Profiles
 Interviews
 Ask our Expert
Columnsmore...
The Sun Exposé - Does it really sting?

Prakash Gurbaxani, CEO, TransWorks Information Services

The recent events pertaining to the undercover operation by a British Tabloid have brought the Indian BPO industry under the media's glare once again. There has been a lot of speculation on the state of information security with respect to the industry in this regard. A closer look at the global information security environment helps us view this situation more objectively.

Over the past 5-6 years the BPO industry in India has grown rapidly and has consolidated its position as a Global Outsourcing hub. The position the IT/ITES industry has earned has been built, by not only providing World-Class Quality Service at competitive rates to Global 1000 companies, but also by strictly adhering to globally accepted Data Security and Protection norms.

To ensure that India is 'Competitive' as a Global BPO destination it is imperative that potential customers don't see any 'India' specific risk in their decision to move work offshore to India. This is evident from the fact that the 'Captive' BPO business in India is twice the size of the third-party BPO business in India. This means that Global 1000 companies after conducting a thorough research vis-à-vis location attractiveness across parameters such as availability of quality labour pool, costs, infrastructure, technology, data, security risks, business continuity risks and the like are choosing India as the best location for their BPO hubs. Hence, it is now a well-established fact that global organizations do not incur any additional risk to their business by moving their work to India. The risk that any organisation entails by outsourcing its work to India is equivalent to the risk it faces while running its business in its home country or in any other country.

To get a perspective on the Sun exposé, it is important that we look at the overall Data Security scenario around the world. A few facts that are representative of security concerns across many countries show us that Information Security breaches are common to countries the world over.
  • In the DTI's (Department of Trade and Industry UK) 2004 Information Security Breaches Survey, over 70% of organizations reported that they had suffered a security breach the previous year.

  • Within the last twelve months, 9.3 million Americans were victims of identity theft. Most thieves still obtain personal information through traditional rather than electronic channels. In the cases where the method was known, 68.2% of information was obtained off-line versus only 11.6% obtained online. (Source: Javelin/Better Business Bureau - January 2005)

  • Conventional methods, such as through lost or stolen wallets, misappropriation by family and friends, and theft of paper mail are among the most common ways thieves gain access to information.

  • Nearly one-quarter of all victims said their information was lost or stolen, including lost or stolen credit cards, checkbooks or social security cards.
Keeping the above facts in mind, it is obvious that such instances are not unique to India and hence will not have any long-term impact on the BPO Industry. The Indian statistics on security breaches such as cyber crime and identity theft are practically non-existent as compared to these figures.

Having said that, it is imperative that we realize the importance of maintaining high levels of precautionary Information Security measures, in addition to building a strong legal enforcement structure. Though many companies have taken steps to get certified to International Data Security regulations, it is important that India is viewed as a business destination where Data Protection is a norm rather than an exception. To this effect, individual organizations and Industry associations have aggressively pushed for legislations that provide a strong regulatory framework to create an environment of awareness, compliance and enforcement to global norms, standards and laws with respect to Data Security, Privacy, Intellectual Property Protection, Piracy, and Confidentiality.

The government's role in ensuring a reliable regulatory framework has given impetus to this movement. The recent communiqué from the Prime Minister's Office on strengthening the Data Security framework and increasing the focus on de-risking the Indian business scenario vis-à-vis Data Security indicates the level of seriousness with which the Government addresses this issue.

The most important aspect of all the facets of Information Security in the Outsourcing business is what a customer views as priority. From a customer's view point there are a number of steps that can be taken to bring in a sense of assurance.
  • Awareness of the importance of Data and Information Security at all levels is a primary step towards building a strong foundation. Communication to employees across the organisation about the impact of maintaining customers' data secure is an ongoing process. At the industry level, reinforcement of the need for a strong data security framework is addressed at every forum.

  • At the organisational level, there is a strong focus on physical security which includes Closed Circuit Televisions (CCTVs), the presence of security staff, electronic access cards, disabled floppy and CD drives etc. Additionally, from an IT perspective, Firewalls, Internet security, limited access to Emails and the Internet are other steps that are taken to ensure information security within organizations. Stringent HR policies that include not allowing employees to carry mobiles or pens or any electronic gadget are a norm in almost every call center.

  • The focus on acquiring globally accepted security certifications such as the GLBA (Gramm-Leach Bliley Act), Sarbanes Oxley, HIPAA, UK Data Protection Act and Safe Harbor, is increasing. The awareness of these security regulations amongst organizations and their employees is also on the rise.

  • The IT/ITES industry's largest forum, NASSCOM has taken a number of steps to prevent such incidents altogether, in addition to working closely with the government to build a strong regulatory framework. NASSCOM is in the process of building an employee database that can be used as a reference while hiring employees in the BPO industry. The database will bring about a great deal of control in the recruitment process with respect to the kind of employees being recruited, in addition to curbing rising attrition.

  • The Government of India itself has shown a keen interest in ensuring that a strict legal framework is developed to counter such incidents. Security issues that are under the purview of the Indian Information Technology Act 2000 (IT Act) can today be addressed easily. Despite that, there is work on revamping the IT Act to provide a greater focus on Data Protection.


There is no doubt that Data Security is viewed very seriously at every level - be it individual companies, the IT/ITES industry or even at a national level where the Govt. of India has shown tremendous interest and support. Despite precautionary measures and enforcement frameworks, there will always be miscreants all over the world who are driven to committing cyber crimes and thefts and as long as stringent enforcement methods are employed, these will be kept to a minimum.

Our aim however, is to ensure awareness of the importance of Data Security, knowledge of the implications of such offences and the existence of a stringent legal framework that addresses and enforces the law in the event of such incidents however infrequent they may be. To this date, we have done an exemplary job of it and are comparable, if not better than most countries with regard to Information Security and Data Protection - We just need to keep up the good work!