Just how security conscious are Indian business process outsourcing companies?
That matter has come under the arc lights thanks to former MphasiS employees in Pune having allegedly stolen more than $350,000 (about Rs 1.5 crore) from the accounts of four customers of its BPO client, Citibank.
The episode can have serious consequences -- in a report, Forrester Research, the consultancy, stated that call centre expansion in India would be hit by as much as 30 per cent because of the incident.
Call centre theft may bust India's BPO boom
But security in Indian information technology companies, claims Sunil Mehta, vice president at the National Association of Software and Service Companies, is as good if not better than in any other companies in the world.
Indeed, a few companies, according to a NASSCOM-Evalueserve report on the information security environment in India, have claimed that India is the most stable of offshore locations.
Mphasis case not to impact BPO boom
Many observers also make the point that such incidents occur all over the world -- in February this year ChoicePoint, the US company that verifies identities and credentials of people, announced that it would rescreen some 17,000 business customers who could have accessed its data, because scammers, posing as legitimate businessmen, opened some 50 of those accounts in its data base.
But, notes Forrester Research country head Sudin Apte: "It could be argued that this happens all the time worldwide. This may be true. But many a time it is the perception that matters. The anti offshoring lobby gets one more point to raise and it may impact client confidence."
The school of thought that says that Indian BPO companies are highly security conscious argues that most BPO companies do invest in security technologies.
Says Sreeram Iyer, group head, global shared service centres at Scope International, the outsourcing arm of Standard Chartered: "This is one sector which services multiple clients across multiple geographies. Security-related practices are driven by client requirements, and most companies are willing to invest in technology. Which is why the security threat is actually low as the level of awareness and vulnerability is high."
Outsourcing and India: Complete Coverage
True, Indian BPO companies do require employees to have access cards, and undergo biometric tests. They also have policies for handling removable computer media such as CDs and floppies.
Also, only 1,000 companies in the world have attained the highest level of security standard, the British Standard BS7799 -- and 10 per cent of these companies are Indian (MphasiS is assessed at this standard).
But at the end of the day, what counts is a company's security culture. Security standards play an important role, but the internal controls a company exercises plays an even bigger role.
Asks a vice president at a leading IT company: "How many companies actually review their security policies rigorously? How many strictly implement their security policies?"
Still, Pramod Bhasin, president & CEO of Gecis Global, formerly GE's BPO arm and now an independent third party BPO company, thinks that most Indian IT companies and BPOs will consider hiring a chief security officer, or a chief data protection officer, if they've not done so as yet. Gecis is doing just this, he says.
Bhasin also says that most BPOs will also review their security processes as a result of this incident. If nothing else, that's one outcome of the incident that is only to be welcomed.
