
List:       isn
Subject:    [ISN] Hiring hackers to protect systems
From:       mea culpa <jericho () dimensional ! com>
Date:       1999-01-27 20:54:00


Forwarded From: Stuart Sabel <stuarts@seanet.com>

Hiring hackers to protect systems
By P. Vikram Reddy, The Hindu
HYDERABAD, Jan. 24.

The statement that ``People are hiring hackers to protect themselves from
hackers", perhaps reflects best the extent to which IT companies as also
other organisations, for whom information is the most valuable asset, are
forced to go, to protect their systems. 

With focus shifting to India, the next question one needs to ask is how
strong are the information security systems here. Or for that matter what
is the level of awareness of the information security systems? It is
against this background that the KPMG Peat Marwick (KPMG), the global
professional advisory firm, has decided to launch India's first
Information Security Survey (ISS). It is perhaps appropriate that it was
launched in Hyderabad, which is attracting a lot of IT activity. 

With 92,000 people collaborating worldwide, the firm provides consulting,
tax and audit services from over 825 locations in 157 countries. It has
been conducting Information Security Surveys in the U.S. and the U.K. 
periodically. India happens to be only the third country where the
organisation has taken up such a survey. 

About 3,100 Indian corporates will be covered by the survey, based on a
detailed postal questionnaire. Of them 146 are from Andhra Pradesh and 88
from Hyderabad. The ISS is conducted by Information Risk Management (IRM) 
practice, a specialist within the KPMG. 

``Looking at the imminent growth of India on the world technology map,
KPMG has targeted it as the next most important location to conduct the
survey'', says Mr. Sridar A. Iyengar, CEO. And as Mr. Sanjay Dhawan,
Director, says ``With business getting so globalised, risks and procedures
and policies do not change from country to country''. 

The IRM practice has been conducting a biennial ISS of the U.K. and
Ireland since 1996, to investigate the state of security. The 1998 U.K.
survey has been an eye opener. It shows that electronic commerce
represents a major security threat, the year 2000 date format problem and
economic and monetary union in Europe are highlighting security issues. Of
more concern is the finding that security offences are going undetected,
recovery plans remain untested and security policies are inadequate. 

The single most important business issue in terms of its likely impact on
security was considered to be electronic commerce followed by mobile
computing. Almost two-thirds of the organisations used Internets. But over
three quarters of them had not tested the security of their internet site,
and less than half had procedures covering internet use. A third of
Internet users had systems which do not provide security violation
reporting or did not review it, and half of those using mobile computing
did not have procedures covering this. 

It was found that only half of the organisations carry out formal
reporting of security incidents and only half of these take action against
offenders.  Only a half had an approved computer security policy. What
could be the consequences? Inherent risks might result in disruption of
business operations and loss of management control. It found users were
least aware of the information security. Awareness of a formal disaster
recovery/ business continuity plan is still considered low in India. 

An interesting finding was that ``Security saves money". Organisations
were incurring losses to the tune of two to three times the cost they
would have incurred for setting up a secure IT environment at the initial
stage. And 20 per cent of respondents said that their risk management
programmes enabled them to obtain a discount on cost of insurance. 

A matter of concern is the response level. An 11 per cent response is
considered good. Even in the U.K. where the survey covered 15,000
companies, only 1,000 responded. About 52 per cent were from IT companies,
33 per cent finance and 15 per cent others. ``If companies do not respond
and we alert them to their problem (through questionnaire) - our objective
would have been met (of creating awareness)", says Mr. Dhawan. 

What about the post survey scenario? The KPMG has been instrumental in
designing IT security, IT risk management, system reviews and IT control
environment review. But how many surveyed companies come back for
consultancy? ``We do not monitor how many seek consultancy", says Mr. 
Dhawan, reflecting the veil of secrecy around such information. 



-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
