In-house IT security threat worries corporates now

CIO-PricewaterhouseCoopers survey shows 83% security breach occurred due to loopholes in internal security system

For several years, Information Technology (IT) security officers had been losing their sleep over viruses, Trojan horses and worms. These were external threats. Now, it's the enemy within that is prompting them to be vigilant.

According to a survey conducted by CIO-PricewaterhouseCoopers (PwC) in August this year, out of the total security breach incidents in companies and institutions, 83 per cent were due to the loopholes in internal security. Experts are of the view that companies spend very less on IT security, giving rise to such incidents.

The survey report showed that 22 per cent of the country's Chief Information Officers (CIOs) had reported three to nine incidents of security breach during the last year. Global State of Information Security Survey (August 2008) suggests that 83 per cent of these threats faced by the Indian companies are because of internal security breach.

The internal security breach by employees constitute 43 per cent, former employees (28 per cent) and partner/supplier (12 per cent). Forty-two per cent of the companies that were surveyed suffered financial losses, while 35 per cent suffered intellectual property losses.

Recently, an employee of an Ahmedabad-based software development company was leaking out information about the projects on one of the clients' blog.

"The employee wrote on the blog that he could do the project at one-tenth of the cost as a freelancer," said Sunny Vaghela, an IT security expert. Finally, a trap was laid to catch the employee, and he was later terminated from service. The US-based client cancelled the project when they came to know that information was leaked about the project, Vaghela added.

In another incident, a disgruntled employee of an IT company, who was fired from the company due to his irresponsible behaviour, started sending e-mails to the clients by creating a fake e-mail account. The employee used abusive words in the letters telling them not to outsource work to the company. The foreign client never came back to that company.

Meera Ramnivas, DIG, CID (Crime) admitted that there are lot of cases in which internal security breach takes place. "The internal security breach is a serious issue. You will not find many examples as most of the companies don't want to come forward to report such incidents. They feel their reputation will take a beating."

The need for internal security is massive. The Directorate of Security Council of India (DSCI) has also realised this. Along with the department of IT, DSCI is now coming up with its own report on security in the IT and ITeS sector.

"We are in the process of preparing the report, which will be released in Bangalore in December. Based on the findings, we will be able to measure the need of securitising the IT/ITeS sector. At this point, we have made it mandatory for them to get the security audit done. We are also in the process of incorporating the financial services sector under this," said DSCI Chairman Shyamal Ghosh. The statutory body under NASSCOM is committed to uphold a high-level of data privacy and security standard.

L K Pathak, senior manager with the Ahmedabad-based Elitecore Technologies, said: "Companies spend a lot on external threat. But when it comes to internal security, they don't have any option, but to trust their employees. They don't have monitoring as well as control on the employees."

Elitecore Technologies, a unified threat management system appliances manufacturer, has now recently come up with an internal security appliance.

The threat is valid and is gradually being recognised. "You cannot isolate the employee of the company from the system. The companies have only two options. Either to trust them or go for internal security and internal audit to find out what is happening in the system," said Saumil Shah from Net-Square, a company specialising in penetration testing, and internal or external security audits.

Please read our terms of use before posting comments
TERMS OF USE: The views expressed in comments published on indianexpress.com are those of the comment writer's alone. They do not represent the views or opinions of The Indian Express Group or its staff. Comments are automatically posted live; however, indianexpress.com reserves the right to take it down at any time. We also reserve the right not to publish comments that are abusive, obscene, inflammatory, derogatory or defamatory.