Indian BPOs Face Data Security and Privacy Challenges

DQI Bureau

The Indian BPO industry, which grew nine-fold from $1.6 bn to $14.7 bn in just a decade, has always had to overcome one of its major challenges: addressing the data security and privacy concerns of its stakeholders. Even today, security and privacy keep it on its toes. This has been revealed in the KPMG-DSCI survey 2010, which assesses the current state of data security and privacy practices in the Indian BPO industry. As part of the survey, 50 organizations, large and small, were surveyed.


Meeting Data Security and Privacy Challenge

The survey underlines the fact that organizations treat security more as a hygiene factor than as a point of differentiation that could yield competitive advantage. The Indian BPO industry also recognizes its end customers' concern about their personal data, and is wary of any bad publicity resulting from a data breach. "As found in the study, Indian BPOs find security a basic minimum element to stay in the business. They know that by having good security measures, they hardly get any competitive advantage," says Akhilesh Tuteja, executive director, KPMG.

Drivers for Data Security: According to the study, 70% of the organizations accept the fact that key data security threats emerge internally. In addition, clients continue to drive the information security requirements, helping corporations mature their information security programs through periodic audit and monitoring.


Security Function: The survey reveals that organizations place due importance on the security function internally, which is why two-thirds of the organizations have more than 5 members in the security team. It further underlines that geographical expansion of operations, rising revenue across lines of service, and business growth in client relationships are making security a localized/decentralized function.

Maturity of Security Practices: The survey highlights positive trends in the use of standardized processes in Indian BPOs, which adopt well-known standards such as ISO 27001. At the same time, a majority of the organizations keep continuous vigilance on evolving security issues and vulnerabilities, and constantly review their environment to assess its security posture.


Drivers for Data Privacy: Organizations are aware that even a small data breach can significantly affect their brand image. This is reflected in the fact that 73% of the organizations consider bad publicity in the media as a critical driver for their data privacy initiatives. Besides, 50% of the respondents also mentioned that their clients demand that they undertake privacy initiatives, and explicitly include data privacy clauses in their contracts. Companies' focus has also shifted towards protecting their employee data. "There are 48% of the organizations which have started to focus on protecting the privacy of their employees' data," reveals Tuteja.

Privacy Function: While the primary drivers for data security and data privacy are the same, the controls and capabilities required for ensuring them are quite different. Realizing this, organizations are moving towards deploying dedicated personnel for privacy. This is evident from the fact that 41% of the organizations have a dedicated privacy function with a team strength of more than 2 members. "Companies need to handle data security and privacy security differently. Privacy security is mainly associated with protecting personal data of employees, clients, and clients' clients," adds Tuteja.

Information Security Governance and the CISO's Role

Most BPO organizations are now familiar with the value a chief information security officer (CISO) adds to their security functions. Hence Indian BPOs do have a designated CISO, who spends significant time on strategic initiatives such as evaluating and mitigating security implications of new business initiatives.


However, there is confusion in organizations over whom the CISO should report to. The survey says that there is no standardization of the reporting alignment of CISOs. CISOs have multiple reporting lines, resulting in a lack of focus and accountability. In 30% of organizations, CISOs report to the CIO/CTO, highlighting concerns about the independence of the security function. "Organizations need to decide his reporting line in such a way that he could take independent decisions on security threats," further suggests Tuteja.

Apparently, security of the organization is the prime responsibility of the CISO and his/her team, but the CISO needs to be equally involved with the IT infrastructure team, business units, corporate compliance, etc., since these areas are also involved in security management.

Challenges from Extended Boundaries

Expansion pushes growth. This is the case with the BPO industry, which has established its presence across diverse geographies over time and consequently faced challenges in meeting multiple regulatory or client requirements. "Meeting multiple client/regulatory requirements, while serving clients across geographies, is a key challenge faced by the organizations," says Tuteja in the survey. According to him, BPOs have been renegotiating contracts with their clients to ensure that any liability arising from vulnerabilities in the client's environment is borne by the client.


Lack of Seriousness from Employees: According to the survey, 73% of the organizations believe that there is a lack of seriousness among their employees towards data security. Managing data security and privacy is also a challenge due to the higher attrition rate in the BPO industry. "It is because mostly their employees are from the younger age group. And this age group is more risk conscious, resulting in lack of seriousness for security and privacy functions. When they switch jobs frequently, it poses a significant challenge to the security and privacy of the organization," says Tuteja.

Mitigating Client Environment Risk: Risks do not arise only at the organization's end but at the client's end too. The findings show that organizations are making their employees aware of the risks that arise from a client's environment. They are also deploying additional technical and organizational controls to mitigate these risks.


Mitigating Third Party Risk: When a BPO handles a client's processes, it also faces security risks emerging from the client's third-party service providers. The survey underlines that the risk of a data breach increases especially when these service providers have access to confidential information. "As revealed in the survey, most of the organizations sign non-disclosure agreements/confidentiality agreements with the third party service providers, and use the contract as an instrument to make the third party service providers liable for any security breach," says Atul Gupta, director, IT advisory services, KPMG. Beyond that, 48% of the organizations have controls deployed as per a third-party risk assessment framework and 52% conduct vendor risk management exercises.

Understanding Regulations

According to the survey, since the Indian BPO industry is largely driven by clients from international geographies, its data security and privacy related technological investments are made on the basis of global regulatory requirements. Indian BPOs are quite aware of international regulatory environments, but barely aware of the regulatory requirements at home, that is, the Information Technology Act Amendment 2008 (ITAA 2008). "Organizations have not started even any awareness drives for ITAA 2008," says Tuteja. Adding to his words, Gupta reveals that a large percentage of the organizations have not even activated the legal function to understand, interpret, and suggest necessary precautions to comply with ITAA 2008.


As far as tracking contractual/regulatory requirements is concerned, the survey highlights that more than three-fourths of the organizations involve the legal department in the initial stages of contract negotiation, and maintain an inventory of contractual/regulatory requirements for each client relationship. Only 30% of the organizations use an enterprise-level tool to help manage compliance.

BPOs' Internal Processes

Over the years, the internal processes of Indian BPOs have matured. The survey indicates that they have reached a point where most of the organizations keep track of threats and vulnerabilities. They have also established processes for employee background screening, security incident management, BCP/DRP, and physical security controls.

Data Centric Approach: Organizations are bringing a data-centric approach to their security initiatives by understanding the type of operations, client requirements, and the underlying resources and access patterns. The survey also reveals that 78% of the organizations involve process owners and lines of business in their data security initiatives.

Perceived Risk Based on Lines of Service: More than two-thirds of the organizations perceive the following business processes as high risk: human resource operations, health information processing, finance and accounting, and payroll accounting.

Threats and Vulnerabilities: Organizations have established appropriate measures to keep track of new threats and vulnerabilities. However, they should also consider stronger engagement with vendors/third parties and insist that these report new threats and vulnerabilities in their products/services, so that appropriate controls can be implemented in internal processes in a timely manner.

The survey reveals that most of the organizations do not have a mechanism in place that is capable of swiftly testing the relevance of these issues in their environment.

Solutions Adopted Internally: The findings suggest that organizations have adopted encryption-related solutions and have started to develop fraud management and forensic capabilities internally. In the wake of data protection regulations, more than 50% of the organizations have deployed or are planning to deploy solutions such as hard disk encryption, email encryption, data loss prevention, security incident monitoring, and mobile data protection.

Background Screening: Employee background screening is one of the key security controls, especially when employees have access to critical/confidential client information. This is reflected in the survey, where 72% of the organizations confirm that they conduct background screening of their employees. Realizing the importance of background screening, Nasscom has started an initiative called the National Skills Register (NSR) to build a credible information repository about all personnel working in the IT and BPO industry.

Business Continuity and Disaster Recovery Planning: The survey also underlines that organizations have a mature business continuity and disaster recovery planning process in place. Its scope covers strategies for client business processes and the recovery objectives of each client relationship. For most of the organizations, the scope also covers scenarios such as local city outages and externally provisioned systems, applications, and networks.

The Way Forward

Over time, the Indian BPO industry has withstood customer and regulatory scrutiny and has been able to embrace data security and privacy governance processes. According to Tuteja, the survey ends on a positive note, helping organizations benchmark their security standards against those of the industry; he also finds it helpful to organizations wanting to outsource their processes. But Tuteja shares his concern over the fact that large and small BPOs follow similar data security standards. "Large BPOs need to invest in innovation on data security and privacy practices. Security is an area which needs continuous innovation. And large organizations need to invest for developing new technologies to strengthen their security shield. If organizations are capable of doing this, chances are high that there will be fewer data breaches," concludes Tuteja. The survey findings can serve as an eye opener as well as an assessment tool for Indian BPO organizations.

Onkar Sharma
onkars@cybermedia.co.in