NEXT100 Winner 2017 SN Sasikumar, Assistant General Manager, TVS & Sons Pvt. Ltd. shares his views on the challenges, laws, standards and certifications related to IT security
IT security plays a prime role in helping create the environment needed to set the ground for implementing successful Information Technology plans
The first step in improving the security of an IT system is to answer these basic questions:
- What am I trying to protect and how much is it worth to me?
- What do I need to protect against?
- How much time, effort, and money am I willing to expend to obtain adequate protection?
These questions form the basis of the process known as risk assessment. Risk assessment is a very important part of the IT security process. We cannot formulate protections if we do not know what we are protecting and what we are protecting it against. Once we know our risks, we can plan the policies and techniques we need to implement to reduce them.
IT security is a complex topic and evolves almost as fast as technology itself does.
If we use computers at home or at work, we carry a certain level of responsibility. Security is everyone’s responsibility, whether you are a regular or occasional user, a server administrator, a network administrator, a manager or a general manager. For anyone responsible for systems or networks, understanding what the central security issues are, taking prudent actions to protect our systems, and putting a set of effective security policies in place are critical steps.
These steps ensure that our IT systems and information are secure from unauthorized access and that we are able to exchange that information securely with others on the network.
Many technically skilled people use computers, so advice and assistance from peers is easily obtained. When computer or network problems arise, such as the spread of a virus, there is a rich set of information channels through which news and security patches are transmitted.
Security failures occur in organizations, yet few breaches are made public in the press or become known through electronic social media (Facebook, Twitter, etc.). Many failures go unreported because public knowledge of an IT security breach could invite further intrusions and other unwanted results. Organizations can generally withstand some level of security failure. However, the consequences of a security failure can be considerably more serious when it does occur, because a lack of awareness may lead to more massive breaches, and a malicious attack may prove far more disastrous in terms of money, reputational damage and loss of trust.
Criminal activity migrates to places where controls are poor and security is weak. IT systems are likely to make attractive targets in companies that are less conscious of IT security. Organizations need to build capacity, both in trained human resources and in the technological infrastructure that will protect them from being easy targets for hackers.
With the increasing use of voice over IP and digital telephony protocols, and the emergence of 4G in India and 5G technologies in the US and other developed nations, security issues in this space need to be clearly understood and addressed.
Emerging Technology Adoption Threats Create Complexity
The IT environment is changing rapidly with the introduction of new products, especially the digital revolution in mobile devices, laptops and cellular phones, which present different challenges to infrastructure and data security. Emerging computing applications, including e-commerce, also add complexity to the networked environment. From ATM machines to online banking, these capabilities offer convenience and cost savings, but they also introduce new opportunities for theft and fraud. To make matters worse, would-be attackers are now able to develop blended threats, combinations of Trojans, viruses and worms that may cause greater damage to IT systems and data than any individual form of such “malware”. Since these developments affect every user of technology in the organization, awareness of general IT security issues, including the existence and prevalence of specific security threats, will help users, managers and policy makers design effective strategies to strengthen their networks, at home and at work, against breaches.
In spite of the challenges, IT managers in public and private companies are investing in new tools, communication technologies (such as e-mail, VOIP and Wi-Fi) and business software to assist in running their day-to-day operations. The advantages of these IT devices and services in efficiency, outreach and cost savings are clear:
- E-mail improves business communications with customers, partners and suppliers
- VOIP provides expanded data protection and management capabilities, resulting in better record-keeping for financial managers, better customer analysis for sales and marketing managers, and better production statistics for line managers
- Wi-Fi enhances the ability to access large quantities of information quickly and cheaply
However, these improvements are not without risk, and so some organizations may choose to outsource their security needs. Some experts say that outsourcing non-core services like IT security has been the corporate strategy. In addition, some organizations take a specific interest in global security needs, particularly those of developing countries. As an example, the Information Systems Audit and Control Association (ISACA) has partnerships in all major countries and provides case studies and programs from various countries, all available as open source. ISACA also offers an audit and control framework for organizations that includes checklists for outsourcing situations. Whether conducted and controlled in-house or through outside vendors, developing and maintaining a strong security infrastructure, policies and procedures is a balancing act for most enterprises. Executives, managers and policymakers must weigh the risks and set a standard that balances the investment in security against the official objectives and bottom-line growth of the company. Once a company has achieved the desired level of security, management must not forget the importance of keeping systems up to date and performing regular audits of the security plan. Security is an art form rather than a science, and requires the coordination of many creative thinkers to ensure its successful impact on an organization and on society as a whole.
Regulators should consider how broadly to extend supervision and enforcement over electronic transmission methods. The primary reason most people give for refusing to use electronic transmission methods is fear that their information is not adequately protected. However, people have now begun to understand and adopt electronic modes of payment in their day-to-day lives (digital wallets such as Paytm, OLA Money, PhonePe, etc.), supported by the digital transformation drive of the present Narendra Modi government. Proper protection could strengthen consumer confidence and market discipline, paving the way for greater use of electronic financial systems.
IT Security Laws
All countries now have IT laws in place addressing abuses of a computer or network that result in loss or destruction of the computer or network, as well as associated losses. The law should also provide the tools and resources needed to investigate, prosecute and punish perpetrators of cyber crimes.
One key issue is that most companies and countries need to improve information exchange between regulatory and law enforcement agencies. Many companies and countries have several agencies gathering critical information. This data is shared among these agencies, or with the agencies of other nations (sometimes for legal reasons), as governments try to leverage scarce resources to regulate and battle crime in the electronic environment; this makes information sharing and international cooperation a critical activity.
Standards, Roles and Certification
Both public and private entities should work cooperatively to develop standards and harmonize certification schemes. The two categories that require particular attention in terms of certification are electronic security service providers and transaction elements. In order to enable secure electronic transactions, financial regulators would require licensing of vendors that directly affect the payment system. The security industry has developed a Security Expert certification. By using a certification approach, the industry benefits by providing consumers with a recognizable structure, accountability between the industry and its experts, and a means of separating the approved expert from the self-proclaimed expert. It also elevates the field of security to a professional status and creates an incentive for the industry to raise and protect standards.