The internet traffic is growing and so is hacking: over 10,000 Indian websites including those of the government were hacked in 2011. Moreover, there are instances of leakage of confidential data. Keeping tabs on the content circulating within and across organisations has become even more difficult with the rising usage of social media website. Atul Khatavkar, vice-president - IT governance, risk and compliance, AGC Networks Limited, spoke with Shubham Batra on the challenges of electronic security, especially in the government sector. Edited excerpts of the discussions:

What are the projects on which you are working with the government?
AGC Networks has worked with many key government bodies like Indian Navy and Nuclear Power Corporation. We have helped them design as well as implement high-end IT security solutions. Recently, the Brihanmumbai Mahanagar Palika has also entrusted us the work to develop a high-end security solution for its IT Infrastructure. AGC is also a CERT-In (Indian Computer Emergency Response Team) empanelled auditor and is eligible to conduct security audit for any government department. 
 
Year 2011 was a year of hackers, when major organisations like Sony faced attacked and Stuxnets entered into Iran to affect its nuclear facilities. How can we respond to this challenge?
Information security implementation is an ongoing exercise. Most organisations feel that they have implemented the latest technical solution and can relax in peace, which is not true. Security deployments need most frequent checks and updates. They need constant monitoring as the posed threat constantly evolves, so there is need for protection to get updated.

The information security scenario in both government and private sectors is far from encouraging because of lack of awareness and understanding of data security. How do you see it?
Information security threat landscapes are changing very fast. Awareness generally lags behind due to fast changes. Today when we interact with government bodies most of the senior team members are highly trained and have sharpened their IT skills.
 
Would you recommend any government regulation or compliance for information security?
There is already an act in place on the government’s data implementation privacy regulation, but it needs urgent update to be brought to the same levels as in advanced economies.
 
In terms of unified communication (UC), the biggest challenge is that people or organisations are not aware of threats and risks it poses to them. How do you address such problems?
It is thanks to the evolvement of UC that we are seeing a lot of shifts in network building, applications development as well as security measures which have now become redundant. Also, I believe that it is not UC-related threats which need awareness, it is the platforms and the access modes of UC which need to be fortified and users need to be made aware of.
At AGC Networks UC is the inception of solution development. We keep UC at core and then work on peripheries. Today we are proud to speak of UC security methodologies that we have developed which ensure that UC related vulnerabilities are taken care of before as well as after implementation.
 
What about security threats from social media?
There is a steep increase in the number of social media users and hours spent in using social media. Also, with network availability on even handsets, it gets exposed to all age groups. While it has advantages, it does pose many threats too. Most people accessing social media are unaware of how the data can be used. It won’t be more than 10 percent of social media users who would have read the privacy policy. We all tend to just ‘accept’ and move on. And so is the case with applications we download on our phone: just accept and move on.
Today with an increasing user base every social media platform is sitting on individual and enterprise data worth billions of dollars. But nobody is aware if they have stringent security policies in place or not. Social media can expose inside information of an organisation and employee views on it to the whole user base in a matter of minutes. People today are unaware of how the information on social media is misused.

How do you prevent leakage of confidential data via social media?
First is definitely awareness creation, of what should be shared and with whom. Then creating policies for non-compliance usage from the organisation’s perspective is very much required. Secondly the social platforms should ensure they are able to secure their user data with the best of security solutions in highly fortified environments. Google recently announced a single stringent data security policy in place of 70-odd policies. The same is expected from Facebook too.
 
How important it is to standardise processes across government organisations?
Government departments do hold a huge amount of confidential information which is of national importance. Such information and stakeholders of such information, if vulnerable, will become easy targets of hackers who can gain access to critical information. Standardised processes will help departments which do not have security measures in place to a basic level of security. Also good practices of one organisation will be accessible to and easy to replicate in other and then they can improve continuously.

What are the significant changes that are required at the top level of an organisation in terms of the level of data leak prevention systems and security solutions involved?
Top-level management needs to understand the importance of the data security. They shouldn’t look at IT investments as expenses but as a necessity. They need to commit appropriate resources for prevention of data leakages. The information risk management framework can give significant information, about what information to protect and how, to the senior management. Top management should create and review information risk management at least once in six months to understand the risks which have emerged and prepare their organisations against them.