In recent weeks, the quality of India’s IT security has been called into question several times. First, when London’s Channel 4 claimed its sting operation had revealed “credit card data, along with passport and driving licence numbers are being stolen from call centres in India and sold to the highest bidder.” Next, when a survey on the Global State of Information Security 2006 (www.CSOonline.com) highlighted the ‘sad’ state of IT security in India (and elsewhere). The report singled India out for special attention, saying “India lags far behind the rest of the world in instituting even the most basic information security practices and tools. With the subcontinent claiming status as the outsourcing partner of choice for the biggest IT powerhouses in the world, these findings should be a source of considerable concern.” The latest blow is a decision by Gurgaon-based IT firm Acme Telepower to pull out of India last week and to cancel a $10 million investment plan here.
How true is this picture? IT experts that I checked with bristle at such allegations and believe that foreign media reports tend to paint all IT companies with the same brush. That is definitely true.
For instance, Infosys points out that “most Indian companies which serve multinational corporations from the developed world (and they are the ones who matter) have an information security framework and implementation aligned with globally accepted security standards, such as BS 7799. They also have Global Business Continuity plans that are operational and tested. Infosys is the first company to be assessed as compliant under the Technical Reference standards of the Singapore Standards Body. It also has dedicated IT security teams to review organisational security on an ongoing basis.”
But then, Infosys and a few dozen others are exceptional companies. Prakash Hebalkar, president of Profitech, says “Security preparedness is as much a matter of technology as mindset.” The first is usually on offer directly, but the second is harder, as the CEOs of many banks are not IT-savvy and tend to brush these things away as unduly alarmist. On the other hand, the ministry of finance has regular security audits. So standards vary, both among Indian companies that are heavy users of Information Technology (IT), as well as IT and BPO operations.
IT experts also refute the Global Security Survey’s comment that “nearly one in three Indian organisations suffered some financial loss because of a cyber attack last year, compared with one out of five worldwide and one out of eight in the United States.” They say that while IT security is always a serious concern, there have been only been a handful of data security incidents in the past three years, of which two led to financial losses. More importantly, the perpetrators were caught very quickly in each case.
Few companies initiate strict action against employees who fudge academic qualifications or employment records, which is short-sighted
Sanjay Pandey, an IT security expert with a police background, says companies that outsource to India are also to blame, because if they do not insist on high security standards, they obviously have a loose outsourcing regime. He says that action against security breach must also cover the organisation under attack if it has lax controls.
While this is all true, there is unfortunately a yawning chasm between, say, Infosys, Wipro and TCS on the one hand, and someone like Dinesh Dalmia at the other. Dalmia ran three BPO outfits in India, while absconding from this country and has cheated investors in the
US and UK to the tune of over $130 million. He is by no means the only dubious operator in India. If foreigners tend to generalise about security concerns while dealing with Indian firms, the fault also lies with us.
The industry and its trade bodies like Nasscom are entirely focused on image building, lobbying for the industry and focusing on less important issues such as resume ramping by employees. Few companies initiate strict action against employees who fudge academic qualifications or employment records, although such employees are most likely to be lured into data theft as well. Some think that background verification is protection enough. If the IT industry is irked by security concerns expressed by international firms, it must push for a cleansing and ensure that dubious companies are not allowed to ride the BPO bandwagon and tarnish India’s image.