Outsourcing: global security

The trend towards outsourcing and offshoring financial data processing is growing as cost savings prove irresistible. But the perceived security risks associated with allowing third parties to deal with sensitive data – particularly offshore – are of increasing concern and ‘will take centre stage alongside public concern over job losses’, according to analyst group Gartner.

Whatever the bottom-line benefit, saving on salaries doesn’t look so great if the payback is mushrooming incidents of data fraud, identity theft and privacy breaches. ‘As offshore outsourcing evolves from low value/low exposure projects to increasingly complex global projects involving core competencies, the cost and exposure of inadequate attention to security will increase significantly,’ warns Partha Iyengar, research vice-president of Gartner India.

The economic case for outsourcing functions such as payroll, however, is convincing. Research by Cranfield School of Management, sponsored by employer services supplier ADP UK, reveals that outsourcing payroll not only reduces the obvious, easily measured costs, but also slashes indirect costs. For instance, the figures show that 21% of departmental costs relate directly to the management time spent on software maintenance and quibbles over late payment, all of which can be cut by outsourcing.

Gartner statistics show the tide is in favour of outsourcing. More than $270bn (£156bn) was spent on IT and business process outsourcing globally in 2002, and the analyst predicts the market will grow by over 7.5% a year to be worth $395bn in 2007.

Offshore outsourcing to India is especially buoyant. Only last month Norwich Union, Britain’s biggest insurance company, joined a host of other firms including HSBC, Barclays, Marks & Spencer and Tesco, by deciding to ship jobs to Asia. But some, including the Royal Bank of Scotland and Alliance & Leicester, have pledged to keep jobs in Britain, partly in response to the backlash that turned offshoring into a political hot potato.

Politics aside, one of the factors in deciding to keep operations at home is distrust over the lack of regulatory protection in areas such as security and privacy. India, for example, has no equivalent of the Data Protection Act, although legislation is in the pipeline.

‘Service providers are unable to provide standard security solutions because regulations, legislation, and consequently risk vary vastly between industries and geographies,’ says Iyengar.

But UK companies have an obligation under the European Union directive on data protection and the Data Protection Act 1998 to ensure that personal information transferred outside the EU is safeguarded. As data controllers, they are liable for any processing of personal data carried out by their supplier.

The Information Commissioner’s Office recommends that companies should conduct a risk analysis prior to any overseas transfer of personal information, and check that the overseas company the information is sent to has security arrangements in place. ‘If there is any doubt about the adequacy of protection, the transfer should not take place,’ it warns.

Currently, the data protection watchdog is investigating a union-backed complaint by a Lloyds TSB customer, who has accused the bank of violating data protection law by failing to gain explicit consent before sending personal financial information, including records of standing orders and credit transactions, to India for processing.

Graham Titterington, principal analyst at Ovum, believes the complaint will not be upheld. ‘If the information commissioner comes down on the union’s side, an awful lot of operations will have to be rolled back.’

Iain Bourne, senior compliance manager at the Information Commissioner’s Office, says: ‘You do not need explicit consent to legitimise an overseas transfer of personal information. There are other means of doing it.’

Elizabeth Weir, a senior associate at international law firm Shaw Pittman, advocates including EU-approved standard clauses covering data protection compliance in contracts with offshore suppliers located in countries not recognised by the European Commission as affording the requisite level of protection. ‘India, although it has not yet been recognised, is making progress with framing a data protection and privacy regime that will be scrutinised by the EC in due course,’ she says.

India’s leading IT body, the National Association of Software and Services Companies (Nasscom), acknowledges: ‘A secure and reliable environment – defined by strong copyright, IT and cyber laws – is an imperative for the growth and future success of the ITS/BPO industries.’

It is conducting a security audit of its 860 members and has proposed strengthening India’s IT Act 2000, which covers data security and cyber crime. Until this happens, ‘a breach of data protection is not an offence’, says Rajiv Shah, vice-president in AT Kearney’s financial institutions practice.

But Shah adds: ‘Most Indian service providers will subject themselves to be bound by global acts and will be subject to litigation in the courts of the user’s country.’

Weir cautions against solely relying on legal action through domestic courts. ‘If you’re outsourcing to any jurisdiction different from your own, it is vital to get local advice to make sure there are no laws that may override the contract provisions.’

She also suggests that mediation or informal dispute resolution can offer a quicker remedy than the courts. ‘In India, for example, arbitration may be easier than enforcing an English court judgement,’ she says.

In mitigating risk, Weir advises that communication is crucial. ‘An auditor should look at customer references and talk to the people on the ground. If the supplier is offshore, they should go there and check security, including the physical security of the building and the vetting, recruiting and training of staff. Installing your own personnel in the supplier’s office, typically an operations person who understands effective governance procedure, is advisable,’ she adds.

Another pointer Shah suggests to curtail the security risk surrounding outsourcing critical financial processes is ‘securing bonded spaces for your sole use’.

Leading Indian business process outsourcing companies, such as Wipro and WNS Global Services, already work within UK data protection laws and comply with BS7799, the international standard on information security. TK Kurien, president of Wipro Technologies, says ensuring the security and integrity of data is now essential for gaining competitive advantage.

‘Security has moved up the agenda. Sarbanes-Oxley is driving chief financial officers in the US and UK to see how things are working at the ground level. They must certify the correctness of accounts based on facts, so the underlying data that judgements are based on is becoming more and more critical. The outsourcing environment is becoming increasingly control-oriented.’

Kurien believes customers are most likely to encounter security problems if they ‘sign up with bugs-bunny outfits that spring up overnight, making a decision on pricing without undertaking due diligence.’

But he is dismissive of the notion that the Indian security environment poses a greater threat than the UK’s. ‘People have a perception they can control data security of an outsourcing contract if it is taking place in the office next door, but if the right infrastructure is not in place, they can’t.’

David Tibble, chairman of WNS Global Services, agrees: ‘We follow a rigorous methodology. In India we have a seven-strong compliance team. The problem is that you may have 100 security breaches in the UK and there will be nothing in the press, but one in India makes the headlines.’

Security safeguards at both companies are strict for both staff and systems. At Wipro, for example, workers’ backgrounds are checked, and they can’t browse the internet at their PC ‘to prevent trojan horses infecting systems and monitoring data’, says Kurien.

Copying data is banned and no pencils or mobile phones are allowed in the processing shop. If anyone leaves their machine, it locks after a minute. Systems are protected by multiple-level firewalls, anti-virus and encryption software and there is a reporting mechanism in place for any violations. ‘We have a whole chapter on compliance in our service-level agreements,’ says Kurien.

Similar procedures are followed by WNS Global Services, but Tibble advises that they must be thought through properly. ‘Everything must be in place before day one to create a secure environment,’ he says.

Mark Kobayashi-Hillary, author of Outsourcing to India: The Offshore Advantage, is keen to play down any data protection concerns that may be felt in the UK.

‘I don’t think FDs need fear India as a destination for accounting outsourcing. You can lose valuable information to third parties in the UK just as easily as you can in India. India is actually leading the world in quality practices. I have witnessed far stronger security than in any UK accounting practice.’

Whether you choose the UK or overseas to outsource, ‘you de-risk outsourcing on the legal and technical side by making sure you are part of the process,’ says Andrew Dunlop, a partner specialising in outsourcing at law firm Burges Salmon and a board member of the National Outsourcing Association. ‘Nobody should hand over the keys if they don’t know where they’re kept or who uses them.’