Ask a CIO to choose between a security budget increase and educated users, and chances are he would go for the latter, because so many of the security threats businesses face stem from a lack of user awareness. The hardest hit sectors are BFSI, ITES and those generating intellectual property. While banks and financial institutions are struggling with both internal and external user awareness issues, for ITES it is about protecting sensitive client information, as well as customers’ and their own IP, since that is what establishes their credibility as a service provider. Each of these verticals, apart from streamlining its security processes and technologies, is aggressively initiating end-user awareness programmes.
People Part of Information Security
Advisory firm Ernst & Young says that while an unaware user can be a serious information security threat to any organisation, irrespective of the industry or sector, in India the push for awareness still seems to be vertical dependent and comes mainly from the target audience or customers, depending on their stake in the information. As Terry Thomas, Partner, Risk Advisory Services, Ernst & Young, says, “Measures regarding IT security awareness vary from industry to industry. For verticals like BFSI and ITES, customers would initiate business only when they are confident of the security levels at an organisation. Especially for banks, because of the huge volume of online financial transactions, it is the customers who push for foolproof security implementations. Another vertical that takes high security precautions is pharma, because IP protection becomes critical for them.”
The need for information security awareness in BFSI is well echoed by Prasad C.V.G., CIO, ING Vysya Bank Limited, who says, “People risk, or risk associated with lack of awareness on secure use of systems, seems to be the high risk area which may lead to reputation or regulatory risk. A user, unaware of the consequences of non-secure usage of the data, is a higher risk to the organisation than any other technical issue.”
Umesh Jain, CIO, Yes Bank, agrees: “User awareness is the biggest critical factor for us, because technology can do only so much; if users are not aware then the whole structure is at risk.”
The need for IT security awareness in ITES is just as pressing, as is evident from the weight Ajuba, a healthcare BPO company, gives to the people aspect of IT security. “Out of the three major information security components, people, technology and processes, people is the most important of all,” says T Jagannathan, CTO, Ajuba Solutions. Software services biggies like Infosys Technologies are actively taking steps to ensure that employees go through the regular formal awareness process. “We track whether employees have gone through the information security process within the required timeframe, and take action to ensure that they do,” informs Prabhakar D. Mallya, Head, Security Audit & Architecture Group, Infosys.
Unaware Users A Business Risk
In BFSI, security awareness has two aspects: internal risk brought about by employees and external risk brought about by unaware customers. In a set-up like ING Vysya, the common threat posed by unaware internal users is the spread of viruses and Trojans owing to a lack of understanding of secure system usage. But the most daunting challenge is reaching people spread across a number of locations in India and bringing them to the same level of security compliance.
Adds Mahesh Gupta, Business Development Manager, Advanced Technologies, Cisco Systems, India & SAARC, “As banks gear up to expand into many branches, one of the formidable challenges they are facing is branch protection or end-point protection. How does one ensure that an interim branch of a bank has the same kind of IT security insight as the headquarters?”
As for external unaware users, or customers of a bank, the common risks arise from users sharing their password and ID with a secondary user, who then gets access to confidential information. Users often leave their password and ID on unknown sites, especially while trying to access a bank website, and many a time they land on dummy websites. These can cost banks huge business losses; as Jain informs, in the case of Yes Bank some of the threats they face are:
- In retail banking, the bank exchanges a lot of sensitive financial data of the customer for transactions, and there is a danger of leakage of such information
- In corporate banking, there is a risk of confidential data of its corporate customers reaching their competitors
- In treasury, the bank is at risk of leakage of the rates it is offering to customers
Even for ITES, any customer information leakage might mean the loss of an entire business deal. As Jagannathan informs, “We work in a tough regulatory environment, which mandates compliance with such US laws as HIPAA, FDCPA etc. Protecting sensitive client information, preventing misuse of such information and ensuring compliance with the relevant laws is fundamental to our credibility as a service provider.”
For Helios & Matheson Information Technology Limited, another IT services player focusing on healthcare, information security is a critical area of concern. As Ravindran NS, Principal Architect, Helios & Matheson Information says, “At the low end it is virus infection and at the other end of the spectrum is data loss and identity theft. There is a plethora of intermediate damage levels like corrupted code, loss of files and work in progress.”
For software service providers, it is about protecting not only the customer’s intellectual property (IP) but also their own. For Infosys, the two highest-priority assets are the sensitive information and IP of its customers. Apart from these, it has its own IP, sensitive financial and personal information, and the ICT infrastructure, all of which require the maintenance of confidentiality, integrity and availability. The consequences of an error by an unaware user can often be as catastrophic as those of an action by a malicious user.
Align Security With Business Goals
Many a time, while employees do not openly oppose security initiatives in their organisation, they do not adopt them either. This passive opposition can prove fatal to an organisation, as such employees are more likely to escape vigilance. “Therefore,” suggests Thomas, “show people how overall business objectives can be met through implementation of IT security, so people see a connection to why they are doing what they are doing.”
In this regard, a number of organisations are seriously working towards educating end users about IT security vulnerabilities and their role in combating them, through newsletters, mailers, quizzes, security portals, etc.
The Information Risk Management unit of ING Vysya Bank Limited, for instance, holds regular trainings and workshops on information security at different business and operational levels, has set up an information security awareness portal, and conducts security awareness quizzes.
Some of ING Vysya’s other initiatives include an IT Quality Management system that monitors the effectiveness of implementation of IT processes; continuous monitoring of advances in all the technology used by banks, with regular discussions with vendors and technology consultants; and ongoing security awareness programmes as part of the organisation’s training calendar.
Yes Bank has initiated three primary levels of protection amongst others:
People level: This is from an in-house employee perspective, where the bank drives user education by upgrading skills and through periodic newsletters, emails, quizzes, etc., all of which are mandatory for every employee.
Internet banking: To address the retail banking security issues it faces, the bank has a two-factor authentication process: any user with an ID and password registered with the bank is sent, by SMS, a random PIN to the mobile phone number registered with Yes Bank. Unless the user enters that PIN, he or she cannot make a transaction beyond Rs 5,000.
Corporate customers: Customers are given unique passwords for online banking, which they enter on the desktop keypad, which leads to another dynamic password.
Other initiatives by the bank include encryption of data on the WAN; a strong password policy requiring a combination of lower and upper case and a minimum length, with no password allowed to be the same as any of the last 12 passwords; network protection through firewalls, spam filters, website filters and the discouragement of freeware downloads; and logging and analysis of email interactions.
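As an added illustration (not code from the article or from Yes Bank), the following enforces the password rules described above: mixed case, a minimum length, and no reuse of any of the last 12 passwords, with the history kept as salted hashes so that old passwords are never stored in clear. The minimum length and the hashing parameters are assumptions; the article gives neither.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Assumed parameters: the article names the rules but gives no numbers
# other than the 12-password history.
MIN_LENGTH = 8
HISTORY_DEPTH = 12       # "no password can be the same as the last 12"
PBKDF2_ROUNDS = 20_000   # kept small for the example; raise in production

HistoryEntry = Tuple[bytes, bytes]   # (salt, pbkdf2 digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Salted PBKDF2-HMAC-SHA256 of the password; fresh salt per entry."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against one stored entry."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def check_policy(candidate: str, history: List[HistoryEntry]) -> List[str]:
    """Return every policy violation found; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    # Only the most recent HISTORY_DEPTH entries count as "reuse".
    if any(matches(candidate, s, d) for s, d in history[-HISTORY_DEPTH:]):
        problems.append(f"reused one of the last {HISTORY_DEPTH} passwords")
    return problems


def rotate_password(candidate: str, history: List[HistoryEntry]) -> List[HistoryEntry]:
    """Accept a new password and return the history with the oldest entry aged out."""
    problems = check_policy(candidate, history)
    if problems:
        raise ValueError("; ".join(problems))
    return (history + [hash_password(candidate)])[-HISTORY_DEPTH:]
```

Because each history entry carries its own salt, a candidate must be re-hashed once per stored entry; that cost is deliberate, as it also slows anyone who obtains the stored history.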
Ajuba’s intranet portal, TOUCH, offers employees the information required for security compliance, with a list of dos and don’ts. The company does not believe in enforcing information security through an isolated Information Security Department. Instead, it has a cross-functional team that acts as the steering committee for enforcing and monitoring information security policies, with representatives from various teams conducting periodic audits of the sanctity of passwords.
For Infosys, it is more about monitoring and analysing internal and industry-wide incidents around IT security, amongst other initiatives. Many a time, acceptance becomes an issue. As Mallya says, “Information security controls are often unpopular because they may require people to change some of their established habits of work. The deployment of security controls is supported by help provided to users in achieving their business goals by alternate means, especially if their regular work practices are affected due to the deployment of the control.”