Indian business has been hit by another high-profile 'security incident': Wipro has disclosed a $4 million embezzlement carried out by an employee in its finance division. Earlier this month, another IT major, TCS, was the victim of a hacking attack that left its website defaced for a few hours. Last year, IT major Satyam nearly went down after its CEO confessed to a major fraud. Such high-profile incidents are bound to raise questions about the quality of the controls deployed by companies, large and small, to safeguard client information, as well as about in-house information security awareness levels. At times the concern is not just the security of the information but the continuity of the services the company provides, if an incident brings its operations to a stop.
If we look closely at such incidents, the fault usually lies with a user (or users) who caused the incident through error, accident or intent. It is far less common to trace an incident to a weakness in the infrastructure itself. One reason is that hardware and software suppliers are commercially savvy and keep pushing the latest architecture components to their customers, so the infrastructure tends to be kept current even where the people and processes around it are not.
Security awareness is a key factor in almost every untoward incident. Whatever controls are in place, one will usually find that awareness is low among some section of the immediate stakeholders. This is an area of concern, because security awareness is typically the last item on the to-do checklist for whatever certification the organization is chasing.
As a thought, if we go back a few decades into the tradition of Indian business, we see a high level of loyalty from employees towards their employer. Progressive managements cultivated that loyalty and showed empathy for the workforce. A chain of command was built from the top down, in sync with the goals, vision, mission and plans of top management. Honesty, ethics and loyalty are virtues that come with the Indian psyche, as they are ingrained in our way of life from birth.
Today, the issue is that typical security awareness programs do not seek to draw on employee thought leadership when creating controls, nor do they create employee leaders who will carry the message into every employee's psyche. Awareness programs are conducted by uninterested consultants or 'trainers' who want to complete the two-hour training, collect their fee and move on. In such a scenario the internal team is focused on its goal of meeting a compliance requirement, and the spirit of the security awareness activity is lost.
One way to achieve higher security awareness levels is to go back to that earlier model: communicate with key employees and rebuild the loyalty factor. Empower them with an understanding of the control requirements, the organization's objectives and its plans, and make sure they carry the message across the organization. Start by measuring the current level of awareness and 'knowledge factor' as a baseline, then pull metrics periodically to track progress.
Circling back to the incidents at the major IT companies: maybe someone would have noticed the Wipro employee splurging and reported it to a manager. Or maybe someone at Satyam would have realized what Raju was doing earlier and blown the whistle. Yes, these are all maybes, but every 'maybe' addresses a risk, and one never knows when a 'maybe' will save the day.
About the author: Dinesh O Bareja is a passionate information security evangelist. In his professional capacity, Bareja provides consulting and advisory services for security practices. Bareja can be contacted on [email protected]