The growing importance of information technology and the Internet in our businesses and daily lives renders us increasingly vulnerable to anti-social elements seeking to exploit the weaknesses and gaps in our information systems.

Recently, Cisco released a report on cyber-security threats where it warned us that Internet based attacks were becoming increasingly sophisticated and specialized. The Cisco Annual Security Report 2008 identifies the year’s top cyber-security threats. These include spam, phishing, botnets, social engineering techniques and reputation hijacking.

Cisco identifies global cyber-security threats
Some noteworthy observations in the Cisco report include –

• The overall number of disclosed vulnerabilities grew by 11.5 percent over 2007
• Vulnerabilities in virtualization technology grew from 35 to 103
• Attacks are becoming increasingly blended, cross-vector and targeted
• Threats originating from legitimate domains are nearly double of what was observed in 2007

According to the report, there are certain threats that bear close scrutiny over the year 2009. One is that of ‘Insider Threats’ i.e. threats from disgruntled employees. This threat assumes greater importance in the global economic meltdown scenario. Secondly, ‘Data Loss’ or data leakages either inadvertently through careless employees or through deliberate breaches/hacking are seen to be a growing problem. Thirdly, the trend toward ‘Remote Working’ and the use of virtualization and cloud computing is going to pose a significant security challenge.

Rising opportunities in the global IT security market
The alarming growth in cyber-crime creates significant opportunities in the security market. Internet security products on offer include firewalls, antivirus and antispyware softwares, anti-spam programs, phishing spam filters etc.

The global IT security market is expected to grow at a CAGR of 15.5% between 2008-2012. The higher demand for strong security solutions comes from the government installations, financial services sectors, IT enabled services (ITeS) and healthcare.

India’s IT security market
The proliferation of IT (through desktop PCs, laptops, broadband and mobile phone connections) is accelerating demand in India’s IT security market. According to research report ‘Global IT Security Market Forecast to 2012’, the Indian IT security market was valued at US$ 46.8 million in 2006-07. This is projected to rise to US$ 464.4 million by end 2010 mainly due to increased demand from the business sector and continuous IT development in infrastructure.

According to the report, the IT and Business Process Outsourcing (BPO) industries are the two biggest consumers of security solutions in India and facilitating growth in the IT security industry. The growing small and medium businesses (SMB) segment is also expected to give rise to greater demand for IT security solutions since it focuses on the development of IT infrastructure. The SMB segment is expected to contribute around 44-48% of total IT spending in the country.

The role of information technology in economic and social development is becoming more and more important, as each leap in technology enables faster and easier communication and access to information than ever before.

Enterprises are using IT solutions effectively to enhance their businesses and opportunities abound but with each opportunity, arises a new challenge. As technology advances, information security threats in the form of hacking, data thefts and leakages are proliferating.

A recent study, conducted by the Federation of Indian Chambers of Commerce & Industry (FICCI) in association with the Indian Computer Emergency Response Team (CERT-In) and PricewaterhouseCoopers (PwC), assesses the preparedness of Indian organizations in securing their information systems against such threats. The report entitled ‘From Strength to Strength: Raising the benchmark for information security in India’ was released in December 2008. More than 140 organizations across a range of industries participated in the survey, which put forth some interesting observations.

Indian orgs. fare better than global counterparts
Perhaps the most important trend, which emerged from the survey, is that Indian organizations have fared better than their global counterparts in deploying a variety of controls, spread across people, process and technology domains.

”It is encouraging to see that Indian organisations have moved faster than their global counterparts in establishing processes for conducting periodic security audits and in having information security strategy in place,” says Mr. Sivarama Krishnan, executive director in the information security practice of PwC. “We expect this to continue as majority of the organisations have plans to increase their security spending by double digits”.

ITeS scores over financial services
An industry-wise analysis revealed that the ITeS segment has overtaken the financial services sector in terms of effective security controls. Traditionally, the financial services segment has been at the top position.

“Organisations in the ITeS segment have implemented security that goes far beyond in what is practised in the West. For example, BPO agents are required to surrender everything which could facilitate data compromise like mobile phones, PDA’s, pens and notebooks,” commented Mr. Krishnan.

Focus on employee awareness and monitoring
Organisations have identified enhancement of security awareness as a top strategic priority. Today, more than 80% of the organisations focus on employee awareness programmes, as compared to 47%, as per global figures.

More than 78% of Indian organizations are focusing on monitoring employee use of the Internet and information, as compared to the global figure of 48%. India Inc. is also increasingly hiring specialised security staff. 51% of the organisations in India, as against 32% globally, have employed Chief Information Security Officers.

Strengthening the information security system – the way ahead
An essential part of evolving a highly effective information security system is involves changing the way Indian organizations view security. “Indian enterprises can avoid security breaches further if they develop and implement an effective information security strategy and framework.” says Dr. Gulshan Rai, Director of CERT-In. An essential component of this framework is to view security as a strategic initiative and not as a cost centre.”

Lack of dedicated resources and adequate training are the primary barriers for strengthening information security in India. “This clearly establishes the requirement of universities and colleges to come up with specialised training courses, so that information security professionals are equipped with necessary know-how and knowledge,” says Dr. Amit Mitra, Secretary General, FICCI.