Most steps only gestures for clients’ sake or in response to peer, media pressure.
Domestic IT and BPO service providers are yet to grasp the basic spirit behind data security even as their overseas clients worry more and more about terror strikes in India, according to a survey of Indian firms and their overseas clients.
The survey, conducted by Forrester Research, found that Indian companies were confusing gadgets and technology for the real need — a culture of security.
“Most vendor initiatives are merely gestures or marketing activities rather than genuine efforts at holistic change,” concludes the report titled ‘How secure is your offshore work?’, targeted at the customers of offshoring companies.
The primary problem that the survey hit upon was the underestimation of the human element by Indian firms. Forrester’s interactions with employees revealed that companies had not communicated the need for data security to their employees fully, but were instead relying on gadgets and gizmos.
“Many of them (employees) had a very casual approach toward this issue, complaining that steps like physical security measures of access control, patrolling guards and screenings are out of proportion to risks. Some claimed that management is only partially serious as most steps taken are only gestures for clients’ sake or in response to peer and media pressures,” the report pointed out.
Indian IT and BPO firms have come under increased scrutiny in the last three to five years after a series of data breaches. In April 2005, for example, three former employees of MphasiS were arrested on suspicion of stealing more than $350,000 (Rs 1.65 crore) from four customers of a US Bank. In the next year, an employee at HSBC’s Bangalore center allegedly leaked the personal information of more than 20 British customers to criminals in London, resulting in the loss of nearly £233,000 (Rs 1.6 crore) from their bank accounts.
In response, both the industry and the government had announced a slew of measures, including passing the Indian IT Act and setting up of the Data Security Council of India (DSCI).
Since then, Forrester found that most firms have implemented tools such as antivirus and antispyware, network access control, stringent user ID/password controls, and antispam etc.. But Forrester says they are yet to take the tough steps.
“When asked what their top initiatives are, most security executives described what tools and new technologies they will implement. Achieving certifications, publishing policy statements, and writing white papers were also at the top of the list.. firms have taken relatively easy and client-facing steps. Their emphasis is on showcasing what they are doing to build client comfort, rather than trying to coherently reduce threats,” the report authored by lead analyst Sudin Apte said.
Even though most companies have a chief security officer reporting directly to the CEO, many of them noted that they get attention only when there is a security breach or when an incident is reported in the media.
Another area of concern for clients was the increasing frequency of terror strikes in India, including the recent blasts in Pune. “Many clients told Forrester that they are compelled to prepare for the possibility of service outages as the risk profile of some Indian cities increases,” the report said.
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}
)
){kind=small}
){kind=small}
)
)
)
)
)
){kind=small}
){kind=small}
){kind=small}
){kind=small}
){kind=small}