As Indian IT companies face a slew of cyberattacks, their clients are asking for more security audits and are looking into whether vendors are making adequate investments to keep their data safe, analysts said.
Clients typically had broad language in their contracts to ensure they were protected but with increasing attacks by hackers, more is needed. “It is now apparent to the whole industry that not enough attention was being paid to security, including the vendor’s networks. Clients are moving to increase the level of commitment, introduce more audits to inspect the level of compliance and work with their vendors to ensure the appropriate investments in security are made and maintained,” Peter Bendor-Samuel, CEO of IT advisory Everest Research, told ET.
He said that for clients, this appears to be a case of ‘the cobbler’s daughter having no shoes’ as IT companies sometimes provide security services to their clients but may not have done enough to protect their own systems. “We can expect to see more attention being paid to this, more demanding contracts, more aggressive audits and substantially more money being spent,” Bendor-Samuel added.
IT executives said more clients were asking about security and that reports about an attempted attack at one company lead to questions for others. “In the past, even for clients, there wasn’t that much understanding about it. Now, with hacks becoming more sophisticated and expensive, clients want more than just contract terms protecting them. They want to be involved in how their data is protected,” an IT executive told ET, asking not to be identified.
Earlier this year, Wipro said it had faced an attack that looked to garner client data. Newswire Reuters reported that Tata Consultancy Services and other IT services companies such as DXC Technology, IBM and Hewlett Packard were subject to an attack by China-sponsored hackers.
Indian IT companies, which have access to client systems and their data, are significant targets for hackers. Wipro said it investigated 4.5 million security alerts a year. However, IT companies point out that not all attacks lead to a breach and that they have a successful track record of fending off attacks and work to ensure that their data is protected. “Our corporate security team conducts regular external and internal assessments, including penetration testing and vulnerability scans, to measure the health of our environment from a security standpoint,” a Cognizant spokesperson told ET.
“Vulnerability assessments are scheduled on a monthly basis and configuration audits are also performed on network devices.”
Given that several successful breaches happen due to phishing attacks — where emails trick receivers into installing malware or revealing system passwords — IT companies run training simulations to teach employees about such mails, and those who fail to identify the attack are put through additional training.
Wipro puts its employees through phishing training, the company said. TCS did not respond to a request seeking comment for this story. Infosys declined to comment.
Source: Times of India