India Makes Steady Progress in Data Security

No room for complacency

Recent Articles

Careless Talk Costs Revenue India Makes Stready Progress Security Trends in Mobile Devices Cloud Computing Effects of Data Loss Information Theft Warning Signs Staff Vetting Portable Media Legal Developments

India Makes Steady Progress in Data Security

Although India's private and public organizations are working hard to safeguard information, they've yet to fully convince their employees of the importance of data protection, according to a joint survey between DSCI (Data Security Council of India) and KPMG's Indian firm.

Keeping information secure is a huge task facing businesses and nowhere more so than in India, which is home to many of the world's sourcing partners for IT and business processes. So it's no surprise that in this 2009 survey of 150 major Indian organizations, 87 percent of respondents claim that information security is either a top or a critical priority.

However, this sense of urgency does not appear to be fully shared by staff. Those taking part in the research also claim that the single greatest security challenge is to get their people to take data protection and privacy more seriously.

The Indian government has proactively encouraged the safeguarding of information, and with the Information Technology (Amendment) Act 2008, all corporations are obliged to bring in "reasonable” security practices to protect sensitive customer information.

This commitment is mirrored in businesses of all kinds across the sub-continent, that have been busy creating structures and procedures to prevent data being leaked, lost or stolen. Two thirds of respondents have an independent management structure devoted to IT security, and over half have more than five employees dedicated to this area. Such efforts should help maintain a strong focus, and avoid staff and resources being diverted to other organizational initiatives.

No system is foolproof, and organizations should always be prepared for the worst; whether its hackers trying to infiltrate their system, or a careless employee leaving a laptop in a café. It's therefore reassuring that the vast majority of those surveyed have both disaster recovery and business continuity plans, which are updated regularly.

Keeping the momentum

In the fast-moving world of digital technology, security professionals have to work hard to keep one step ahead of criminals, virus creators or other threats. The survey results point to substantial investment in various data protection technologies, particularly from enterprises in the IT, IT-enabled services and financial services sectors. Some of the newer tools include end-point encryption and virtualization security, while many of the survey participants have already implemented basic IT security controls such as anti-virus and malware, firewalls, content monitoring and filtering.

Having spent sizeable sums on protection, organizations are keen to confirm that these various controls are working effectively, and that individuals are fulfilling their responsibilities. Internal and external security audits play a vital role, and according to the research, a healthy 89 percent of Indian businesses carry out such activities.

Clients, stakeholders and investors also want to see evidence of a diligent approach to data security. This is particularly important for those companies handling information for clients through outsourcing contracts. Encouragingly, almost two thirds of participants have already adopted the industry-accepted ISO 27001 standard - or are planning to do so in the near future.

No room for complacency

Although many of the survey responses paint a positive picture of data security and privacy practices across the Indian economy, there is still room for improvement in a number of areas.

Data privacy looms large over the telecommunications, IT and IT-enabled services industries, where a majority of respondents admit that clients or customers are worried about who has access to their details. Again, this is partly influenced by the large outsourcing and offshoring businesses, which together store and process vital information on hundreds of millions of people. The survey suggests that it's these client concerns (rather than regulatory pressure) that are driving Indian companies to improve data privacy.

No matter how much an organization spends on systems and other technology, people will always play a critical role in keeping information safe. Senior management across the country is trying hard to convince staff to develop good habits and comply with policies, yet, as mentioned; there is still much work to be done. The responses suggest that the single biggest cause of security incidents in India is the unauthorized sharing of sensitive data internally and externally, which is very much a "people” issue.

Data leakage continues to be a challenge for all entities. The main causes identified were emails without encryption, printing of information, and use of CDs and memory sticks (USBs). Such weaknesses reinforce the need for automation and strong governance to help prevent information escaping in future.

As companies - private and public - evaluate their business models and partner or outsource more frequently, so the "extended enterprise” becomes a reality, involving contractors, suppliers and other third parties. Such relationships also reduce the level of control an organization has over its data, and almost half of the respondents claim that sharing information is a big security challenge.

A combined effort

Data security is the responsibility of everyone. At an organizational level, this means creating an appropriate culture supported by the latest technology, with firm governance. At a macro level, government and business need to work together to develop and implement leading practices, to satisfy customers and stakeholders and enhance the standing of "India Incorporated.”

This survey suggests that excellent progress is being made on all fronts, but also highlights some continuing challenges, notably in training and educating staff, managing third parties, and maintaining data privacy. By integrating the various elements of information security, Indian businesses and public bodies can build on the promising results of this research, and counter the emerging threats in cyber-space.

Click here to read the survey in full.

By Sandip Wadje, Sachin Khalap

© 2012 KPMG International Cooperative ("KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.