Time to take stock
2011 may not have been as significant for India Inc. as it was for its global counterparts. However, as Indian companies get more globalized and security breaches become more lucrative, companies may be caught off guard in the future if investments in security are not considered as a top priority.
By Venkatesh Ganesh
Last year could be termed as the coming of age when it came to breaches in the global enterprise. While this cannot be considered as a positive, it is a wake up call nevertheless—wake up or you will be wiped out. From Stuxnet and Wikileaks to breaches in Honeywell, Sony and others, new terms like hacktivism, spear phishing and Advanced Persistent Threats (APT) kept CIOs on their toes. Security vendors themselves faced the brunt of hackers as RSA and Symantec found out in attacks directed at them.
The security software market in India was pegged at $209 million in 2011 and is set to grow to $320 million by 2014, a 50% growth as per Gartner estimates. According to IDC, spending on security software in the Asia-Pacific in 2011 is expected to reach $1.75 billion and most economies are slated to post double-digit growth. This includes expenditure on secure content and threat management, security and vulnerability management (SVM) and identity and access management (IAM) products. The total Indian security market, according to Gartner, is estimated to be $255 million in 2011.
On the ground, things have started to move with regard to security adoption. Take the case of Applied Materials. “In line with our global strategy, we can safely say that the bulk of the IT spends within the enterprise was earmarked for security,” asserted Nagaraj Bhat, Director, Global Information Services, Applied Materials India. He went on to add that the company spent on a complete gamut of security solutions that included upgrades on existing infrastructure and adding some additional layers of security.
Online Trust Alliance’s privacy and data loss incident management plan
OTA advocates that all businesses create an incident response plan and be prepared for the likelihood they will experience a breach or data loss in the future. The fact is breaches happen and often at the worst of times. Rather than be lulled into the belief it will not happen to your business, a well-designed plan is emerging as an essential part of regulatory compliance, demonstrating that a firm or organization is willing to take reasonable steps to protect data from abuse. Doing so is good business.
In the past five years, it is estimated over 543 million records containing sensitive personal information have been compromised due to breaches. According to the 2010 Cost of Data Breach Report published by the Ponemon Institute, data breach incidents cost US companies $318 per compromised customer record with an average cost per incident of $7.2 million. Directly related to data security breaches is the impact of key operations which may result from criminals changing passwords, deleting key files and/or loss of physical property impacting business continuity.
Planning for incidents and physical disaster helps to identify exposure from internal and external threats. Synthesizing your hard and soft assets can help provide effective prevention, recovery and system integrity. In addition to cyber-attacks, employee theft and accidents, related incidents include fires, earthquakes, power outages and are proving to be critical scenario planning requirements. Incident planning incorporates both data breaches and disaster planning as a part of an organization’s learning effort that helps reduce operational risks, improve information security and corporate reputation risk management practices.
Not unlike training first responders for a physical incident, data managers and cyber responders must be trained, equipped and empowered. Planning is the key to maintaining online trust and the vitality of the Internet, while helping to ensure the continuity of business.
Executive support for making data privacy part of the business culture, and for building, testing, and maintaining a DIP, is critical for ensuring that a business is prepared before a breach occurs. It is also important for executives to acknowledge the need for businesses to work to ensure that their customers have clear, conspicuous, and readable notices which can be easily understood by the target audience of the product or service.
Additionally, consumers must have the ability to permanently opt-out of all collection of their personal data and be provided notice on the use and sharing of any such data after it has been collected.
Source: OTA
Inevitable breaches
Last year it became apparent that all the breaches had one common theme. Every breach had financial gains written all over it. According to the ‘2011 Data Breach Investigations Report’ from Verizon, the number of attacks launched online against businesses between 2005 and 2010 increased by a factor of five. Also, for the first time, we saw hackers emerge from countries like China and India among others.
Indian enterprises have started to realize that breaches are a question of ‘when’ and not ‘if’. Accordingly, companies have started to take precautions, most notably in the BFSI sector. Both analysts and vendors opined that 2011 witnessed the maximum number of attacks in the history of the sector. “The most common threats are malware, phishing and exploits. A new bit of malware is generated every second and there are over 100 attacks per second,” said Ramandeep Singh Walia, Head – System Engineering, Check Point India & SAARC.
Despite this, organizations were reactive rather than proactive. “Very frequently, we see organizations with some protective measures in place based on the assumption that they are not a target,” said Manish Goel, Founder and CEO of TrustSphere and the Chairman for the Online Trust Alliance. This realization is beginning to set into India Inc. post the Stuxnet attack, which has impacted Indian companies although the extent of damage is unknown. This realization in turn has given an extra boost across all the areas within security—from firewalls to mobile security.
“Indian businesses are increasingly feeling the need to adopt a holistic strategy that moves beyond point solutions to define and enforce policies, protect the information and identities, protect the infrastructure and manage systems efficiently,” averred Shantanu Ghosh, VP and MD, India Product Operations, Symantec.
Compliance continues to be a strong driver for security adoption. In a recent report on the Indian financial services sector, Symantec found that compliance and governance were key drivers for IT security investments. In the past 12 months, 31% of respondent-banks invested in identity management and stated that investment in technologies to address such regulations were likely to continue.
There is a noticeable shift in the pattern of attacks. “Unlike earlier times wherein if the business was breached and if the security was strong, it was the end of that story, nowadays, with APT, hackers are squatters,” said Kartik Shahani, Country Manager RSA India and SAARC.
Also, as trends such as consumerization of IT and BYOD start to enter the computing mainstream, security and the role of a CISO take on a whole new meaning. “The repercussions for IT administrators will be an imperative to approach security with a need to continue moving toward a more data-centric model for effective security and privacy as they embrace consumerization, virtualization, and the Cloud,” said Amit Nath, Country Manager India and SAARC Trend Micro.
Cisco sees three major trends sweeping through the enterprise. Firstly, the rapid rise of the consumerized endpoint, followed by the onset of virtualization and the Cloud as well as the growing use of high-definition video conferencing. Each of these critical technologies is forcing a fundamental shift in how security is developed and deployed. In the past, enterprises had defined models and makes for phones, laptops or any other end points that they would allow into their network. All that has changed. “The concept of a perimeter in an enterprise is blurring fast, and this has intensified the challenge of ensuring security across multiple access points,” said Bipin Kumar Amin, Principal Consultant, Borderless Networks – Security, Cisco.
While there were no major reports on APTs in the Indian context, it is pertinent to note that increasingly as India Inc. starts to be a part of a global supply chain, its vulnerability increases.
Large enterprises prefer point solutions
Till date, large enterprises in India have been leaning towards point or best-of-breed solutions although, theoretically, UTM has manageability and cost factors going for it. Also, the nature of business seems to be a hindrance when it comes to UTM adoption. Businesses like telecom, that cannot afford to have a single point of failure, go for point security solutions. Bank branches, typically, adopt UTM solutions due to the fact that these tend to be smaller in size.
Further, there are issues surrounding performance. “One of the big problems faced by large organizations for UTM adoption is with regards to performance because once the AV, IPS and other components are activated, performance tends to go down,” said Raman. However, vendors are overcoming this with some tweaks. UTM solutions are being offered with options wherein an enterprise can turn on or activate security features as their security needs grow. It is a ‘pay as you grow’ and ‘use as you need’ model.
Some of the UTM vendors are repositioning themselves and refocusing on enterprises, pointed out Amin.
Mobile malware: truth or scare?
Mobile malware came to light sometime in 2006 and last year saw several announcements around this subject as sales of smartphones and tablets surged globally and, to a lesser extent, in India. Also, the trend of BYOD and consumerization of IT could end up contributing to the rise of mobile malware. The number of new mobile malware observed in 2010 increased by 46% when compared to 2009, demonstrating a considerable rise. On the mobile platforms front, threats on Symbian were highest, followed by J2ME, Android and Windows CE in 2009-10, according to McAfee Labs.
“An increase in people connecting on mobile platforms, with more easily available connectivity, on the move creating and sharing unstructured data is creating a big security dilemma for CISOs and corporations, people and governments. Is the infrastructure security adequate? The answer is no,” said Vic Mankotia, Vice President Security Sales, Asia Pacific & Japan, CA.
“The security risk is largely driven by employees demanding remote access to business applications, data and resources and their desire to connect to resources from both corporate and personally-owned devices,” said Vishak Raman, Regional Director, India and SAARC, Fortinet.
Most organizations are also concerned that growth in remote users will result in exposure to sensitive data among other security threats including unauthorized network access and user management complexity.
Sensing this, almost all the vendors came out with solutions to mobile malware. McAfee’s latest Mobile Security 2.0 enables remote data wipes, tracking and locks, as well as the ability to tell when applications are accessing personal data. This is aimed to protect data in smartphones and tablets. “Additionally, the security software also includes online device management where users can remotely wipe data on the device and on a removable Secure Digital (SD) card,” said Sridhar Jayanthi, Senior VP Engineering & MD- India, McAfee.
Considering that a lot of breaches start with spam, vendors are coming out with solutions that have spam filtering capabilities on the mobile device to block unwanted calls and spam text messages and prevent unauthorized users from uninstalling or bypassing the vendors’ security features.
Data compromise is high on the risk agenda for payment schemes, issuers and acquirers. The way that fraudsters obtain data is becoming complex and more innovative. “There are more touchpoints in the transaction flow, each one of them representing a potential risk,” said Sivarama Krishnan, Executive Director, PwC. The game has changed from criminals stealing data on a card-by-card basis to wholesale theft of data.
“With financial inclusion and mobile banking set to take off in India, we will see mobile malware on the rise going ahead as breaches start getting lucrative,” said Jayanthi.
Sector adoption
In 2011, the usual suspects led the pack in terms of security adoption in India. IT-ITES and BFSI led the way primarily due to escalating client demands on the former and regulatory compliance in case of the latter. The RBI mandated that banks apply stronger KYC norms and multi-factor authentication coupled with other compliance requirements. “Banks are building in SLAs which specify that threats should be identified within 30 days. They are going a step forward by testing out their system vulnerabilities with third parties,” said Jeff Kissling, CTO, ORCC. The telecom sector, despite being mired in controversies and scandals, also adopted some security solutions.
Cisco saw substantial adoption in both SMBs and mid-sized enterprises. The banking and finance vertical is the biggest adopter of security solutions for branch operations, closely followed by the ITES/BPO vertical. The traditional enterprises, retail, health and education verticals are now catching up. With RBI’s tightening of the Personal Information Act in the works, security vendors are bullish about 2012.
The Symantec State of Security Survey 2011 revealed that nearly 75% of Indian businesses have been attacked in the past 12 months, but ongoing security efforts have reduced the revenue loss of cyber attacks by 40% on an average. The survey found that 53% of Indian businesses are planning changes to enterprise security in the next 12 months, the areas of change being risk management, endpoint and Web security. The survey also found an increase in budget and manpower for private and public Cloud initiatives.
Last year saw the oil & gas sector as one of the fastest adopters of IT solutions. Oil & gas companies were forced to look at adopting IT due to growing competition and fluctuations in crude prices and to optimize performance and plant assets, according to a study by Frost & Sullivan. However, they still have to up the ante when it comes to investing in security, which is being deployed in silos.
Security requirements vary depending on the size and nature of organizations within sectors too. However, the need for effective security is universal, as businesses embrace mobile, social and Cloud and face the changing external and internal threat landscape. Whether it is customer information in the banking sector or proprietary code in the IT industry, security is a key business requirement today. “BFSI, government and telecom are early adopters in security deployments, though all organizations across sizes and sectors are increasing their security focus”, according to Ghosh.
With the way the socio-political scenario is panning out, IP surveillance is starting to see increasing adoption. Already certain toll booths have gone for analog surveillance. “The Indian market is dominated by analog surveillance but by 2012-13, IP surveillance will emerge and sectors like retail chains, multiple branch offices, transportation and healthcare sectors will start adopting it,” said Subhasini Ramakrishnan, CTO, Dax Networks. There is an increasing push from the government to adopt surveillance technologies.
Cloud to the rescue?
Vendors on their part are positioning Cloud as a panacea for all or most of the ills. Security-as-a-service gained traction last year due to its advantages in freeing IT from the operational, IT and budget constraints that can keep them from achieving business goals. “Services like remote management, monitoring of firewalls, gateway AV, IDS and other dedicated security infrastructure through the Cloud are gaining traction,” said Nath.
For all the trumpeting about Cloud, reliable broadband connectivity is still an issue. “With broadband infrastructure still in the maturity stage, it will take two years for security-as-a-service to evolve,” said Ramakrishnan.
Other vendors are still cautious about the Cloud. There are multiple components in the Cloud when it comes to security and, finally, there is the question of whose responsibility it is to maintain QoS and other compliance issues. “The board will ask questions around why do you want to do it, scalability, what happens when there is a breach and right now the answers are not clear,” pointed out Shahani.
CA offers authentication (One Time Passwords or OTP) as-a-Service.
Dynamics such as mobility and increasing virtualization are some key drivers for security adoption going ahead. As India Inc. continues on its globalization journey, investing in state-of-the-art security would not be an option but a given.