e-Security: The way ahead - Cover Story - Network Magazine India
Issue of January 2003
Techscope 2003: e-Security
e-Security: The way ahead
India Inc has finally woken up to the security threat. But merely deploying firewalls or
anti-virus solutions isn't enough. Here's how organizations need to strengthen their
defences in the wake of new threats.
by Vishwajeet Deshmukh
A global study by KPMG in 2000 reveals that Indian companies achieved the dubious
distinction of having the highest number of e-commerce security breaches in the world at
23 percent, followed by the UK and Germany at 14 percent. Of the 60 percent of companies that were
victims of some security breach, 21 percent recorded an actual loss in revenue. About 58 percent have
still not been able to quantify their loss. According to a PWC-CII study, only five percent of the
survey respondents reported a revenue loss of over Rs 5 million.
Over 65 percent of the respondents admitted to not running security audits on e-commerce systems.
Only 50 percent have incident response procedures in place in case of a security breach, and 83
percent of the firms that were victims of a security breach have taken no legal action. About 38
percent fail to perform background checks on entities that assist them with development,
maintenance and/or administration of their e-commerce systems.
Almost 70 percent of Indian firms conduct background checks on e-commerce system suppliers. And
72 percent of companies said they were reluctant to report security breaches for fear of damaging their
There is no doubt that India Inc has woken up to the reality of security threats. In the past year
(2002) the number of companies implementing a security policy has doubled. However, effective
security implementation is still lacking, owing to the absence of a clearly defined security policy.
Merely deploying firewall, IDS and anti-virus solutions is not enough. What is needed is a set of
rules, based on the business objectives of the enterprise, to secure information and systems; in
other words, a comprehensive security policy. Further, the policy has to be documented and
reviewed and revised frequently, in step with changes in business objectives and in
technology. In other words, it has to be dynamic.
The PWC-CII survey 2002-03 illustrates the lack of a comprehensive security policy framework
across India Inc, and hence the lack of effective security implementation. To quote from the report:
Though 68 percent of the respondents accorded a high priority to security, only 41 percent had a
comprehensive security policy in place. Worse, about 47 percent of the respondents continue to
operate without a security policy.
This is a fairly large number with far reaching consequences.
To elaborate, the main areas where companies face a threat are security of online systems, system
availability, confidentiality of customer and company information, and maintenance of the integrity of
data. Further, in an increasingly networked world, it is a no-brainer that any device or client (desktop,
notebook, PDA) that the user connects to the network (Internet, intranet, or extranet) needs to
go through a firewall and an anti-virus system. Also, the entire computing infrastructure (switches,
routers, LAN, WAN, WLAN, Web servers, application servers, databases, etc.) needs appropriate