Are Indian BPO operations secure?
Ashish Aggarwal | August 25, 2005
CEO, Mahindra Special Services Group
Security is a fairly recent concern. 9/11 probably has been the single most significant event in recent history if one considers the reshaping of socio-economic beliefs.
An unfortunate fallout has been the increased exposure in terms of information risk. While a handful of BPOs have realised the far-reaching implications of information security risks, most have only accorded lip service.
A few examples will help. The British Standard 7799 is one of the recognisable standards of information security, so several BPOs have worked towards achieving the same.
But the problem is most of these BPOs have chosen only a part of their organisation as the scope of the certification, typically the customer-facing departments or the data centre.
Certifying just the data centre is like saying that the health of my right hand is good so I am a healthy person. Systems just don't work that way.
The second issue is the over-dependence on process steps or controls rather than outcomes. A few months ago, a major fraud involving over a quarter million dollars and several personnel was unearthed in a BS 7799-certified BPO. The irony is it was the customer in the US who first discovered the fraud, not the much-vaunted set of controls.
Another significant issue is the defensive mode that most BPOs are in. Given the number of transactions being handled by BPOs in India, literally in billions, if all BPOs claim that no errors have taken place in their company, then we need to ask Motorola to move over.
Because the BPO industry has just invented a new standard which is about 10 times more stringent than Six Sigma! Indeed, there is no need to be in the defensive mode.
Security breaches or frauds must never be measured in absolute terms. It is always the relative ratio of "good transactions to bad" which is considered to be the benchmark. So if Indian BPOs are getting defensive about admitting, reporting, investigating and prosecuting breaches, they probably need to remember that the top five fraud cases in the US last year alone would probably be more than the GDP of many countries.
India is a choice of outsourcing because of its cost advantage. But India is not just a few concrete and chrome buildings of BPOs. It is the same country where lack of privacy is a common phenomenon, where even personal security levels need improvement.
And the first step to be able to do that is for BPOs to clearly articulate that there are two components of their service. One is operational functionality and the other is security. And unless clients start paying for this, there is no way Indian BPOs can start becoming more secure.
Former CMD, Wipro Spectramind
All the talk over whether Indian BPOs are secure or not continues to amaze me. The underlying assumption being that security has something to do with parentage or where you are located.
What also emanates is the unsaid thinking that if you are doing the same work, in the same manner, with the same processes and procedures, and the same technology, but at a different location, and perhaps with a different workforce, you are more secure!
I would humbly disagree. There is no statistical evidence to suggest that the security between Kashmir and Kanyakumari is any different than San Francisco and New York.
Nor is there any evidence that suggests that Indians have a greater criminal intent (and are thus a greater security threat). The question whether Indian BPOs are secure has to be seen in the context of the security requirements for the kind of business that a unit does and the measures that have been taken to fulfill those requirements.
More importantly, are the security standards implemented in Indian BPO companies, for the work that was originally done in, say, the US or Europe, similar, higher or lower? Having closely observed the practices in the US and Europe, I can say that Indian BPOs offer similar or better security.
What is perhaps not fully understood is that it's about an ongoing learning and improvement process where there is an unambiguous understanding of what data can be used for and what it cannot be. The understanding that any misuse can be and will be tracked and monitored. Cases of misuse will be penalised and publicised.
What we need to determine is if our share of misuse of data is disproportionately large versus the kind and amount of work we do or if we display an unusual "repeat" of the same kind of mistakes.
While only scant data is available, I would present a hypothesis that India is not a major outlier in these statistics. I have been asked that if Indian BPOs have security systems and procedures then why do we get instances of data theft? This is best understood by the example of a fire detection and prevention system.
A fire prevention system can't stop a fire from taking place, but it prevents small aberrations from turning into a fire. If a fire were to happen, the detection system detects it rapidly and helps in putting it out with minimal damage.
We should take into account what our commerce minister said on the floor of Rajya Sabha on a recent case of alleged data leakage.
He indicated that the veracity of these incidents has to be carefully looked into and we should carefully evaluate if these incidents are being highlighted to discredit the Indian BPO industry.