BPO firms assure clients on data

Stringent BS 7799 certification seen as inadequate

After a recent sting operation by British tabloid The Sun claimed to have exposed data-flogging in India's call-centre business, BPO managers are asking their clients not to panic saying their data are safe.

Data security remains a concern especially after data pirates reportedly breached security in BPO firms twice in recent times. Security experts warn the BS 7799 certificate, which is awarded to companies applying the highest form of security to protect client data, is no longer enough.

"In India, barring a handful of Indian companies and MNCs which have international security standards, all others have minimal security cover," said Raghuraman, CEO Mahindra SSG, specialising in information security. This would mean only 1 per cent of the total companies in India has comprehensive security measures, he added.

The case involving the employee of Infinity E-search is still being investigated, while the Mphasis case, where a fraud involved 15 employees over a period of six months, highlights that security is more about people than processes.

The company already had a BS 7799 certification. The employees siphoned off $425,000 by using private data of foreign clients before the management discovered their act.

Experts say the first sign of any security breach are the behavioural changes that occur in the employees, and Mphasis had failed to notice them.

Most security analysts concur that understanding employee behaviour and a comprehensive information security cover are most important measures. According to them, most companies consider background checks of employees to be the single most important measure to prevent cyber crime.

But statistics show that more than 70 per cent of white collar crimes are committed by first-timers. Background checks are, thus, the biggest myth of a security framework, experts say.

"With employees having no sense of belonging, it is easier for some to fall in the trap of making a quick buck by palming off secure data," says an expert.

Nasscom is hoping to address this problem by establishing a register of information technology professionals to ensure that their track record can be maintained. But that will be an onerous task given the size of the Indian IT industry.

To avoid security breaches in an environment where employees have in-depth knowledge of the system, companies are being advised to undertake regular job-rotation.

"This does not give employees a chance to personalise the system. We advice companies to watch out for those employees who have personalised their systems and have worked longer hours without leaves," the expert added.

A comprehensive security cover, not just cyber security, is very essential to avoid security breaches. "Most companies use a Six Sigma and a BS 7799 certification only for some operations," said Raghuraman.

According to a recent PricewaterhouseCoopers report that covered firms with a work force of 300 or more employees, 65 per cent of the companies do not have comprehensive information security measures.

Wipro and Godrej have tripled their information technology budgets in the last one year to implement a comprehensive security.

Editorial Comment: Now get the law

In most BPOs, changes have been made in service level agreements with clients to ensure that specific security measures are put in place.

According to experts, it is time for a CEO or CTO of a BPO to take a comprehensive check. With the chorus against outsourcing to India getting louder by the day in the West, that's one thing BPOs can ill afford to ignore.