The Apeejay Surrendra group, a large privately-owned family business, will be completing 100 years in 2010. It has diversified business interests in tea, hospitality, shipping, real estate, retail, logistics and insurance services. The group has branch offices across metros with its head office at Kolkata.
Apeejay uses robust and scalable IT infrastructure for managing its IT security. It uses Cisco ASA and PIX for two-layer firewall protection. This is supplemented by a Trend Micro solution for virus and malware protection, spam and URL filtering, and other Web security aspects. "Despite such a robust IT setup, we faced information security threats at Apeejay. However, these were primarily from
Like several other organizations, Apeejay was earlier flexible in implementing desktop security such as controls on peripheral devices, file/folder sharing, printer output management and management of physical papers (and files). The CTO realized that no amount of IT tools could train users to shred unwanted printed material, secure their physical files and folders, or not use a password such as 'Welcome' or 'Apeejay'. "Hence I decided that the only way to protect us from information security threats was to make people aware of the need to take care of their own soft and hard information," explains Saha.
Apeejay decided to address this challenge with a well-defined and planned program for increasing information security awareness across group companies. Some of the primary objectives of this campaign were to explain information security using easy to understand language, with practical examples of current practices followed, to build an information security community having participation from each of the group companies, and to further the cause of information security awareness in the long-term.
PCS was called in as the security consultant to help Apeejay design the information security campaign. PCS was responsible to create and manage the distribution of theme-based screen savers and wallpapers for a period of six months. Another reason to involve a security consultant was to bring in an outsider perspective and get professional help for IT security audits, Saha explains.
Apeejay dedicated a week (August 3-7, 2009), for focused programs on information security awareness. During this week, the company organized group-wide awareness workshops, quiz programs, slogan contests, the sharing of ideas and feedback, and sponsored contests. The content and schedule of the information security campaign was designed by Joy Bagish, senior IT infrastructure manager who also looks after IT security. The corporate communications and HR departments were involved in communicating and organizing seminars across group companies.
The information security awareness campaign's total cost, which included sponsorship from hardware vendors and OEMs, came to about Rs 1,00,000. According to Saha, the security awareness campaign has been really effective in increasing enthusiasm and involvement from the user community. "The program has helped to make our colleagues understand that information security starts with the individual, and cannot be driven only by the IT department," says Saha.
In order to keep up the momentum, Apeejay organized several subsequent security awareness training camps where information security issues have been handled at the individual level. "During January 2010, we organized an online quiz to check the level of improvement, and felt that information security awareness needs to be pushed as a continuous engagement process," concludes Saha.