Cyber fraud: Wake-up call for Indian firms


April 26, 2005 06:58 IST

A business process outsourcing unit in India loses about half a million dollars and the prophets of doom pronounce sentence on the entire Indian BPO industry.

Web sites are flooded with articles berating India's information security standards and even its judicial processes. And most of this emanates from the United States, a country that has set new records in financial fraud (Enron, WorldCom, Martha Stewart, etc) or has the largest number of casualties in a single security failure (World Trade Center).

Welcome to the reality of information warfare.

I was in London when the MphasiS story hit the headlines. Virtually every customer we were speaking to pre-empted our services pitch to ask us pointed questions about levels of security in India.

A couple of enterprising ones even had printouts of articles that 'conclusively' proved how dangerous it was to outsource to India -- or indeed -- outsource at all. That is the power of information and it's a pity that India is not using it.

It's a well-known fact that while Indian companies continue to aspire to climb up the value chain, much of the climb in revenue figures is achieved by playing the 'cheaper price' card.

BPOs routinely try to undercut competition by reducing price and cutting corners. And it is time we realised that the Indian IT industry will have to pay a dear price for it.

What happened at the MphasiS call centre was bad. Point conceded. Let's move on and look at what went wrong and how it needs to be fixed instead of throwing the baby out with the bathwater.

I happened to read a very imaginative and frankly ludicrous article written by Anthony Mitchell, now doing the rounds on various influential news sites. In one broad brush stroke, he has painted the Indian legal system, the judicial system, low conviction rates, custodial deaths (where did that one come from?), etc as the downside of doing business in India!

But while the detractors of outsourcing, in general, and India-baiters, in particular, are bound to use such an incident to further their agenda we need to do away with the ostrich mentality and tackle the problem head on.

The core issue of information security (or of security in general) comes down to three questions:

  • Is there an opportunity placed in front of people who have the capability and motive to exploit it?
  • Are the checks and balances efficient and capable?
  • Is there an independent, in-depth, periodic and objective assessment of the situation?

The fact that there is an opportunity for fraud to be committed is obvious. BPOs routinely handle sensitive information about clients, including credit card details, PINs and addresses. Despite the hype, the fact is that most customers end up giving such details to the BPO operatives because the process virtually drives them towards it.

Even the much-vaunted 'key in your PIN' option is no real protection: the keypad tones travel in-band on the same call, and anyone with access to the audio can decode them to work out the number.
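The 'tonal signal' referred to above is DTMF: every key on a phone keypad sends a fixed pair of sine tones, one from a low group and one from a high group, so a PIN keyed into an IVR can be recovered from a call recording with a few lines of signal processing. The following Python block is an added example, not code from the original column or from any company it names; it synthesises a constructed keypad recording (the sample rate, tone and gap durations and detection thresholds are assumed values) and then decodes it with the Goertzel algorithm, which computes the energy of a single frequency without needing an FFT.

```python
import math

SAMPLE_RATE = 8000                      # telephony sampling rate (8 kHz), assumed
FRAME = 400                             # 50 ms analysis window -> 20 Hz bin spacing
LOW_FREQS = (697, 770, 852, 941)        # DTMF row tones (Hz)
HIGH_FREQS = (1209, 1336, 1477, 1633)   # DTMF column tones (Hz)
KEYPAD = ("123A", "456B", "789C", "*0#D")


def synth_pin(pin, tone_ms=100, gap_ms=50, amplitude=0.5):
    """Constructed input: a PIN keyed on a phone, returned as 8 kHz PCM samples.

    Each key is the sum of its row and column tone, followed by a short silence,
    which is how the tones arrive in-band on a recorded call.
    """
    samples = []
    for key in pin:
        row = next((r for r, keys in enumerate(KEYPAD) if key in keys), None)
        if row is None:
            raise ValueError(f"not a DTMF key: {key!r}")
        low, high = LOW_FREQS[row], HIGH_FREQS[KEYPAD[row].index(key)]
        for n in range(SAMPLE_RATE * tone_ms // 1000):
            t = n / SAMPLE_RATE
            samples.append(amplitude * (math.sin(2 * math.pi * low * t)
                                        + math.sin(2 * math.pi * high * t)))
        samples.extend([0.0] * (SAMPLE_RATE * gap_ms // 1000))
    return samples


def goertzel_power(frame, freq):
    """Energy of one frequency in `frame` (Goertzel algorithm: a single DFT bin)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def _dominant(frame, freqs, ratio=4.0):
    """Index of the strongest tone in `freqs`, or None if none clearly dominates."""
    powers = sorted(((goertzel_power(frame, f), i) for i, f in enumerate(freqs)),
                    reverse=True)
    (best, idx), (second, _) = powers[0], powers[1]
    return idx if best > ratio * second else None


def decode_frame(frame, min_energy=0.01):
    """Classify one frame as a keypad character, or None for silence/noise."""
    if sum(x * x for x in frame) / len(frame) < min_energy:
        return None                     # gap between keys, or nothing keyed
    row, col = _dominant(frame, LOW_FREQS), _dominant(frame, HIGH_FREQS)
    if row is None or col is None:
        return None                     # energy present but not a clean tone pair
    return KEYPAD[row][col]


def decode_pin(samples):
    """Recover the keyed digits from raw audio by classifying successive frames.

    A key is emitted once per press: consecutive frames with the same decision
    are collapsed, and a silent frame resets the state so repeated digits
    (e.g. "77") are still counted twice.
    """
    keys, last = [], None
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        key = decode_frame(samples[start:start + FRAME])
        if key is not None and key != last:
            keys.append(key)
        last = key
    return "".join(keys)


if __name__ == "__main__":
    recording = synth_pin("7799*#")     # constructed "call recording"
    print(decode_pin(recording))
```

On a real call the same decoder runs over the recorded audio of the line, which is exactly what a call-centre voice-logging system captures; that is why keying a PIN during a recorded call protects it only from the agent's ears, not from anyone with the recording. The usual mitigation is to suppress or mask the DTMF audio at the IVR before it reaches the agent desktop and the recorder.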

I know of the experience of an Indian customer who lost his credit card while traveling from the United States to India and had to deal with a BPO based in India (paying ISD rates, of course) trying to convince the operator about his case.

There were no fewer than four distinct instances during his 20-odd minute conversation when he had to give sensitive details to the operator. Failure to do that would mean exposure to identity theft, the cost of which conservative estimates peg at several thousand dollars, apart from the trauma and lost time. Where is the choice really?

Expecting the customers to be wholly responsible is also naive. The information (and economic) ecosystem of a company includes its customers. For instance, in the well-known phishing attacks, in which customers of several banks received a fake e-mail asking them to confirm their password, it would be downright irresponsible for a bank to hide behind the fine print, though, sadly, many of them did.

To those who say it is totally the customer's responsibility, my question is -- can you show the amount of resources you spent in educating your customer about the information security hygiene they need to follow?

Didn't you in fact constantly underplay the threats and overemphasise the security certifications you have got in place? Didn't you propagate a sense of security while putting the risks in the finest possible print?

I think a more complex and subtle phenomenon is being missed here. What we are witnessing is the clash of two cultures. The young minds working in BPOs are being exposed to standards of living that are very 'aspirational' from their viewpoint.

Given their usually modest background, they are being exposed to and taught about a lifestyle that is alien and mostly out of reach. They are bombarded with confusing signals that question core values.

Originality is out -- parroting a foreign accent is in. Stress is on mastering sports scores in Pennsylvania not the realities of Pune.

And young impressionable minds are caught in this vortex of aspiration and opportunity. Combined with low checks and balances, it is a disaster waiting to happen.

An Air Force colleague of mine once told me about a study done on flight accidents taking data from all over the world. The startling result of the study was that more than 90 per cent of the accidents had occurred because some element of the pre-flight check had not been done.

In other words, nine out of ten accidents need not have occurred: the cause was already known and could have been prevented.

Unfortunately that has been my experience in the field of information security as well. A majority of losses take place -- not because of some highly sophisticated attack perpetrated by skilled attackers, but because of the ignorance of employees and structural process failures within the organisation.

Hate to burst a bubble here but the truth is, there are no 'Ocean's Eleven' out there -- only pre-flight checks that are not followed.

And anyone who is not convinced just needs to take a leaf out of the latest incident. Half a million dollars gets whacked, more than a dozen people are involved, and the fraud was eventually discovered by the customer!

John Simpson of the BBC once gave an example that proves my third point. During the Iraq-Iran war, the US was supporting Iraq. In the fog of war, an Iraqi jet fired an Exocet missile at a US warship by mistake. The US administration promptly released a press statement warning Iran that any attack on US assets would be treated as an act of war!

A majority of Americans logically believed that it was an Iranian aircraft that had attacked the US ship. That is the power of perception.

The Pune episode is undoubtedly a serious incident. And my experience in the field has been enlightening enough to know that it is neither a one-off event nor specific to India.

Having said that, an industry and indeed a country's determination to walk the talk, is demonstrated by the steps it takes to discover the underlying root causes and remedy them rather than persecuting the manifestations of those root causes.

For the apex body of the IT industry to give a clean chit to MphasiS in such haste is not going to augur well for either. That will only fuel speculation from persons like Mitchell who insist that Nasscom -- the National Association of Software and Services Companies -- is focussed on the needs of the company rather than the industry. Especially given the relationship between the two in this specific case.

What is needed is probably the establishment of a neutral and objective body whose only interest is improving security. A verdict from a panel like this is more likely to be convincing, objective and reassuring to customers who are understandably apprehensive of a company's self-proclaimed security standards.

The author is CEO, Mahindra Special Services Group (MSSG), a company focussed on providing enterprise derisking solutions to organisations worldwide. He has worked in information security for 20 years.