Beware of a 'Wikileak' at your office

  •  In News
  •  Dec 12, 2013

WikiLeaks has shown that organisations need to manage risk proactively to protect their information.

The recent revelations made by the Julian Assange-led WikiLeaks have not only stormed governments around the globe, but have also rung the warning bell for many IT managers sitting in their comfort zones with outdated information security policies in the Web 2.0 world.

According to industry experts, the WikiLeaks incident (especially the diplomatic cables) has confirmed that intentional data theft and copying are not limited to financial motivations alone. Political and ideological exploits can impact governments and non-governmental organisations in a massive way. As it appears, most of the new material on WikiLeaks has been posted by insiders, posing a substantial challenge to companies that are also grappling with flat security budgets, shifts in security policies, and a shortage of qualified IT staff.

What's more, the rise of mobility, social media and cloud-based applications has posed a serious threat to information. And the worst part is that the majority of organisations still don't have an efficient risk management policy in place to fight cyber criminals. In fact, experts believe that many of them are yet to fully grasp the seriousness and relevance of having such a policy in the first place, leaving a big hole in their entire security system.

Challenging times

Industry estimates put the total losses associated with cyber crime at more than $1 trillion a year. While everyone understands the unlimited opportunities created and available from this shared global infrastructure known as cyberspace, only a few understand the ever-evolving threats presented in cyberspace at an individual, organisational and national (or societal) level, adds Sumeet Parashar, Chief Information Security Officer, CSC, India.

In 2010, there have been at least 301 security breaches resulting in the exposure of more than 8.2 million records. Also, a Webroot survey of 803 IT professionals at small and medium-sized companies reveals that Facebook, RSS feeds, and related Web 2.0-based malware are going to be more difficult to manage than e-mail-based threats.

The estimates suggest that while on one hand the fear is that threats can arise from any unsuspected source, the problem gets really complicated when employees also fail to be on the same page on security policies. While the support of management and resource allocation is important, architecting for security can only become effective and pervasive when everyone in the organisation is aware of the security policies of the organisation and follows them through a step-by-step approach, says Prashant Mali, President, Cyber Law Consulting.

The problem is also complicated since we have less legislation for data, and whatever is available is insufficient to deal with the present scenario plagued by cyber crimes. Also, as a country, we do not have a redressal chain or body for governance to ensure a better picture related to data for individuals and corporates, says Jacob Livingstone, Manager (IT) at BEC.

Plan your security

In today's cyber age, it is important that every business realises the need for a strong risk management architecture, as it needs to protect its trade secrets, proprietary information, and the Personally Identifiable Information (PII) of its customers or employees. Good risk management will always force you to think about what your assets are and what will happen to you or your company if something happens to those assets. How likely is it that something will happen to them, etc., says Thiru Vengadam, MD, IFS Solutions India.

According to Ashish Dhawan, Country Lead, Enterprise Business, Juniper Networks, the risk management policy should be planned keeping in view the following:

  •  Organisational objectives: to ensure the effects of uncertainty do not hinder the business objectives of the organisation.
  •  The required involvement of all relevant stakeholders.
  •  Current industry drivers and trends as applicable to the organisation.

Also, it's important to analyse the Return On Investment (ROI) before making any risk assessment plan, as spending more money on protecting your assets than their real value is always a bad idea. If you have a gold watch (value Rs. 1000), then your protection should not cost more than Rs. 1000 because if you spend more than that, it will be cheaper to buy a new gold watch if something happens to it, advises Thiru Vengadam, MD, IFS Solutions India.

Steps to follow

Putting policies in place is only a first step; the IT manager needs to make sure that these policies are effectively enforced in the organisation. While it might be impossible to completely eliminate risk in a challenging IT environment, IT managers are advised to adopt a risk-reduction strategy by implementing a solution that allows the organisation to prioritise security and compliance efforts based on risk level.

First and foremost, it's critical to develop awareness of IT risks; therefore, a clear assessment is needed to consider the organisation's current requirements, capabilities and vulnerabilities. This stage involves identifying and classifying threats, issues, vulnerabilities, and weaknesses, and assigning each a priority according to risk. The second phase revolves around quantifying business impacts, which is considered to be the most challenging and important step, as it's not possible to analyse the impact, positive or negative, of addressing an area of IT risk without making the complications known to an IT head.

While many solutions are available to solve these challenges, each offering its own set of features and functionality, an organisation should follow criteria for evaluating these solutions by assessing their levels of IT risk, develop remediation roadmaps, and ultimately build effective, continuous IT risk management programmes, advises Shantanu Ghosh of Symantec.

The third stage helps design a set of recommended solutions after a careful analysis of a problem. This phase also includes detailed costing analysis to keep the costs and benefits of proposed initiatives aligned to organisational goals, which might mean a custom-based solution. From our experience, we have to develop our own process. This is completely based on the individual company and certainly needs a customised business approach, says Vishal Bisht, IT manager of Marksman Technologies.

Once implementation of the first wave of IT risk solutions is underway, organisations should institute programmes for continuous improvement and ongoing governance of their IT risk management programme. The fundamental thread between all these rules is that there has to be a monitoring method put in place to see who is accessing the information and how it is being used. Technology alone is not enough for achieving this, but companies need strong processes as well, says Prakash Baskaran, Founder & CEO, Pawaa Software.

In addition, in order to tackle the new-age threats, enterprises should explore using the services of skilled professionals who can help to secure the digital data and to develop and automate IT policies. However, at the end of the day, it's the ability to enforce a policy or continuously monitor the status against the policy over time that provides the real value.

