Security

IT Has The Cure For An Insecure Organisation!

Ensuring the security of an organisation's physical and digital assets is a complex task! It can't be achieved merely by building high walls of concrete around critical assets or by installing the latest IT security tools, feel experts. Here are some solutions that can help businesses keep this problem at bay!

"Let us not look back in anger or forward in fear, but around in awareness."
— James Thurber

Vandana Sharma, BenefIT Bureau
BenefIT, December 2009
During the normal course of events, the focus of most businesses is to manage day-to-day cash flows, increase market share, and so on. But there are times when this equilibrium gets disturbed; when some crack in the security system shakes the very foundations of an organisation—damaging its reputation, causing loss of data, assets or money. This leads to a battle of wits for business heads and CIOs (chief information officers), as most often they get caught unaware.

Rajat Agarwal, executive director, Bhorukha Aluminium, feels that businesses today are aware of the security threats; yet it's just not a top priority, especially when the organisation is small. However, if a small company wants to grow big in the near future, it must train its team in the routine security norms and processes and put in place technologies, that aren't too expensive, to automate security procedures for data and resource protection, and related to authorised access, avers Ram Krishna Ghildiyal, technical head, Sanvei Overseas, an international IT-based surveillance company.

Sundar Ram, vice president, Technology Sales Consulting, Oracle Asia Pacific, seconds the thought and adds: "Every organisation today, needs to cope with the key issue of securing its data, inventory, human resource, etc, from security threats. Considering this, information security has become a necessity for both small as well as the big business units to secure itself from such threats."

Security lapses may cost a fortune!
Here are a few instances where security breaches led to grave problems for organisations:
• The infamous stamp paper scam is a major case of a security lapse. "If state revenue departments—which are under constant video surveillance and have a highly trained security staff—could not prevent a class IV staff from taking out the stamp imprint, no amount of security and surveillance can be considered sufficient," remarks Ghildiyal. This calls for an aware organisation and smart use of technologies to combat the threat.
• Soi shares more: "In June 2006, a security breach at HSBC's offshore data-processing unit in Bangalore led to $425,000 being stolen from the accounts of the bank's UK customers."

But being on guard to identify vulnerabilities and threats, looking for security breaches, and simultaneously finding tools and solutions to prevent any damage from happening, isn't easy! To help our readers, we turned to various organisations to understand the strategies that they have adopted to tackle this challenge. We also spoke to experts to understand more about the vulnerabilities and the IT solutions that are available.
Security planning: the issues, and solutions

The security domain is infinitely vast and complex and requires considerable planning, says Ghildiyal. But the key issue here is that in small to mid-sized companies, security is still not given due importance and the top management do not accept it as a challenge that warrants a dedicated team of experts. Dhruv Soi, chair–OWASP (Open Web Application Security Project) India, agrees: "There is a sheer lack of security awareness in most Indian firms. The security budget is often just 5 to 10 per cent of the total IT expenditure. Internal reports are often vulnerable to manipulations. Improper/inadequate monitoring creates a big hole in security. Since organisations refrain from spending on regular third-party security audits, the real security position of the company is never clear to the top management. In scenarios like these, one infected system propagates the infection to all the systems connected into the organisational network," he adds.

Agarwal seconds the thought and adds that security breakdowns are not easy to monitor unless regular investments are made in IT tools to secure different aspects of the organisation. "Having an outsourced IT department with clear KPIs (key performance indicators)—one of which should be to monitor data security—can help. Apart from this, a thorough cost-benefit analysis should be done before choosing the right combination of tools and technologies. Factors such as threat level, size of the organisation, budget, etc, should be factored in," he adds.

Identifying vulnerabilities
Before we move on to exploring ways to deal with security-related challenges, it is important to identify and understand the security vulnerabilities that may exist in or affect an organisation at any point. The following aspects may need attention:
• Sensitive data or information: Documents including confidential reports and credit card information are all prone to security attacks, either from within the organisation or from the outside world.
• Threats from within the organisation: Employees have been known to steal sensitive data from computers, laptops or over the network using USB drives. Unsecured confidential data can also be sent to the outside world, through e-mails. Without solutions to prevent data leakage, it is hard to control it, says Soi.
Apart from this, how a company treats its employees also plays a role, feels Milind Mody, CEO, eBrandz.com. He cites a scenario: "Companies that deal with their employees fairly, earn their respect. However, there are organisations that delay giving employees their dues after they leave; that may sometimes upset an exiting employee, who could then try to steal data or, in general, act against the interests of the company." Mody suggests laying down clear policies and procedures to deal with such challenges.
• Threats via the Internet: Another threat is from viruses*, malware*, spyware* attacks, etc, which may damage, or result in the pilferage of, organisational information.

*A computer virus is a computer program that can copy itself and infect a computer.
•Malware is a type of software that can harm computers, such as computer viruses and spyware.
•Spyware is software that's implanted into a computer system to gather information about a person or organisation, without their knowledge.

• Unsecured network access: Intruding on the organisational network and/or servers* by outsiders or by disgruntled employees to pilfer sensitive data can occur at any moment, says Mody.
*A server is a high-end/high-capacity computer that is required to run multi-user applications like organisational e-mail, data back-up, storage, etc.
• Critical/valuable physical assets: Physical theft of devices like the mouse, headphones, USB hard disk drives or even cash can be another problem that organisations confront frequently, in the absence of adequate security systems, adds Mody.
• Employee poaching: Another area where organisations may need to be watchful is competitors or HR agencies on the look-out to poach good talent. To deal with this problem, Mody suggests: "If your company has a board line or EPABX (electronic private automatic branch exchange) system, make sure someone monitors incoming calls for external HR agencies trying to poach employees." But he agrees that there have been cases where HR managers from competing firms have actually stood outside a company's premises to poach its employees. In such cases, it is difficult to do anything to prevent the practice.
• Irregular processes: Non-adherence to security policies is another vulnerability that a small or mid-sized company can face. Therefore, all companies, however small they may be, must plan for a periodic security audit and must invest in automated systems rather than people-driven systems.
Management-level solutions

Deploying security tools is important, but, prior to that, having an organisational culture where both the management and employees are aware of the correct security policies and practices is equally critical. Experts suggest having the following practices to help organisations be better prepared for this challenge:

Plans and policies to counter security breaches
A company should have a security policy and a security plan, to begin with, opines Ghildiyal. "A security policy must define a company's information and other assets, its security needs, roles and responsibilities, the rights of employees, and so on. A security plan on the other hand may describe the procedures, tools and technologies that are required to implement the security plan," he adds. In fact, a security plan can also include the anomalies, special rights and data and asset recovery procedures to reduce the impact of a security lapse.

Employment agreements must be in tandem with security policies
Mody feels that it is always good to clearly define the terms and conditions/policies related to proprietary or confidential data in the employment agreements. "Also if an employee is working on projects for which the company has signed an NDA (non disclosure agreement), it should make sure that the employee also signs a similar agreement. Clearly mentioning a few examples of what is considered as corporate data theft, makes the agreement more well-defined. Get this agreement vetted by an attorney. This is a one time cost, but it has three advantages. First it makes sure that you have fulfilled your responsibility. Second it deters people from committing unethical deeds and makes them think before they unwittingly create a security breach. And the third advantage is, you can pursue the matter in court in situations where a serious security threat has been committed against the company, by an employee."

Plan security as per the nature of the business
Planning for organisational security is another important task that depends primarily upon the nature of a business. Ghildiyal agrees and says: "For knowledge-based companies that have Internet dependent processes, information is the most valuable asset. Such firms must consider information security technologies or solutions, like firewalls*, antivirus* or identity authentication systems*, etc. Similarly, companies that have large public assets must invest on surveillance technologies like video surveillance, threat detection, etc." However, some technologies like antivirus, biometric* access and identity management are uniformly applicable to all the companies as they provide the building blocks for security process implementation, he adds.

*•A firewall is a software or hardware tool that blocks unauthorised network access while allowing authorised communications.
•Antivirus software detects and blocks malicious software such as viruses, worms and spyware on the computers it runs on; it does not by itself secure the organisation's Internet access.
•Identity authentication systems or devices help authenticate or verify the identity of a person or other entity requesting access under security constraints.
•Biometrics is a technique used to recognise humans based upon one or more physical or behavioural traits, like fingerprints, face recognition, DNA, hand and palm geometry, iris recognition, voice, etc.

Avoid complex policies
It is one thing to lay down policies and procedures, and it is quite another to implement those
successfully. One key deterrent in policy adherence is the complexity of policies and procedures, believes Ghildiyal. He explains: "For example, most companies implement a 'password aging' policy, which demands all employees and customers to change their computer and/or Internet login passwords every three months. As the number of such systems increases, it becomes more of a hassle for employees and then they start using easily breakable dictionary passwords* that are not only easy to remember but can be uniformly applied at all places that require a password prior to access. Thus a theoretically sound system of 'password aging' actually creates a security hole in the system." So it is best to adopt workable policies that are simple and effective to implement and adhere to, in the long run.

*Dictionary passwords are simple or easily predictable variations of words used as login passwords.

Train your staff
Nearly 80 per cent of security breaches occur due to weak IT security systems. More than lack of security products to deal with this challenge, the problems are caused by inadequately skilled or less-aware staff. Soi suggests conducting training programmes for IT staff to empower them to tackle security breaches effectively. He says: "Security awareness training for end-users (like, people in accounts, HR, administration departments, etc) and training for IT/security staff is required, from time-to-time, to equip them with the knowledge to protect themselves and the organisation from security threats." Agarwal suggests having regular seminars to discuss issues related to security.

Better safe than sorry
Agarwal feels that it is better to limit the use of e-mails and the Internet to only those who really require it. Also, he advises that the IT managers should always monitor out-going attachments, as and when possible. Soi agrees and adds: "Regular log monitoring of servers, applications and network devices is required to keep an eye on employee behaviour, and also to take preventive actions."
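The password-aging trap Ghildiyal describes above (Welcome2009 becoming Welcome2010 at the next forced change) can be caught at the moment the password is changed. The following is an added example, not code from the article or from any of the organisations it quotes: a password-change check that collapses a candidate onto the word it is built from, rejects dictionary words and their leet or suffix variants, and rejects a new password that is merely the previous one with its counter bumped. The word list, the 12-character minimum and the leet table are assumptions made for the example; a real deployment would load a cracking dictionary and add local words such as the company name.

```python
"""Password-change check for the 'password aging' trap: dictionary words,
their leet/suffix variants, and the previous password with its counter bumped.
Added example; not the article's code. Word list, minimum length and leet
table are assumptions made for the example."""
import re
from typing import List, Optional, Set

MIN_LENGTH = 12

# Constructed word list. A real deployment loads a cracking dictionary and adds
# local words (company name, product names, city) that users reach for first.
DICTIONARY: Set[str] = {"password", "welcome", "summer", "winter", "monday",
                        "letmein", "admin", "qwerty", "december"}

# Leet substitutions that cracking rules undo; mapping them back collapses
# 'Welc0me', 'W3lcome' and 'welcome' onto the same stem.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def stem(password: str) -> str:
    """Collapse a password onto the word it is built from: drop the digit and
    symbol prefix/suffix users add to satisfy complexity rules, undo leet,
    lower-case. stem('Welc0me2010!') == 'welcome'."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return core.translate(_LEET).lower()


def is_dictionary_variant(password: str, dictionary: Set[str] = DICTIONARY) -> bool:
    """True when the password is a dictionary word or a predictable variation of one."""
    return stem(password) in dictionary


def is_rotation_of(new: str, previous: str) -> bool:
    """True when the new password shares its stem with the previous one, i.e. only
    the counter, year or trailing symbol changed (Welcome09 -> Welcome10). This can
    only be checked at change time, when the user supplies the current password in
    clear; a stored history of hashes cannot detect an incremented variant."""
    s = stem(new)
    return bool(s) and s == stem(previous)


def check_password(new: str, previous: Optional[str] = None,
                   dictionary: Set[str] = DICTIONARY) -> List[str]:
    """Return the reasons a password change should be refused (empty list = accept)."""
    reasons: List[str] = []
    if len(new) < MIN_LENGTH:
        reasons.append("too_short")
    if is_dictionary_variant(new, dictionary):
        reasons.append("dictionary_word")
    if previous is not None and is_rotation_of(new, previous):
        reasons.append("rotation_of_previous")
    return reasons


if __name__ == "__main__":
    # What a quarterly forced change tends to produce, versus a passphrase.
    for new, old in [("Welc0me2010!", "Welc0me2009!"),
                     ("Corrugate10", "Corrugate09"),
                     ("crane-tapir-ledger-41", "Welc0me2009!")]:
        print(f"{new!r:26} -> {check_password(new, old) or 'accepted'}")
```

The rotation check is the part a plain "not in the last N hashes" history misses: the stem comparison needs the old password in clear, which is available only during the change itself, so the check belongs in the change handler rather than in an offline audit.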
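Soi's advice above on regular log monitoring, and Agarwal's on watching out-going attachments, only pays off if someone writes down what "keeping an eye on employee behaviour" means as rules. The following is an added example, not code from the article or from the firms it quotes: three detection rules run over a constructed key=value log from a hypothetical mail gateway and file server. The host names, user names, field layout and thresholds (5 MB outbound, five failed logins within ten minutes, 08:00 to 20:00 as working hours) are all assumptions made for the example.

```python
"""Three detection rules over constructed server and mail-gateway logs.
Added example; not the article's code. Log format, hosts, user names and
thresholds are assumptions made for the example."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Any, Dict, List, Tuple

# Constructed sample log: one 'timestamp key=value ...' event per line from a
# hypothetical mail gateway (mailgw) and file server. Not real traffic.
SAMPLE_LOG = """\
2009-12-01T09:12:07 host=mailgw user=ravi to=hr@corp.example dir=internal bytes=18234
2009-12-01T18:45:11 host=mailgw user=ravi to=drop@webmail.example dir=outbound bytes=8411200
2009-12-01T18:46:02 host=mailgw user=priya to=vendor@supplier.example dir=outbound bytes=240000
2009-12-01T23:12:01 host=fileserver user=ravi event=login result=fail src=10.0.4.7
2009-12-01T23:12:09 host=fileserver user=ravi event=login result=fail src=10.0.4.7
2009-12-01T23:12:15 host=fileserver user=ravi event=login result=fail src=10.0.4.7
2009-12-01T23:12:22 host=fileserver user=ravi event=login result=fail src=10.0.4.7
2009-12-01T23:12:30 host=fileserver user=ravi event=login result=fail src=10.0.4.7
2009-12-01T23:12:41 host=fileserver user=ravi event=login result=ok src=10.0.4.7
2009-12-01T23:14:03 host=fileserver user=ravi event=copy path=/finance/q3-margins.xls bytes=1048576
2009-12-02T10:05:00 host=fileserver user=priya event=copy path=/sales/pricelist.xls bytes=30000
"""

MAX_OUTBOUND_BYTES = 5 * 1024 * 1024      # attachments above this leaving the firm get flagged
WORK_HOURS = (8, 20)                      # 08:00-20:00 counts as working hours (assumption)
FAIL_BURST = 5                            # this many failed logins ...
FAIL_WINDOW = timedelta(minutes=10)       # ... within this window, then a success

Alert = Tuple[str, str, str]              # (rule, user, timestamp)


def parse(line: str) -> Dict[str, Any]:
    """Split 'ts k=v k=v ...' into a dict; 'ts' holds the parsed datetime."""
    ts, _, rest = line.partition(" ")
    fields: Dict[str, Any] = dict(tok.split("=", 1) for tok in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    return fields


def detect(log_text: str) -> List[Alert]:
    """Run the three rules over the log in order and return the alerts raised."""
    alerts: List[Alert] = []
    fails: Dict[str, List[datetime]] = defaultdict(list)   # user -> recent failed-login times
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse(line)
        user, ts = e["user"], e["ts"]
        # Rule 1: a large attachment leaving the organisation.
        if e.get("dir") == "outbound" and int(e.get("bytes", "0")) > MAX_OUTBOUND_BYTES:
            alerts.append(("large_outbound_attachment", user, ts.isoformat()))
        # Rule 2: files copied outside working hours.
        if e.get("event") == "copy" and not (WORK_HOURS[0] <= ts.hour < WORK_HOURS[1]):
            alerts.append(("after_hours_copy", user, ts.isoformat()))
        # Rule 3: a burst of failed logins followed by a success (guessing that worked).
        if e.get("event") == "login":
            if e.get("result") == "fail":
                fails[user] = [t for t in fails[user] if ts - t <= FAIL_WINDOW] + [ts]
            else:
                if len(fails[user]) >= FAIL_BURST:
                    alerts.append(("login_burst_then_success", user, ts.isoformat()))
                fails[user] = []
    return alerts


if __name__ == "__main__":
    for rule, user, when in detect(SAMPLE_LOG):
        print(f"{when}  {rule:28} user={user}")
```

Run against the constructed log, the three rules fire on the same user in sequence: a large attachment to a webmail address, a run of failed logins that ends in a successful one, and a file copy late at night. Seen together, that is the "preventive action" trigger Soi refers to; seen one at a time, each is easy to explain away.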
It's Advantage, Unified Threat Management Solutions!

With vulnerabilities in the digital world rising by the minute, keeping organisation networks safe is becoming an acutely challenging task. Wadpack, a manufacturer of corrugated packaging material, opted for a comprehensive threat management solution that has been acting as a shield against the security menace.

Bangalore-based Wadpack is one of the pioneers in manufacturing corrugated fibre board containers. The company is quite tech savvy and is always on the look out for new concepts and technologies in the packaging industry. Wadpack, which uses ESS's ERP ebizframe from its multiple locations, wanted to ensure secured connectivity between branches. "Ensuring the security of data transacted through the ERP system was quite critical for Wadpack, along with linking its various locations. After a careful analysis we opted for the Watchguard unified threat management (UTM)* solution, suggested by ESS, to secure our virtual private network or VPN," says Sankaran Narayanan, finance controller, Wadpack. The solution was implemented by ESS with the help of Medley Marketing, New Delhi, one of the key Watchguard Secure Partners in India (WSP). At Wadpack, ESS also manages the entire IT requirements in addition to managing its ERP system. "Since the Wadpack management wanted to focus on growth, profitability and operational efficiency, it decided to leave the task of efficiently managing the IT function, including IT infrastructure security, to ESS," says Narayanan.

*A UTM is an all-inclusive security system that performs multiple security functions in one appliance, acting as a firewall, antivirus, anti-spam solution, VPN gateway, content filtering tool, and a lot more. To know more about a VPN, refer to the box.

Easy to manage, and economical
The major benefit of a UTM is that so many necessary functions are combined into one solution. This saves businesses time, money and hassles, affirms Anil Bakht, managing director, ESS. "Maintaining network security can often become complex and confusing, but when all security features are combined into one system, it is easy to see how all the functions are integrated and how they work together. Also, because it is coming from a single vendor, training and support for the entire system also comes from a single vendor. A single window solution helps reduce the hassles associated with managing multi-vendor security systems," he suggests.

IT's a networked world
Most organisations work in networked environments these days where all computers are connected, not only in one office, but across branches. Branch offices and travelling staff are usually linked over the public Internet, and a virtual private network or VPN is the encrypted, authenticated tunnel that carries this traffic so that the scattered sites behave like one private network. The same machines also connect with computers in the outside world through the Internet. Organisational networks are vulnerable to attacks as precious data traverses from one end to the other, and a link that is neither encrypted nor authenticated can be read or tampered with in transit. This can leave a company's operational resources, customer data, proprietary tools and technologies, and intellectual capital in danger of being stolen, misused, or vandalised by third parties.
Technology tools that may help

Business units today have begun to look around for solutions that can help them protect their software applications, like ERP, CRM, etc, and also their IT and data infrastructure, observes Ram. Now, let us take note of a few IT tools that can help businesses to pro-actively deal with this challenge:

Identity authentication tools
It is not possible to validate or authenticate the identity of all staff members or customers, manually, every time they attempt to access organisational information. This is because small firms operate with fewer resources, and manual authentication may lead to transaction processing delays. To address this problem, companies can opt for tools like biometric devices, which can validate the identity of an employee by checking physical traits, like fingerprints, vein patterns, etc, and automate the process of allowing information or network access to only authorised staff or customers, suggests Ghildiyal. Agarwal seconds the thought and suggests: "This is a great option if you want to add an extra layer of security to certain areas such as server rooms, electrical control panels, etc."
Mody however feels that while biometric devices are quite relevant for businesses like jewellery shops that have precious assets, for a company with more than 100 employees, such devices can be a real problem if used at the entrance gate. He explains the flip side: "You will have a long queue of employees while coming in or going out of the organisation premises, either at the start of the day or at lunch time. There is a school of thought that claims that biometric devices help prevent the buddy system that involved the problem of proxy attendance. But I would advise keeping biometric devices only at places where companies store their sensitive information, which could be their server room or where the accounts or sales team sits. The selective application of such devices can still be made. Otherwise biometric devices cost two or three times more than RFID* (radio frequency identification) card-based systems, which are also a viable alternative."

*RFID tags refer to small electronic devices that are made up of a small chip and an antenna. The device can carry approximately 2,000 bytes of data. And, just as information can be retrieved or read from bar codes or magnetic strips via a scanner or bar-code reader, RFID devices also require a scanner to retrieve the information stored in them.

Information security tools
Companies that have online systems or processes and depend on data and information assets must consider information security technologies like firewalls, antivirus software, information authentication, encryption* tools, etc.

*Encryption is the process of converting information given in plaintext into an unreadable format, which can be decoded by a person possessing a special key/password to convert the coded text into plain text again.

Mody shares details about solutions that his company, eBrandz, has adopted. "I personally feel that if an organisation has more than 25 PCs then antivirus are useless without a hardware firewall. Besides, most firewalls have the antivirus component built into it. So you do not need to invest separately on the antivirus." Not spending on such intrusion prevention systems (like, firewalls) makes mission critical systems and information vulnerable to new attack variants, warns Soi. Agarwal agrees and adds: "This works really well to control and more importantly monitor the kind of information your employees have access to and also what they are doing with it (saving, e-mailing, copying to USB drives, sending to competitors, etc)."
Many a time organisations resort to using pirated software to avoid investing in buying original software. Soi cautions that use of pirated software brings spyware to the system without the knowledge of the user, putting the organisation's information at risk.
Tools to safeguard physical assets
Many organisations assign laptops to their workforce to enable them to keep in touch with the firm from anywhere, anytime. In such a scenario, the security of the laptops, which invariably carry crucial work-related information, is vital.
Organisations can have encryption software installed on all the desktops and laptops to avoid the risk of data theft in case a computer is stolen/misplaced, suggests Soi. There are two types of encryption tools. One type is used to encrypt files, digital documents or e-mails that an organisation sends out to people, within or outside the organisation, over the Internet. The other type of encryption tool is used to convert the data on the hard drive of a computer into an unreadable format, in such a way that it can't be made readable again unless a password is entered. This tool does not prevent the theft or loss of a laptop, but it keeps the data on it unreadable to whoever ends up with the machine.
An RFID (radio frequency identification) asset tracking system is another solution, which can help in safeguarding assets like laptops, or any other expensive devices. The RFID tracking system keeps track of assets whether placed within the bounds of the organisation or even when anyone moves out of the company gates.

The way the RFID tracker works for laptops
RFID, a combination of radio-frequency-based and microchip technology, helps in identifying an asset. For tracking, an active RFID tag of 1.5" (3.8 cm) to 0.765" (1.9 cm) is embedded into the laptop. The RFID reader has both the laptop's ID as well as the employee's tag ID associated with it. Each time a person passes through the main door/entrance gate where the reader is installed, the tag in the laptop transmits the information stored in it to the RFID reader. Interestingly, the presence as well as movement of a laptop is picked up from a distance of over 30 feet (9.1 metres). The ability to detect a laptop even if it is placed in a moving car enhances this system further.

Tools for network security
To ensure organisational network security*, a firm can disable the use of USB drives on PCs/laptops, advises Mody. "Apart from this, have your network configured in such a way that data of different departments are stored at different places. And, then allow access only to authorised people. Some common data can be stored centrally but in this case there is a need to have different levels of access rights.
"Access to Web servers* also needs to be restricted only to a few select individuals. If an organisation uses Internet based applications like SaaS (software-as-a-service)-based ERP, etc, make sure all such applications are protected through some specific Internet-based restrictions."
Soi explains how network access protection tools work: "A network access control system prevents access to organisational networks unless the connected computer complies with a set of standards."

*•An organisation network comprises the local area network, a group of computers within the organisation premises or across its different branches connected to each other for the purpose of communication; the other type is a wide area network through which the organisation communicates with the world outside, over the Internet.
•A Web server is a computer program that holds a site's pages, data and images and delivers them, over the Internet or the organisation's network, to a Web browser (like, Internet Explorer, Firefox, etc) that requests them.

Surveillance tools
Have CCTV (closed circuit TV) cameras across the entire premises to monitor physical threats (external/internal). The devices enable not just real time monitoring but also keep records for future reference, says Soi. Mody agrees and says that CCTV cameras are also a must for any organisation that has more than 25 to 30 employees. "This will deter people from stealing devices or cash. In serious cases, it might help the police track down culprits," he adds.
Agarwal feels that having CCTV cameras is a good option for firms that are into manufacturing and need to monitor labour movement and behaviour. "Firms can also have CCTV cameras to monitor strategic locations," he observes. Currently, these devices are slightly expensive, but the cost is decreasing rapidly.

Considering the kind of threats that security vulnerabilities expose an organisation to, it would be wise for firms to first look within, for any existing or probable security loopholes, and then around them to devise strategies and deploy tools to address security gaps. Most importantly, firms should create a culture of monitoring and observing safe practices to safeguard organisational assets.
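The RFID tracker box above says the gate reader knows both the laptop's tag ID and the badge ID of the employee it is assigned to. That association is only useful if something correlates the two reads as a person passes the gate. The following is an added example, not code from the article or from any vendor it mentions: an audit over a constructed reader log that flags a laptop leaving with a different employee's badge, leaving with no badge at all (the moving-car case the box mentions), or carrying a tag that is not in the asset register. The tag ID formats, the asset register, the five-second pairing window and the log itself are assumptions made for the example.

```python
"""Correlate RFID gate reads: does a laptop leave with the employee it is
assigned to? Added example; not the article's or any vendor's code. Tag ID
formats, the asset register, the pairing window and the log are assumptions."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed asset register: laptop tag -> badge tag of the employee it is issued to.
ASSIGNMENTS: Dict[str, str] = {"LT-0001": "EMP-0107", "LT-0002": "EMP-0231"}

# A badge and a laptop read within this many seconds at the same reader, in the
# same direction, are treated as passing the gate together (assumption).
PAIR_WINDOW = timedelta(seconds=5)

# Constructed reader log: 'timestamp reader tag direction', one read per line.
GATE_READS = """\
2009-12-01T18:02:10 gate-1 EMP-0107 out
2009-12-01T18:02:11 gate-1 LT-0001 out
2009-12-01T18:30:40 gate-1 LT-0002 out
2009-12-01T18:30:41 gate-1 EMP-0107 out
2009-12-01T19:05:03 gate-1 LT-0002 out
2009-12-02T08:55:00 gate-1 EMP-0231 in
2009-12-02T09:10:12 gate-1 LT-0099 in
"""

Read = Tuple[datetime, str, str, str]     # (timestamp, reader, tag, direction)
Alert = Tuple[str, str, str, str]         # (rule, laptop tag, timestamp, detail)


def parse_reads(text: str) -> List[Read]:
    reads: List[Read] = []
    for line in text.splitlines():
        if line.strip():
            ts, reader, tag, direction = line.split()
            reads.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), reader, tag, direction))
    return reads


def badges_near(reads: List[Read], at: datetime, reader: str, direction: str) -> List[str]:
    """Employee badges read at the same reader and direction within PAIR_WINDOW of `at`."""
    return sorted({tag for t, r, tag, d in reads
                   if r == reader and d == direction and tag.startswith("EMP-")
                   and abs(t - at) <= PAIR_WINDOW})


def audit_gate(text: str, assignments: Dict[str, str] = ASSIGNMENTS) -> List[Alert]:
    """Raise an alert for every laptop read that the register cannot explain."""
    reads = parse_reads(text)
    alerts: List[Alert] = []
    for ts, reader, tag, direction in reads:
        if not tag.startswith("LT-"):
            continue                                   # badges are evaluated via the laptops
        owner = assignments.get(tag)
        when = ts.isoformat()
        if owner is None:
            alerts.append(("unregistered_laptop", tag, when, ""))
        elif direction == "out":
            nearby = badges_near(reads, ts, reader, direction)
            if owner in nearby:
                continue                               # left with its assigned employee
            if nearby:
                alerts.append(("laptop_out_with_other_employee", tag, when, ",".join(nearby)))
            else:
                # No badge at all: carried by a visitor, or read at range from a car.
                alerts.append(("laptop_out_unaccompanied", tag, when, ""))
    return alerts


if __name__ == "__main__":
    for rule, tag, when, detail in audit_gate(GATE_READS):
        print(f"{when}  {rule:32} {tag} {detail}")
```

The pairing window is the tunable part: too narrow and a laptop in a bag that clears the reader a few seconds after its owner's badge raises a false alarm; too wide and a laptop walking out just behind its owner's colleague is attributed to that colleague. Whatever the window, an "unaccompanied" alert is the one to route to the guard at the gate in real time, since the box notes the reader picks up a tag from over 30 feet, including from a vehicle.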