This article was first published 12 years ago

Indian IT cos resolve to thwart cyber attacks

By Bibhu Ranjan Mishra
July 06, 2011 16:43 IST

Cyber attackers are creating mayhem in the digital world, forcing a wide range of companies, young and old, to re-think their digital security best practices.

Not surprisingly, the $60-billion-plus IT services industry in India, known for being a pioneer in establishing quality standards that have impressed its global clients, is not taking chances.

While most of these companies have their own security best practices, efforts are underway to standardise them, spearheaded by the Data Security Council of India, a Nasscom organisation that looks after data protection in India.

In a pioneering move, DSCI is planning to launch a certification process for the Indian IT services providers.

Cyber attacks in the recent past -- whether targeting consumer electronics giant Sony, or the systems of the International Monetary Fund -- are even more insidious because they don't reveal any common pattern or motive.

The only thing that is certain is that companies that fall prey to such attacks are subject to a high degree of reputational risk, not to mention the financial losses incurred due to data leakage.

"It starts with the basic premise of making quick money to more complex things like competitive warfare and espionage. In my opinion there is no simple trend or pattern," says Sudhir Kumar Reddy, CIO of MindTree.

"The perpetrators of these attacks could be disgruntled employees on the inside to professional hackers on the outside," he adds.

The reason why experts feel that the Indian IT services industry is a ripe target for possible attackers is that they are sitting on tonnes of data generated both domestically and by their global clients.

Any kind of assault to their systems could have a disastrous impact on the export-driven industry and tarnish its image considerably.

This is especially so since competing emerging markets are trying to position themselves as safer and viable destinations for IT outsourcing.

"Of course, it could affect the reputation of the industry. In terms of data, the attackers could pull out financial data, competition data and HR data which will have a serious impact on their business," said Siddharth Vishwanath, associate director (consulting), PwC.

According to security experts, the risk is more in a case where the IT/BPO company is handling a client's data.

For example, the global banking clients of most of the IT/ITeS services providers in India share their corporate banking information, including the names and details of their customers, with their service providers.

Take the example of a large bank which outsources its work to most Indian IT services providers.

"We need to protect not only the corporate banking information of the client, but the privacy of millions of their customers as well," said an industry source on condition of anonymity.

Some Indian IT companies, however, feel that they may not be a plum target of cyber attackers.

"Most Indian IT companies may not be attractive targets as they do not offer information a hacker can profit from. . .

"These are neither transactional sites nor have information of relevance to warrant such attacks," said MindTree's Reddy.

On their own, Indian IT companies are not leaving any stone unturned. Most of the companies have employed security tools like anti-virus, firewalls and intrusion detection systems.

The data leak prevention software installed at these companies ensures that nobody is able to download the confidential financial data of the clients which could contain things like account information and credit card information.

"At HCL Technologies' business services division, there is a strong emphasis on Information Security," says Sundaresan Ramamoorthy, VP and chief risk officer, HCL Technologies.

"We have a comprehensive multi-domain, multi-layered, multi-level information security policy which is divided into 11 domains with 39 control objectives and 133 controls which are audited at regular intervals," he adds.

At present, most of the IT companies in India follow ISO 27001, which so far is the only global standard that takes care of the security elements.

However, according to DSCI, ISO 27001 may not be enough to ensure that the companies that have adopted it are not prone to cyber attacks.

The security certification that DSCI is planning to offer under the DSCI Security Frameworks will rate Indian IT companies based on 16 areas.

These include the security policies, processes, people induction, people maturity, buying of the equipment, third-party software testing and application security.

The certification will also cover threat and vulnerability management, network access and data layer, among others, according to DSCI.

"Some of these elements are not part of the ISO 27001. We believe that DSF has a better approach to security than the ISO standard," says DSCI CEO Kamlesh Bajaj.

DSCI is already doing a pilot with about 15-20 IT/ITeS companies of various sizes on its own and with the help of consulting firms like KPMG, Deloitte, PwC and E&Y.

The rating process is expected to start in the next 6-8 months.

Why online attacks can be a piece of cake?

According to industry experts, most of the applications in the Internet world are developed in a hurry and deployed immediately without testing for potential security problems.

This happens because of the go-to-market pressure, as companies always want to be the first mover.

"Before you deploy any application, it must be developed very securely and tested thoroughly. So if this one precaution is taken, I think a large number of attacks can be averted," said Kamlesh Bajaj, CEO of DSCI.

For example, if someone is developing an Internet payment gateway, the developer needs to ensure that every part of that data is sent in an encrypted format.

Bibhu Ranjan Mishra in Bengaluru