BPO industry battling data insecurity

In the 1950s, the world’s very first credit card, Diner’s Club, reconciled transactions and payments manually, taking months to clear an account. Today, the global leader in credit/debit card services, Visa, with over 1.4 billion cards in circulation, can process 6,300 transactions per second.

Such efficiency is increasingly demanding its pound of flesh, with security breaches and data theft becoming a crucial global concern. According to consumer research conducted by Visa, data security issues surpassed even terrorism, job loss and natural disasters as the greatest concern globally.

Given its significant market share in outsourced data processing, the Indian BPO industry has landed in the eye of a storm. Consider some recently reported security breaches:

• June 2006: An HSBC employee at Bangalore allegedly leaked personal information of customers. Estimated theft amount: £233,000.

• April 2005: Three employees of Mphasis in Pune arrested for stealing from New York-based Citibank customers. Estimated losses: $350,000.

• June 2005: An employee of Delhi-based Infinity e-Search reportedly sold customer information to a UK tabloid journalist for $5000.

But security violation is not just an Indian problem. Data processing firms the world over are grappling with the issue, often on a much larger scale. For example, in June 2005 the data of over 40 million credit card holders was compromised through a breach at US based CardSystems Solutions. The same month, CitiFinancial reported another breach affecting 3.9 million current and former US customers.

The Indian BPO industry is not even a decade old. According to PricewaterhouseCoopers, outsourcing of IT security is a relatively new practice in India, in contrast to developed information security markets in other countries. This has contributed to opportunities and pitfalls in equal measure. Anirban Sengupta, principal consultant, Business Solutions,PwC believes that the banking and financial services and ITeS/BPO segment have in fact contributed largely towards increasing the quality of information security. 

Though the frequency and magnitude of reported security violations in Indian BPOs has been relatively small, it is taking its toll on the industry. According to a recent report by Forrester Research, a combination of information security breaches, high attrition rates and staffing costs has contributed to a fall in the Indian BPO growth rate. It  fell from 48 per cent in 2004-05 to 35 per cent in 2005-06, and is expected to dip further to 28-30 per cent over the next 12 months. 

Indian BPOs have been continuously upgrading security measures. These include complying with international standards and tighter physical and network security. Currently, the overall spending on security ranges from 5-15 per cent of a company’s IT budget, and seems set to rise. With a NASSCOM–McKinsey study predicting Indian IT/BPO exports to reach $60 billion by 2010, this is crucial investment for sustaining competitiveness.

Indian BPOs are moving up the value chain, handling high-end data for airline information, insurance, and mortgage companies, and data protection is high on the agenda. Importantly, the Forrester report places security at Indian facilities above that of the US and UK. But it is mostly the top-tier companies that have attained globally competitive levels, and more needs to be done to include smaller operators.

Security breaches have also put the spotlight on recruitment practices. NASSCOM’s recently launched National Skills Registry is a centralised database of comprehensive information on ITeS-BPO professionals in India. Since its January 2006 launch, 23 companies have joined.

But certifications and physical and network security measures need to  be supplemented by  comprehensive data protection  laws, as the next story shows.