Friday, 2 August 2013 03:18
94% of IT security breaches go undetected by victims
Everyone inside the rampart should not be trusted
What could be the worst nightmare for a CIO? Needless to say, it would be the morning he or she wakes up to find the entire IT system of the company hacked into!
In this day and age, any company, regardless of its scale, is vulnerable to hackers and cyber-attacks. Hackers from almost every part of the world roam cyberspace looking for a chink in companies' IT security systems. Banks, financial institutions and insurance companies should be particularly aware of this, as their transactions involve millions and billions of rupees.
HP Enterprise Security, the largest security research company in the world, in collaboration with EGUARDIAN, conducted an educational session for CIOs and senior executive-level officers of several prominent banks and financial institutions on how to protect themselves from hackers and cyber-crime. EGUARDIAN is the value-added distributor for HP Enterprise Security in South East Asia.
During the session, IT security experts, drawing examples from all over the world, explained why corporates should take the matter of IT security into serious consideration. The session also looked into global trends and the ways in which companies can manage risks in terms of IT security.
Murali Urs, Regional Sales Director, South Asia/Sri Lanka of HP Enterprise Security, remarked that the vast majority of companies that become victims of hackers have fairly good IT security systems in place.
“They have firewalls, anti-viruses, various protections and highly skilled IT people. But hackers somehow infiltrate and access their data. Hackers, as many assume, are not isolated individuals who wear black jackets and gloves and have long hair. They are very smart, well-funded and well-organised. They do their homework and they know exactly what they are doing. And most importantly, they know where the money is,” he said.
As he explained, 94% of IT security breaches are not detected by the victim companies themselves but are reported to them by third parties. In other words, most companies are not even aware of a breach until a third party informs them. He also said that it takes an average of 416 days to detect a breach if you rely on your own systems to detect it. 84% of breaches happen at the ‘application layer’ and not on perimeters or firewalls.
“Most companies are unaware of these application level attacks. The money lies in applications. That is exactly why they tend to infiltrate applications and corporates need to know this. It is important to have the CIO at the top level board meeting. In every Indian company, the CIO plays an important role as a member of the board of directors because none of the plans will work out if your IT system is vulnerable to unauthorised infiltrations,” he asserted.
Another important aspect of the problem is that hackers know that they go undetected, as it is extremely hard to track them. Because of that, Murali says, they have no rules or regulations. That is the most dangerous part of the game.
“The problem is you have too much data and too many security solutions, so you don’t even know what to do with them. All you need is an integrated intelligence system that builds a platform to collect everything and see everything. That is the business we are involved in.”
Dhamanjit Uberoi, Chief Solution Architect/Evangelist of HP Enterprise Security, said that corporates, especially banks and financial institutions, should stop peeping through keyholes when they can open the doors and see the emerging threats.
“The time is ripe for companies to spend a little more money on security and strengthen their security systems. Investing in that is always better than losing colossal amounts of money due to cyber-attacks,” he asserted.
Some companies, he said, are unaware that threats do not always come from outside. “Usually, everyone within the rampart is trusted. When you are so engrossed in that idea, you don’t see the threats that emerge from within.”
He went on to say that a perfect IT security system should have any type of system and any type of data structured into a common format and categorised for easy analysis and future-proofing. He also highlighted the fact that companies should be ready to go the extra mile to ensure the safety of information, to identify suspicious transactions and to conduct risk evaluations in an effective manner.
Investments in IT security are similar to the defence budget of a country. Even when there is no ongoing civil war or internal riot, countries keep increasing their defence budgets and purchasing new arms and ammunition, as a way of avoiding potential flashpoints. Companies, especially financial institutions, should follow the same path, but on a different scale.