Insider threats a major concern for India Inc: DSCI-PwC study

50% of surveyed IT/BPO cos feel insider fraud perpetrators don’t belong to core IT departments; believe current employees are primary insider threats.

Insider threats are now a major concern for Indian organizations, according to a study conducted by the Data Security Council of India (DSCI) and PricewaterhouseCoopers (PwC), released as part of the DSCI Best Practices meet held in Bangalore on June 28, 2011. Other issues addressed at the meet included discussions around the contentious IT rules 2011, data protection in cloud computing and compliance.

The DSCI-PwC study analyzes the Indian IT and BPO industry’s security posture in terms of insider threats. It features inputs from service providers and client organizations (nine IT/BPO firms and four client organizations). Titled ‘The threat within’, the survey consisted of three phases: industry inputs, analysis of theft cases, and secondary research.

Among other key findings, the survey reveals that more than 50% of perpetrators of insider frauds do not belong to core IT departments of surveyed organizations. Personal financial gain has been highlighted as the prime motive driving insider threats by 75% of client organizations. All surveyed organizations believe that their current employees are the primary source of insider incidents.

In addition, 67% of service providers and 75% of client organizations identify insider incidents as the result of unintentional exposure of sensitive information. With the Indian IT/BPO industry poised for a second renaissance (in addition to regulatory pressures), insider threats to data security are believed to be significant hurdles.

DSCI’s data protection framework (DPF) and data security framework (DSF) were also explored in detail as part of the meet, with regard to applicability. “Pilot studies have shown that these frameworks create value above and beyond traditionally accepted international frameworks. The focus is on organizational security, rather than baseline compliance,” says Dr Kamlesh Bajaj, the CEO of DSCI. The framework’s focus is now on implementation guidelines and maturity criteria.

Panel discussions at the event focused on the newly notified IT Rules 2011. These addressed issues from business implications to consumers’ gains, ending on the optimistic note that the rules are not as draconian as initially perceived. “India features high on sound data protection practices. With the announcement of IT Rules 2011 under Section 43A and 79 of the IT (Amendment) Act 2008, the Rules now define Privacy Principles, along with what constitutes Reasonable Security Practices,” says Bajaj.
