70 percent of unauthorised access is committed by employees
Though every
corporate feels it is secure, there is a wide gap between awareness of identity
theft and the perceived ability to stop it. A recent survey by RSA Security
throws up some interesting numbers. Surendra Singh, the company's head
for South-East Asia & India, spoke to CHITRA PADMANABHAN about trends in
the security space.
What is the basic aim of the survey conducted by RSA?
The security survey was conducted by Opinion Research Corporation in the US.
More than 1,000 consumers were asked a variety of questions relating to the
awareness of security issues, feeling of safety while carrying out online transactions,
and use of available safeguards against identity threats. It was found that
there was a wide gap between consumers' awareness of identity theft and
their perceived ability to protect against it. Nearly two in three respondents,
that is, 63 percent, used fewer than five passwords for all electronic information
access, and more than one in ten, that is 15 percent, used only one password
for carrying out all online transactions. The survey highlights the poor management
of PINs and passwords for accessing online services, desktop computer systems,
ATMs and other electronic services, which results in threats to conducting online
transactions. The basic aim of the survey was to get authentic statistics on
user attitudes towards security.
How have the findings helped in deciding future strategy?
The survey has given us a clear idea of the weak points in an organisation's
security strategy. Talking about strategy, RSA has recently tied up with Microsoft
to deliver security for Microsoft Windows enterprise customers by replacing
static passwords with two-factor authentication. What this means is that end-users
would log on to Microsoft Windows with RSA SecurID two-factor authentication
instead of using just a password. The user carries an RSA SecurID token, which
has a six-digit number displayed on it and changes every 60 seconds. Because
of this, the user does not need to remember the password but should simply key
in the number that is displayed on the RSA token. The user enters the combination
of a password that they know and the number displayed, which is synchronised
with the central server. At the user-end, the system reduces the need for complex
passwords, password change management policies, and help desk calls. It is something
similar to how the banking ATM system works, where users must present their
PIN together with their bank card before being granted access to their account.
RSA SecurID for Microsoft Windows is expected to be available in the third quarter
of 2004.
What are the security concerns emerging among corporates
in the Indian scenario?
Gartner estimates that more than 70 percent of unauthorised
access to information systems is committed by employees, as are more than 95
percent of intrusions that result in significant financial losses. In India,
the trend of online transactions is still at a nascent stage, and so are the
threats associated with it. But companies need to get their security systems
in place as more users shift to online booking of tickets or Internet banking.
Another area where there is increased concern about security is the BPO segment.
The backlash in the US has already made a dent here. If security issues become
serious then it is likely to do further damage to prospects of this space. Lately,
there have been a few incidents of identity thefts, which need to be contained,
or else it might fuel the resistance towards outsourcing by US and UK markets.