|Rediff India Abroad Home | All the sections|
Indian call centres under threat
Vandana Gombar in New Delhi | July 22, 2006
"Gotcha!" Charan Kamal Bhalla has got used to repeating that phrase more times than he would care to remember since August last year. That is when he took over as the head of information security at Wipro BPO, a 16,000 employee strong behemoth spread over six locations.
No, he doesn't wear dark glasses (or safari suits for that matter) or carry a shooter. When he suspects an information breach, as he did recently with Rachna (name changed) who worked at the company's facility in Delhi's Okhla area, he collects evidence - which is fairly easy given CCTVs, listening-in devices and tagged entry and exit points - and then sacks the delinquent employee.
Or not! For he must also take a call on whether Rachna is a lone operator out to make a quick buck? Or is she the (innocent?) front end of a global ring of criminals wanting to penetrate the databases of international financial agencies via India?
After all, financial services is one of the faster growing segments of what is known as business process outsourcing with companies like UBS, Amex, Deloitte, Citbank, Washington Mutual and Franklin Templeton having a presence here.
Was the breach aimed at petty thieving or laundering dirty money from conflict diamonds, narcotics, human trafficking or sales of arms? The worry is that the chances of it being the latter are getting higher.
While software industry association Nasscom's vice president Sunil Mehta rings a warning bell - "There is a very real threat of organised crime entering this industry," - there are many (alarmists?) who argue that this has already happened.
The outsourcing industry has a voracious appetite for people. Almost 3,50,000 people are projected to join the current workforce (IT/ITES) of about 1.3 million this year.
Given an employee turnover which borders on obscene in some instances (even crossing 70 per cent), it would be fairly easy for a person with criminal designs to slip through, and also get in a group of friends to cosy up with. And they do.
When a breach is detected, the group moves on, to another "raw" outsourcing unit, sometimes with a changed identity.
Living with multiple identities in this country is a fairly easy process, informs Captain Raghu Raman, CEO of Mahindra Special Services Group - the five-year-old unit of Mahindra & Mahindra that focuses on information security. How is that? KK Kumar can be Kiran K Kumar in some documents, and K Kumar in some others, he says.
Without a singular social security number, as in the US, multiple identities are easily made possible.
As for supporting documents for identification, the seven main ones - birth certificate, matriculation certificates, graduation degree, PAN card, driving licence, ration card and passport - can be obtained for a few hundred rupees.
"The passport is the toughest to replicate. Every other document can be managed for less than Rs 500," says Raman.
If you are still in doubt about the ease of fraud, consider last month's case of Hongkong and Shanghai Banking Corporation's Nadeem Kashmiri, who landed in the industry on the basis of fake certificates.
Now believed to be a pawn in an international syndicate (read organised crime), he helped a group illegally withdraw over $400,000 (about Rs 2 crore) from the bank's customers. While illegal withdrawals is an issue, illegal deposits is a nightmare.
KPMG's forensic team, which makes its living out of preventing and detecting fraud, recently went to meet the head of a large bank in the country and asked him what his prime concern was.
Pat came the reply: "Money laundering." That is when dirty money enters your account and quietly exits it - without your knowledge. Black money becomes white. Dirty money becomes clean.
In this threat facing the banking industry, the outsourcing units become an easy soft target.
"Globally, cyber crime, money laundering (through electronic channels), dirty money and terrorist activities are converging. India is a relatively easy entry point not only for cyber crime but for many other things," says Raman.
Many would say it "was" an easy entry point, but no longer is. Partly pushed by demanding clients and partly of their own volition, India's infotech firms have got themselves on the best information security standards available, such as the British BS 7799, and are readying for the more stringent international standard IS 27001, which is in the pipeline.
Since the "breach of security and privacy of overseas data" could be used as a "serious non-tariff barrier" to the export of software and services, the industry has evolved what some see as a draconian solution.
Moving on the premise of "guilty until proven innocent", in the making since January this year is what is innocuously called the national skills registry or NSR www.nationalskillsregistry.com).
Here is how it works: all data pertaining to a worker in the infotech industry - from residential address to education to work experience - is being verified personally by background checkers.
These verifications, along with the fingerprints (of no less than six fingers) of each worker, are being uploaded to the registry in a kind of a white list (rather than a black list).
"The process is entirely voluntary," says Kiran Karnik, president of Nasscom, which is backing the initiative. Karnik was, in fact, the first to register on the data base - "for symbolism" - to those wary of fingerprinting.
Now, the data at the NSR is strictly owned by the person who is putting it there. He can control who can access it, say a prospective employer, and for how long. Enough safeguards have been put in to ensure there is "not a whiff of privacy violation", assures Mehta.
We spoke to one of the 10,000 people who are on the registry - Nita Sarang, a senior industry professional.
She was excited by the prospect of what the registry could evolve into - an open database of squeaky clean prospective employees, like a claim-verified naukri.com that "will help identify an individual with right skills" - rather than what it is today: an access-controlled database.
NSR is managed by a subsidiary of the National Securities Depository - NSDL Database Management. A background check - in which a personal visit is a must - typically takes a few months.
Remember, records at most universities are not computerised and to verify a graduation or a school-leaving certificate can be quite a task. And then there is the time taken to travel to some very remote areas of the country. Names, on client demand, are also run through what are referred to as lists - that is the "wanted" roster of the multifarious security agencies.
"I have been surprised at the extent of discrepancies in the claims of employees. I am also surprised that it is so rampant," says Arpinder Singh, director at KPMG, which is one of the entities authorised to conduct background checks for the NSR.
According to Singh, there is some falsehood in at least one of every 10 cases that his team checks, and that is a pretty high number. And yes, talk of organised crime is cropping up more often than it used to.
Since companies are "growing beyond their compliance systems", NSR is a good way to pool limited resources, except for one fundamental flaw - the voluntarism of the system. A dishonest person would simply escape the NSR net by not volunteering to be on the database.
"I think there are serious challenges in NSR being a serious tool. I don't believe it will work," feels Raman, who is in favour of collating a "known-offenders list" (read black list). There is also legislation on data security which is in the pipeline (actually, it has been in the pipeline for years now). But legislations have rarely solved the problem.
"There is an anti eve-teasing law in India. That hasn't stopped it," quips Raman, who thinks most companies live in a state of denial as far as security is concerned.
Since one company's lapse could end up hurting the entire $24 billion software and services (IT/ITES) export industry "which has a long tail", on the cards is a self regulatory organisation (SRO) for the industry, again backed by Nasscom. It will set out information security guidelines to be followed by all companies, audit the adherence to those guidelines, and will also have the power to impose penalties for violations.
Currently, the headhunters are out looking for a head for the SRO. Not surprising, given that the industry has always been ahead of legislation.
"The larger we grow, the larger the perception of threat," shrugs Saurabh Srivastava, chairman of Xansa and also Nasscom's chairman emeritus. So what the industry has to do now is to show that not only is it fighting-fit, but it is actually fighting back what could be a threat to its existence.
Look Who's Registered!
What is the national skills registry (NSR)?
A national database of employees in the IT/ITES sector with their fingerprints (six) and verified details on qualifications and work experience.
How many employees are on the NSR today?
Just about 10,000 of the industry's 1.3 million people.
How many companies have extended their support to NSR?
About 18 so far including TCS, Genpact, Franklin Templeton, WNS, NIIT, Tech Mahindra, Cognizant, ICICI OneSource and Wipro BPO. Many more are in the pipeline.
Is the information on NSR open for anyone to see?
No. It is only the employee who can give access to the information to, say, a prospective employer.
What is the benefit of the NSR to the employee and employer?
Doing away with a repeat background check every time there is a job hop will save time and money.
Is NSR mandatory for all IT/ITES employees?
It is voluntary for now. This could change if threat perception increases.
SpywareCCTV (closed circuit TV)
Swipe-in and swipe-out
Regular bag frisking