Financial Daily from THE HINDU group of publications
Monday, Sep 19, 2005

eWorld - Security
Info-Tech - Insight


Fencing out trouble

Gaurav Raghuvanshi

Play by the book, but don't expect to be always lucky. That's why Indian BPO players are sparing no effort to protect information security, with measures such as a 'clean desk' policy, rigorous employee background checks, and educating staff on the need for safety steps.

YOU are a BPO employee with a criminal bent of mind. You are dealing with sensitive client information and have immense faith in your 'charms' to be able to coax out passwords and personal identification numbers from unsuspecting customers.

Bingo. That's all it takes to become a millionaire overnight by stealing others' money.

Well, it did happen at a BPO centre in Pune earlier this year, but it is not that simple and companies in India are now taking extra care to ensure that incidents akin to the two recent frauds in BPO companies are not repeated. Several BPO companies that eWorld sounded out admit that it is virtually impossible to have a completely fool-proof system. The key, then, is to first ensure that such sick minds don't reach the call centre floor and if at all they do, life is made difficult for them.

'Clean desk' policy

Companies are doing that by employing a 'clean desk policy'. This ensures that the floors are 'no paper, no pencil and no mobile phone' zones. Almost every BPO company that is dealing with sensitive information that has a potential for misuse now forbids its agents to carry any such instruments to their desks.

Plus, Internet access is not allowed, all disc drives of the personal computers are deactivated, and printers are not connected.

"I guess it would require some superhuman effort for an individual to memorise the details of a customer, go out of the premises to make note of it and then come back for more," says Kaushal Mehta, Chief Executive Officer of Motif India Infotech Ltd, an Ahmedabad-based BPO outfit.

And that too can only be limited as the agents are not allowed frequent breaks. While on the floor, they are constantly taking calls or responding to e-mails. The breaks are regulated, so it would be difficult for someone to play foul.

Often, the security measures required on the floors are specified by the clients themselves. "Each BPO company takes measures specific to their client requirements. This ranges from multiple levels of physical security, data protection through dumbed down computers, disallowing mobile phones on the floor and isolated high-security zones with restricted access," says P.V. Kannan, Chief Executive Officer of 24/7 Customer.

Speaking of the data security measures taken by HCL Technologies BPO Services Ltd, the company's Chief Operations Officer, Ranjit Narasimhan, says "very comprehensive multi-domain, multi-layered and multi-level security policies have been formed to ensure that there is no violation."

"Our security policies are divided into 10 domains with 37 control objectives and 124 control points. They are divided into different layers such as desktop layer, network security and perimeter security. For example, perimeter security involves detailed intrusion detection systems with detailed procedures for handling various incidents. We have very strict controls of physical access and we have never had any security violations since our inception," says Narasimhan.

Then why have break-ins occurred? "It is unfortunate that such incidents occurred. But it is not as if similar incidents have not occurred in the US. In fact, the number of incidents in the US may actually be higher but due to an undercurrent against outsourcing, the media hype generated was much higher when the violation occurred in an Indian BPO outfit," says Motif's Mehta.

Agrees Kannan of 24/7. "The focus on security is for real and will remain a constant expectation in offshore outsourcing. The sensationalism around breaches is, however, a temporary phenomenon. Our customers are well aware that these types of breaches happen regularly even within their countries. Only, because it happened in India, it has taken a different hue as anything that involves offshoring, especially things that go wrong, is always of interest to the media," he says.

While most existing and prospective clients do understand that adequate security measures are taken, most of them insist on their own set of standards and regularly come down to BPO campuses to ensure that they are being adhered to.

"Our clients have been asking us about the security standards for the last four years. Most of our clients have very strict security requirements and compliance procedures. Surprise audits are routinely conducted by them to ensure that we have implemented security measures as committed," says Kannan of 24/7.

Narasimhan of HCL BPO adds that concerns regarding security are not a temporary phenomenon that would die down with time. While the hype may go down, no client is willing to make even the smallest compromise on security.

That must be one of the reasons prompting companies to get certified for BS 7799, CoBIT or BS 15000 standards. Compliance with recognised standards helps generate greater confidence among clients, say the executives of BPO companies.

"We have recently been certified BS 7799 compliant. Although none of our clients had refused to give us business even though we were not certified, getting the standard will certainly add value to us and we are sure clients are more comfortable dealing with BPOs that have such certification," says Mehta of Motif.

Kannan of 24/7 Customer and Narasimhan of HCL BPO say that BS 7799 has almost become a standard expectation among clients and their processes have already been certified.

Employee background checks

The BPO companies agree that the best security systems also have to involve the Human Resource Development (HRD) departments. Background checks on employees are standard across the industry.

"It is one thing to have systems. But employees have to be motivated to adhere to the systems. We ensure that our employees are not only educated on the security systems, but that they also scrupulously follow them, in both letter and spirit," says Mehta of Motif.

"We carry out comprehensive background checks on all our employees. Further, all our employees also sign a non-disclosure agreement when they join. They are oriented with the various security processes as part of their induction into the organisation," says Narasimhan.

Meanwhile, the National Association of Software and Service Companies (Nasscom) has started an online registry of BPO employees as a ready reference check for its member companies. The move is aimed at reducing the risk of criminal activity while not violating the privacy of existing and prospective employees.

The background information will only be revealed to a prospective employer with the explicit consent of the employee. Nasscom hopes that employers will be able to steer clear of individuals who have committed some kind of fraud in their career.

Starting with a pilot project in Delhi and Gurgaon, Nasscom is now taking the experiment across the country.

The need to ramp up the employee certification process needs no highlighting. According to Nasscom figures, India's BPO industry employed 348,000 staff as of March 31 this year, and is expected to generate employment for over one million people by 2009.

At the moment, US organisations devote only a small fraction of their budgets for information technology services — including BPO — to low-cost countries, according to a recent Merrill Lynch survey of chief information officers.

But that share of the budget is expected to grow over time, from 0.9 per cent in 2004 to 1.6 per cent in two to three years.

According to the Merrill Lynch report, security fears are the main reason CIOs are not moving IT work offshore faster: The 'key inhibitor preventing companies (from using) offshore outsourcing remains data security,' the report said.

But the Indian Police system did come in for a lot of praise for the manner in which the Pune incident was handled.

So, while there should not be too much concern regarding loss of business due to a perceived lack of security, Indian companies would have to work harder to ensure that there are fewer breaches in future.

The Nasscom President, Kiran Karnik, sums up the situation aptly. "India is fast becoming the outsourcing capital of the world, and this kind of incident, while unfortunate in itself, when successfully dealt with, highlights and reaffirms the existence of an effective framework of laws and a commitment to enforcing them in India," Karnik said in a statement after the Pune incident.

eworld@thehindu.co.in


Copyright © 2005, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line