging task. Wadpack, a manufacturer of corrugated packaging material, opted for a comprehensive threat management solution that has been acting as a shield against the security menace.

Bangalore-based Wadpack is one of the pioneers in manufacturing corrugated fibre board containers. The company is quite tech savvy and is always on the look-out for new concepts and technologies in the packaging industry.

Wadpack, which uses ESS’s ERP ebizframe from its multiple locations, wanted to ensure secured connectivity between branches. “Ensuring the security of data transacted through the ERP system was quite critical for Wadpack, along with linking its various locations. After a careful analysis we opted for the Watchguard unified threat management (UTM)* solution, suggested by ESS, to secure our virtual private network or VPN,” says Sankaran Narayanan, finance controller, Wadpack. The solution was implemented by ESS with the help of Medley Marketing, New Delhi, one of the key Watchguard Secure Partners (WSP) in India.

At Wadpack, ESS also manages the entire IT requirements in addition to managing its ERP system. “Since the Wadpack management wanted to focus on growth, profitability and operational efficiency, it decided to leave the task of efficiently managing the IT function, including IT infrastructure security, to ESS,” says Narayanan.

* A UTM is an all-inclusive security system that can perform multiple security functions. It can function as an all-in-one security tool—acting as a firewall, antivirus, anti-spam solution, VPN security tool, content filtering tool, and a lot more. To know more about a VPN, refer to the box.

Easy to manage, and economical

The major benefit of a UTM is that so many necessary functions are combined into one solution. This saves businesses time, money and hassles, affirms Anil Bakht, managing director, ESS. “Maintaining network security can often become complex and confusing, but when all security features are combined into one system, it is easy to see how all the functions are integrated and how they work together. Also, because it is coming from a single vendor, training and support for the entire system also comes from a single vendor. A single-window solution helps reduce the hassles associated with managing multi-vendor security systems,” he suggests.

IT’s a networked world

Most organisations work in networked environments these days where all computers are connected, not only in one office, but across branches. This becomes an organisation’s virtual private network or VPN. Apart from this, these machines that are connected over a VPN also connect with computers in the outside world or public network through the Internet. Organisational networks are vulnerable to attacks as precious data traverses from one end to the other. This can leave a company’s operational resources, customer data, proprietary tools and technologies, and intellectual capital in danger of being stolen, misused, or vandalised by third parties.

Technology tools that may help

Business units today have begun to look around for solutions that can help them protect their software applications, like ERP, CRM, etc, and also their IT and data infrastructure, observes Ram. Now, let us take note of a few IT tools that can help businesses to pro-actively deal with this challenge:

Identity authentication tools

It is not possible to validate or authenticate the identity of all staff members or customers manually, every time they attempt to access organisational information. This is because small firms operate with fewer resources, and manual authentication may lead to transaction processing delays. To address this problem, companies can opt for tools like biometric devices, which can validate the identity of an employee by validating physical traits like fingerprints, vein patterns, etc, and automate the process of allowing information or network access to only authorised staff or customers, suggests Ghildiyal. Agarwal seconds the thought and suggests: “This is a great option if you want to add an extra layer of security to certain areas such as server rooms, electrical control panels, etc.”

Mody however feels that while biometric devices are quite relevant for businesses like jewellery shops that have precious assets, for a company with more than 100 employees, such devices can be a real problem if used at the entrance gate. He explains the flip side: “You will have a long queue of employees while coming in or going out of the organisation premises, either at the start of the day or at lunch time. There is a school of thought that claims that biometric devices help prevent the buddy system that involved the problem of proxy attendance. But I would advise keeping biometric devices only at places where companies store their sensitive information, which could be their server room or where the accounts or sales team sits. The selective application of such devices can still be made. Otherwise biometric devices cost two or three times more than RFID* (radio frequency identification) card-based systems, which are also a viable alternative.”

* RFID tags refer to small electronic devices that are made up of a small chip and an antenna. The device can carry approximately 2,000 bytes of data. And, just as information can be retrieved or read from bar codes or magnetic strips via a scanner or bar-code reader, RFID devices also require a scanner to retrieve the information stored in them.

Information security tools

Companies that have online systems or processes and depend on data and information assets must consider information security technologies like firewalls, antivirus software, information authentication, encryption* tools, etc.

* Encryption is the process of converting information given in plaintext into an unreadable format, which can be decoded by a person possessing a special key/password to convert the coded text into plain text again.

Mody shares details about solutions that his company, eBrandz, has adopted. “I personally feel that if an organisation has more than 25 PCs then antivirus is useless without a hardware firewall. Besides, most firewalls have the antivirus component built into them. So you do not need to invest separately in the antivirus.” Not spending on such intrusion prevention systems (like firewalls) makes mission critical systems and information vulnerable to new attack variants, warns Soi. Agarwal agrees and adds: “This works really well to control and, more importantly, monitor the kind of information your employees have access to and also what they are doing with it (saving, e-mailing, copying to USB drives, sending to competitors, etc).”

Many a time organisations resort to using pirated software to avoid investing in buying original software. Soi cautions that use of pirated software brings spyware to the system without the knowledge of the user, putting the organisation’s information at risk.

Considering the kind of threats that security vulnerabilities expose an organisation to, it would be wise for firms to first look within, for any existing or probable security loopholes, and then around them to devise strategies and deploy tools to address security gaps. Most importantly, firms should create a culture of monitoring and observing safe practices to safeguard organisational assets.

Tools to safeguard physical assets

Many organisations assign laptops to their workforce to enable them to keep in touch with the firm from anywhere, anytime. In such a scenario, the security of the laptops, which invariably carry crucial work-related information, is vital.

Organisations can have encryption software installed on all the desktops and laptops to avoid the risk of data theft in case a computer is stolen or misplaced, suggests Soi. There are two types of encryption tools. One type is used to encrypt files, digital documents or e-mails that an organisation sends out to people, within or outside the organisation, over the Internet. The other type of encryption tool is used to convert the data on the hard drive of a computer into an unreadable format, in such a way that it can’t be made readable again unless a password is entered. This tool is useful to prevent data loss in the event of theft or the loss of a laptop.

An RFID (radio frequency identification) asset tracking system is another solution, which can help in safeguarding assets like laptops or any other expensive devices. The RFID tracking system keeps track of assets whether placed within the bounds of the organisation or even when anyone moves out of the company gates.

Tools for network security

To ensure organisational network security*, a firm can disable the use of USB drives on PCs/laptops, advises Mody. “Apart from this, have your network configured in such a way that data of different departments are stored at different places. And then allow access only to authorised people. Some common data can be stored centrally, but in this case there is a need to have different levels of access rights.

“Access to Web servers* also needs to be restricted to only a few select individuals. If an organisation uses Internet-based applications like SaaS (software-as-a-service)-based ERP, etc, make sure all such applications are protected through some specific Internet-based restrictions.”

Soi explains how network access protection tools work: “A network access control system prevents access to organisational networks unless the connected computer complies with a set of standards.”

* • An organisation network comprises the local area network, a group of computers within the organisation premises or across its different branches connected to each other for the purpose of communication; the other type is a wide area network through which the organisation communicates with the world outside, over the Internet.

• A Web server is a computer program that fetches content in the form of information, data, images, etc, from the Web pages available over the Internet and delivers it via a Web browser (like Internet Explorer, Firefox, etc).
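
Soi’s description of a network access control system (no access unless the connecting computer meets a set of standards) is easier to reason about when the standards and the decision are written down. The following is an added example, not code from the article or from any product or organisation it names: a Python model in which a hypothetical NAC agent reports a machine’s posture (patch age, antivirus signature age, disk encryption, USB storage, domain membership), the network’s standard is a small data class, and the decision is one of allow, quarantine (a remediation network where the machine can update and retry) or deny. The standard’s values and the three sample laptops are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List


@dataclass
class DevicePosture:
    """What a hypothetical NAC agent reports about a machine asking to join."""
    hostname: str
    os_patch_date: date            # last successful OS update
    av_signature_date: date        # last antivirus signature update
    disk_encrypted: bool
    usb_storage_disabled: bool
    domain_joined: bool


@dataclass
class Standard:
    """The 'set of standards' the network requires; values are assumed policy."""
    max_patch_age_days: int = 30
    max_signature_age_days: int = 7
    require_disk_encryption: bool = True
    require_usb_disabled: bool = True
    require_domain_join: bool = True


# Failures that mean the machine should get no access at all; any other
# failure sends it to a remediation network where it can update and retry.
HARD_FAILURES = {"disk not encrypted", "not joined to the company domain"}


def evaluate(posture: DevicePosture, standard: Standard, today: date) -> List[str]:
    """List every way the reported posture falls short of the standard."""
    failures = []
    if (today - posture.os_patch_date).days > standard.max_patch_age_days:
        failures.append(f"OS patches older than {standard.max_patch_age_days} days")
    if (today - posture.av_signature_date).days > standard.max_signature_age_days:
        failures.append(f"antivirus signatures older than {standard.max_signature_age_days} days")
    if standard.require_disk_encryption and not posture.disk_encrypted:
        failures.append("disk not encrypted")
    if standard.require_usb_disabled and not posture.usb_storage_disabled:
        failures.append("USB storage enabled")
    if standard.require_domain_join and not posture.domain_joined:
        failures.append("not joined to the company domain")
    return failures


def admission_decision(posture: DevicePosture, standard: Standard, today: date) -> str:
    """Return 'allow', 'quarantine' or 'deny' for the connecting machine."""
    failures = evaluate(posture, standard, today)
    if not failures:
        return "allow"
    if any(f in HARD_FAILURES for f in failures):
        return "deny"
    return "quarantine"


# Constructed sample postures for three laptops on an assumed check date.
CHECK_DATE = date(2009, 12, 15)
SAMPLE_POSTURES = [
    DevicePosture("acct-lt-01", date(2009, 12, 1), date(2009, 12, 14), True, True, True),
    DevicePosture("sales-lt-07", date(2009, 10, 1), date(2009, 12, 14), True, True, True),
    DevicePosture("visitor-lt", date(2009, 12, 10), date(2009, 12, 14), False, False, False),
]


def decide_all(postures=SAMPLE_POSTURES, standard=Standard(), today=CHECK_DATE):
    """Map each sample hostname to the admission decision for it."""
    return {p.hostname: admission_decision(p, standard, today) for p in postures}


if __name__ == "__main__":
    for host, decision in decide_all().items():
        print(f"{host}: {decision}")
```

Separating hard failures (which deny outright) from soft ones (which quarantine) is the practical point: a laptop that is merely behind on patches should be pushed to update, not locked out, while an unencrypted machine that is not the company’s should never reach the internal network.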

Surveillance tools

Have CCTV (closed circuit TV) cameras across the entire premises to monitor physical threats (external/internal). The devices enable not just real-time monitoring but also keep records for future reference, says Soi. Mody agrees and says that CCTV cameras are also a must for any organisation that has more than 25 to 30 employees. “This will deter people from stealing devices or cash. In serious cases, it might help the police track down culprits,” he adds.

Agarwal feels that having CCTV cameras is a good option for firms that are into manufacturing and need to monitor labour movement and behaviour. “Firms can also have CCTV cameras to monitor strategic locations,” he observes. Currently, these devices are slightly expensive, but the cost is decreasing rapidly.

The way the RFID tracker works for laptops

RFID, a combination of radio-frequency-based and microchip technology, helps in identifying an asset. For tracking, an active RFID tag of 1.5” (3.8 cm) to 0.765” (1.9 cm) is embedded into the laptop.

The RFID reader has both the laptop’s ID as well as the employee’s tag ID associated with it. Each time a person passes through the main door/entrance gate where the reader is installed, the tag in the laptop transmits the information stored in it to the RFID reader. Interestingly, the presence as well as movement of a laptop is picked up from a distance of over 30 feet (9.1 metres). The ability to detect a laptop even if it is placed in a moving car enhances this system further.
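
The box describes the reader holding both the laptop’s tag ID and the employee’s tag ID; what makes that association useful is the check the gate performs with it. The following is an added example, not code from the article or from any RFID vendor: a Python model of the gate-side logic, in which each pass through the reader yields the set of tags picked up together, the asset register says which employee each laptop is issued to, and the check raises an alert when a laptop leaves without its assigned employee (or an authorised carrier) or when a laptop tag is not in the register at all. The tag IDs, the register and the sample reads are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed asset register: which employee tag each laptop tag is issued to.
LAPTOP_OWNER: Dict[str, str] = {
    "LT-0001": "EMP-101",
    "LT-0002": "EMP-102",
    "LT-0003": "EMP-103",
}

# Tags allowed to carry any registered laptop out (assumed: IT support staff).
AUTHORISED_CARRIERS: Set[str] = {"EMP-900"}


@dataclass
class GateRead:
    timestamp: str
    direction: str        # "in" or "out"
    tags_seen: Set[str]   # every tag the reader picked up in one pass


@dataclass
class Alert:
    timestamp: str
    laptop: str
    reason: str


def check_gate_read(read: GateRead) -> List[Alert]:
    """Compare laptop tags seen at the gate with the register of who carries them."""
    alerts = []
    for tag in sorted(read.tags_seen):
        if not tag.startswith("LT-"):
            continue                        # employee tags matter only as companions
        owner = LAPTOP_OWNER.get(tag)
        if owner is None:
            alerts.append(Alert(read.timestamp, tag, "laptop tag not in asset register"))
            continue
        if read.direction != "out":
            continue                        # bringing a laptop in is not an exception
        if owner in read.tags_seen or read.tags_seen & AUTHORISED_CARRIERS:
            continue                        # assigned employee (or a carrier) is present
        alerts.append(Alert(read.timestamp, tag,
                            f"laptop left without assigned employee {owner}"))
    return alerts


def process_reads(reads: List[GateRead]) -> List[Alert]:
    """Run the check over a sequence of gate passes and collect every alert."""
    return [alert for read in reads for alert in check_gate_read(read)]


# Constructed sample of one day's gate passes.
SAMPLE_READS = [
    GateRead("2009-12-15T08:58", "in", {"LT-0003", "EMP-103"}),
    GateRead("2009-12-15T13:02", "out", {"LT-0001", "EMP-101"}),
    GateRead("2009-12-15T13:05", "out", {"LT-0002", "EMP-101"}),   # wrong employee
    GateRead("2009-12-15T18:31", "out", {"LT-0003", "EMP-900"}),   # authorised carrier
    GateRead("2009-12-15T18:40", "out", {"LT-0009", "EMP-103"}),   # unregistered laptop
]


if __name__ == "__main__":
    for alert in process_reads(SAMPLE_READS):
        print(f"{alert.timestamp} {alert.laptop}: {alert.reason}")
```

Because the reader picks up every tag in range on one pass, the check works on the set of tags seen together rather than on single reads; that is what lets it tell “employee leaving with their own laptop” apart from “a laptop leaving with someone else”.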
