Computerworld

Industry act to contain offshore scandal

APRA releases outsourcing guide

Australian IT managers last week sought assurances from offshore providers that their data was safe in the wake of a controversial documentary showing identity thieves purchasing the credit card details of 200,000 customers in Bangalore.

The National Association of Software and Service Companies (Nasscom), which represents major outsourcing providers in India, went on the offensive after the explosive documentary was aired on Channel 4 in Britain. It is not the first identity theft scandal to hit India.

But providers and industry came together to ensure strict standards are in place and to hose down public fears around the use of offshoring, especially at a time when Australia's largest banks and airlines are increasing their use of Indian-based providers.

Qantas is announcing a deal this week to move IT development offshore and the airline's CIO, John Willit, told Computerworld that local companies have little choice but to seek out capability and depth of expertise that isn't available in Australia.

"If people want Qantas to be competitive and successful and continue to employ tens of thousands of Aussies, as we currently do, we need to be able to achieve the greatest possible flexibility in all areas of business, and IT is no exception," Willit said.

"People have to understand we need to replace the ageing legacy IT systems and skills; to do this in a cost-effective way that will provide efficiency benefits we need skills that simply are not available in Australia."

Local industry also sought to ensure confidential data was protected and the Australian Prudential Regulation Authority (APRA) this week released a practice guide on outsourcing for authorized deposit-taking institutions (ADIs) and general insurers.

Some prudential standards will take effect in January 2007, dealing specifically with outsourcing to an offshore party.

APRA chairman John Laker said the guide sets out minimum requirements for managing outsourcing risks.

"The use of third parties to perform business activities can be beneficial, but can entail additional risks," Laker said.

"Well-run institutions already address these outsourcing principles as part of their operational risk management systems."

Commenting on the documentary, Indian-based outsourcing company Satyam said the company uses a strict business model built on the ISO 27001 standard, which includes criminal background checks for staff and biometric controls.

Virender Aggarwal, senior vice president and head of Satyam Asia Pacific operations, said the company has various measures in place across the organization to prevent data theft.

"At Satyam we believe in creating a 'vigilant' workforce as against a 'participative' workforce, and these associates are our biggest asset in ensuring data security. Training is a very important factor since it has been seen that maximum data misappropriation happens inadvertently," Aggarwal said.

"All associates have mandatory induction training on information security before they are deployed to any engagement and this is reinforced through focused campaigns (such as road shows, posters, movies, screen savers and the like) and regular training on information security also is conducted."

Because of the way outsourcing deals are structured, John Bligh, director of outsourcing for Accenture, said it is near-impossible for overseas workers to get hold of personal information to sell "down the street".

"Our employees in India are employees of Accenture and they go through strict confidentiality training and all applications have security embedded into them so we can do reports at any time on who has accessed data and know who has accessed files, but not what was in the file," Bligh said.

"A lot of the time offshore workers don't get access to client data and when it does [happen], more often than not in a call centre, the customer information never leaves the country as the person working offshore signs in through a secured application.

"Our advice to clients is if there is sensitive information then use technology to disguise the information."

However, despite all the assurances, Australian IT managers said that even with strict procedures in place, data still appears to go missing.

Nintendo Australia IT manager Peter Stroud said despite the use of standards and governance controls, it is still a concern that breaches exist.

"I'd imagine from a compliance point of view that attempting data security breaches would be very hard if the business was subject to legislation similar to Sarbanes-Oxley," Stroud said.

"It's not worth alienating your customers, because the savings you would accrue from this kind of outsourcing may be worth the risk in the short term; but in the long term, savings must be compared to risks and wages in India are increasing which reduces the profitability anyway."

Mazda Australia IT manager Tim Ballingall said the most important part of these contracts is the service level agreements (SLAs).

"Business must go into these deals with eyes wide open, because in the long run breaches will cost a lot more and there is almost nothing anyone can do to restore a ruined company image," Ballingall said.

"I'd like to think that business would not compromise data security for cost cutting, so I'd expect the contract would need to include strict SLAs when using these providers."

Other offshore providers, Tata, Wipro, IBM and Infosys, did not comment on the documentary.

But despite the data theft controversy, Australian banks are moving ahead with their offshoring plans.

The National Australia Bank (NAB) currently has 20 people based in India and is looking to increase that figure to around 80.

Westpac is currently deciding whether it will move 300 positions from its personal loans division to India.

According to Westpac spokesperson David Lording, the organization is still reviewing a number of issues.

ANZ currently has 1400 data processors employed in Bangalore.

One bank that has resisted offshoring is the Commonwealth Bank. Earlier this month the bank issued a statement claiming that research indicates "there may be a labour shortage looming in Australia in the next five to 10 years and the bank will continue to prepare for this by keeping all opportunities under review, including developing people policies to ensure it is able to attract and retain staff in Australia".