Outsourcing
Bi-Monthly
Issue: May-Jun 2006
 
 
 
   
 
 

NASSCOM-Police joint initiative on data security

How to Catch a Cyber Thief?
By Dev Varam

With the ITES-BPO sector growing by leaps and bounds, data security and customer confidentiality have assumed immense significance. The discovery of fraudulent thefts committed by call center employees, and their implications for the fast-growing BPO industry, has forced the National Association of Software and Services Companies (NASSCOM) and the concerned state government authorities to initiate steps to stem cyber crime.

In the cyber city of Bangalore, the Capital of Karnataka, NASSCOM and Karnataka police have joined hands to launch a joint initiative for effective policing, particularly in the areas of Internet banking frauds and hacking.

While the police will investigate incidents relating to cyber crimes, NASSCOM will provide the necessary technical and intellectual inputs, apart from training and updating police personnel on a regular basis. Representatives of NASSCOM and police officials have started discussions on the modalities of operation.
"Our knowledge on changing trends in cyber crimes is limited. Though we have been successful in a majority of the cases, we lack an in-depth specialty in this domain. Updating our skills and intellect will assist us in the investigation process. In all, we want a better understanding of issues relating to cyber crimes. Therefore, this joint initiative has been launched," Karnataka Inspector General of Police (economic offences) Sushant Mahapatra said.

NASSCOM's mandate is to train police personnel on IT laws, detection of cyber crimes and the effective enforcement of laws relating to cyber security. A hi-tech cyber crime laboratory will also be set up in Bangalore as part of the initiative. The laboratory will be housed in the corps of detectives (CoD) office. The laboratory is expected to be commissioned within three months. A computer network equipped with forensic software and cyber crime detection tools will be part of the laboratory being set up in association with IT firms.

NASSCOM Director (cyber security and compliance) Nandkumar Saravade explained that personnel would be exposed to the basics of cyber crime at the laboratory. "The evidences in cyber crimes are of a different nature. Much of the collection of evidence depends on their Internet skills. The training programme will focus on all these aspects. We intend to create a huge database of evidence relating to cyber crimes in the process," said Saravade, an officer from the Indian Police Service (IPS), who is on deputation to NASSCOM.



The Bangalore laboratory will be the third such facility coming up in the country. Mumbai already has a cyber crime laboratory, which has been functioning for the last two years. The Pune laboratory is expected to be operational shortly. Next in line is Hyderabad, where a similar laboratory will be launched by NASSCOM.

The police have their own problems. There is always a shortage of staff. Low salaries do not attract the best of brains. The police have to make do with what they have. "By updating the skills of our personnel, especially the inspector cadre, who have a flair for using computers and technology, we want to ensure that investigations do not suffer," Mahapatra said.

For the cops, who are only conversant with the ancient IPC (Indian Penal Code), it is difficult to understand the nature of laws governing IT&C (Information Technology and Communication). The police can be forgiven for their lack of exposure to cyber crime because most of the frauds are not reported, unless they are of the magnitude of the HSBC case. In 2003-2004 (April/March), the number of cyber crimes reported across the country was nearly 60 and the following year it was 68. That is hardly a striking increase, considering that the ITES-BPO sector had been growing at an impressive pace.

"Reporting is not adequate and another crippling provision of the IT Act is that only an officer of the rank of a Deputy Superintendent of Police (DSP) can book cyber crime," said Saravade. When a cyber crime is reported, an officer below the rank of a DSP simply prefers to book it under the normal IPC, without understanding its nature. The laboratories NASSCOM has planned are expected to bridge this ignorance gap by teaching investigating officers the basics.

"The six-day programme includes the basics of the internet and how it works. So far we have trained about 2,000 officers from the Maharashtra Police," said Saravade.
Since news broke of the HSBC fraud involving a call center worker, who had allegedly siphoned off £233,000 from the accounts of about 20 HSBC British customers, NASSCOM has been striving to undo the damage the incident had wrought on the image of the Indian BPO industry.
The worker, employed at the HSBC Electronic Data Processing center in Bangalore, allegedly leaked personal and debit card information of more than 20 UK customers to unauthorized persons in London. Using this information, the thieves stole 233,000 pounds from the customers' bank accounts via ATMs, debit cards, and telephone banking. Quickly reacting to the incident, an HSBC official said, "The affected customers have been contacted. Genuine victims of fraud will not suffer a financial loss."



NASSCOM Vice President Sunil Mehta, who visited the UK shortly after the HSBC incident, sought to correct the perception that the underpaid Indian workers were more prone to commit frauds.
"If morality was a function of income then the most rich would be the most honest," Mehta observed. Ironically, the arrest of the Indian HSBC call center worker coincided with the story of a man being jailed for 10 years for defrauding the Royal Bank of Scotland of £21 million in Edinburgh. The amount involved in the Indian fraud pales into insignificance compared to the magnitude of frauds occurring in Britain.

HSBC had insisted that its Indian centres suffered less fraud than those reported in the UK. Police officials in Bangalore gave credit to HSBC for detecting the fraud in its initial stages. The bank had taken enough security measures without which the fraud "would not have been limited to this extent," said a senior police official.
The Financial Services Authority (FSA) said British banks are more reluctant to report or prosecute their in-house fraudsters, as doing so could tarnish their reputations.

According to the Attorney General's review of frauds published recently, the under-reporting of these crimes is chronic in the UK. A report by Ernst & Young says a majority of all financial frauds occurs in developed markets. The reported incidents of fraud in UK banks involved a whopping amount of £1 billion in 2005.
Despite the insignificant incidence of frauds involving their companies, Indian services firms, on the other hand, have had to try harder to prevent fraud. They went as far as a biometric database of employees working in the Indian offshore services industry. They have to protect themselves from media glare as a negative image will harm the whole industry.

India's Minister for Communications and Information Technology Dayanidhi Maran said that an Act had been amended with a view to providing a legal framework relating to theft of data, transmission of images and video voyeurism.



Addressing a seminar on 'Cyber Crime: Today and Tomorrow' organised by NASSCOM, Maran said that about 1,400 websites of Indian companies and government agencies had come under attack in the past six months and 55 percent of these threats were from outside the country. According to official data, the major IT crimes in the country are related to denial of service, defacement of websites, spam, computer viruses and worms, pornography, cyber squatting and cyber stalking.
Although banking fraud is a universal phenomenon, research firm Forrester said the impact would be big for the Indian domestic IT industry. In a recent report on offshore security breaches and captive risks, Forrester said, "This is a major blow. The massive media glare, coupled with limited Indian government action to prevent further reoccurrence will further slow down offshore BPO growth."

However, Kiran Karnik, president, NASSCOM, said the Indian police had acted promptly in arresting the HSBC employee and are investigating further to identify his accomplices in London. "Even the last time a major fraud incidence was reported, the police acted quickly in bringing the criminals to book," said Karnik. He was referring to the fraud that involved three former employees of the call centre firm MphasiS BFL's Pune centre for stealing $350,000 (over Rs 1.5 crore) from four Citibank customers in the US.

Karnik said India was the safest country to outsource to and would become safer once the Skills Registry, a NASSCOM initiative in which a track record of employees' previous employment details would be maintained, was in place.

Referring to data of the previous years where the industry grew at 48 per cent in 2004-05 and 35 per cent in FY 2005-06, the Forrester report said, "In addition to security concerns, challenges such as high attrition rates and staffing costs, rising competition, and margin pressures are contributing to the slow growth. In the next 12 months, the growth will decrease further to 28-30 per cent."

Affirming the growth rate for 2006-07 at 27-30 per cent, NASSCOM, in its half-yearly fact sheet published at the beginning of June, stated, "The ITES-BPO industry will register exports of $8-8.5 billion in 2006-07. The industry is growing in volumes as it gains base."

Raghuraman, CEO, Mahindra Special Services Group said, "Growth cannot slow down because of security, because when work needs to be outsourced there are no two ways. Besides, India is comparatively safer to the advanced economies as less frauds take place here."

Meanwhile, Indian enterprises are either establishing or reinforcing their network security architecture, and IT budgets focused on developing effective IT security management processes are becoming substantial.

Cyber security is also an issue addressed at higher levels by governments. India and the United States recently agreed on greater cooperation to protect electronic transactions and critical infrastructure from cyber crime. In a joint statement, the two sides recognized the importance of capacity building in cyber security and greater cooperation to secure their growing electronic interdependencies, including to protect electronic transactions and critical infrastructure from cyber crime, terrorism and other malicious threats. The Indo-US cyber security forum has identified risks and common concerns in cyber security and crafted an action-oriented work plan on securing networked information systems.

Cyber Security Industry Poised For A Take-Off

The Cyber Security industry is poised for a great take off. Its growth is expected to be as spectacular as that of the IT industry in the 90s. Design, development and deployment of systems that enhance security are gaining currency. Today, global organizations consider enterprise network security as a strategic priority.

India has emerged as the second fastest growing IT security market in the Asia Pacific region. Indian enterprises are in the process of either setting up or upgrading their network security architecture. IT budgets focused on developing effective IT security management processes are becoming increasingly substantial.

Rising global IT spends
To begin with, IT spend is definitely on the rise again, from a global perspective. In the US, IT spend was around US $1 trillion (International Data Corporation 2004 estimates). Global IT spend was US $2.1 trillion (roughly 6.6 percent of world's GDP). IDC found that the major spenders were the US at US $762 billion, Japan at US $362 billion and Germany at US $139 billion. Others in top 10 are Britain, France, Italy, Canada, China, Brazil and Australia (all IDC 2004 estimates).

In line with IT spend, IT security spend is the fastest growing segment at 25 percent CAGR. As per estimates from IDC, it is likely to grow from US $17 million in 2001 to US $45 million in 2006. An Information Week-PwC survey found that 10 percent of corporate expenses are incurred on security.

Threats and vulnerabilities are growing as well. According to Mayurakshi Ray, principal consultant, PriceWaterhouseCoopers (PWC), the largest number of targeted attacks have been on the following segments: financial services, manufacturing, transportation, media/entertainment, telecom, high-tech, nonprofit, power and energy, etc.

 
Ray was speaking at a road show on ICT & Network Security 2006 International Exhibition and Conference held concurrently with the 14th Convergence India 2006 event in New Delhi in March 2006. Organized by Delhi based Exhibitions India Pvt. Ltd., the ICT & Network Security 2006 focused on five areas deemed critical to better information security: consumer awareness, early warning systems, corporate governance, technical standards and security across software development.
According to Ray, the reported vulnerabilities have been increasing at a rate of over 40 percent year-on-year, which is an alarming trend. Next, large pools of computers are getting infected as well, especially where it matters. She further highlighted that the IT complexity has been increasing as well. Technology is becoming more sophisticated and technology environments are no longer homogeneous. The threats are real and businesses are losing money.


Indian infosecurity scenario not encouraging
The Indian scenario is not very encouraging. Indian corporate sites are more often hacked than others. As per a study by CERT India, among the Indian corporate Web sites, the .co.in domain is the most hacked, followed by the net.in and gov.in domains. Sites hosted in India are hacked more often than those located outside India.
Ray added that Indian PCs are more affected than the global average. New Delhi is the leading center with 41 percent of Indian bot-infected PCs, followed by Mumbai with 29 percent, Chennai with 10 percent, Bangalore with 6.0 percent and Hyderabad with 3.0 percent, as the top five centers, respectively.
According to a CII-PWC survey, larger numbers of Indian companies face breaches as well. It found that 58 percent of the companies faced one to two breaches, 24 percent faced three to five breaches, and 18 percent encountered more than six breaches.

Opportunities in managed security services

The Indian network security market is currently valued at US $29.9 million. About 62 percent of network security revenues come from the IT, ITeS and BFSI sectors. According to Frost & Sullivan, the overall network security market in India is likely to grow at a CAGR of 25 percent till 2010. All of this means a lot more opportunities in the Indian market.
According to Ray, the opportunities would arise from the offshoring front. Managed security services (outsourced to third parties) have been growing at over 50 percent a year for the last two years. A number of players are in the fray: established network companies (BT, Verizon, etc.), OEMs (Symantec, ISS, Computer Associates, etc.), and ISPs/ASPs (AT&T, PSINet, Sprint, etc.). While some of the firms, like CA, Symantec and Verizon, have established R&D and NOC operations in India, others would come to India as well; it is largely a matter of time and availability of skill sets.
According to estimates from Gartner, the global revenue from managed security services would be at US $5.8 billion in 2005. IDC estimates that this segment is likely to grow by 50 percent every year till 2006.

Challenges before India
All of the above would require a clearly laid legal and policy framework, creation of skill sets/capabilities in India, and an improved Indian posture for security. Regarding the legislative and policy framework, Ray said that data protection issues are considered as critical for the global companies and India does not have one as of now. The IT 2000 Act is still said to be evolving. The IT Act is said to be very draconian and could be prone to misuse.

Employee security clearances and background verifications are considered as a second critical component. Indian states do not have one that could support high security/ confidential/sensitive work to be offshored to India. Each country has a policy on electronic evidence gathering for forensic purposes as well. India does not have one, which is acceptable to judiciary and the outside world. We also need to develop the ability to solve cases and tackle litigations faster.

Regarding creation of skill sets/capabilities, IT security skill sets are currently in high demand with low supply. Nearly no universities/technical colleges offer any specialized degree on security. Indian technical staff are perceived to be insensitive to IT security requirements as well. Finally, creation of awareness on security and Internet access at schools and colleges is negligible.

Ray also added that there is a current requirement of 68,000 professionals, while the various engineering colleges and technical institutes are able to churn out only 19,000 students, annually. This needs to be addressed as high priority.

As for the Indian corporate posture on security, she said that the Indian corporate IT security posture is low globally. Spend on security in India is the lowest among the networked countries (CII-PWC survey). Over 40 percent of the Indian computers do not even have anti-virus programs installed (CII-PWC Survey). The sites hosted in India are more often intruded as compared to those outside (CERT-IN). India has the lowest level of reporting on incidents as well (CERT-IN). Awareness on IT security among CEOs is low. There is also a lack of IS security function and its independent reporting among the corporates.

Way forward
So what is the way forward? Getting the views of the potential companies for their requirements is prime. Next, there is a need to involve the academia for developing the necessary skills, and also creating and increasing the awareness among students.

There is a need to involve the police and investigation agencies to create a framework for forensic evidence capturing policy. The CERT must be involved for creating a co-operative framework to demonstrate the active participation between the industry and the agency. Various industries must also be involved to create better corporate posture and security compliance. Finally, leading industry associations, such as CII, FICCI, NASSCOM, etc., should be involved to drive member participation in the initiatives.

Earlier, Aninda Sen, regional head, Exhibitions India, remarked that the ICT & Network Security 2006 would focus on deploying, developing and investigating security solutions. The organizer is committed to delivering positive RoI for the exhibitors. The IPCC and the WCA are the two supporting associations for this event.


IL&FS invests in BPO firm EBS Worldwide

Private equity fund management company IL&FS Investment Managers Ltd. (IIML) has invested Rs. 25 crore in BPO firm EBS Worldwide Services, a marketing services company.
EBS, a Rs. 50-crore company has around 200 employees, with offices in India and the US. With this investment, IIML aims to put a cap on its marketing expenditure, improve quality and free company resources from these activities. EBS offers niche, technology-based customer relationship management (CRM) and direct marketing back-office solutions.