What are the Security Implications of Outsourcing

Let's face it, many corporations are now outsourcing work to India and in doing so are making available personal and financial information that can be stolen.

BBC News (Zubair Ahmed) reported that employees from a outsourcing firm (Mphasis) were recently implicated in a $400,000 fraud in which four Americans were the victims. Mr. Ahmed brought up other concerns in the article, such as the lack of screening of personnel working at some of these firms (10-25 percent submit fake information) to obtain employment. This "fake information" includes, phony credentials and diplomas; which can be bought in India.

He also cited a source that 80 percent of the companies don't use integrated security management tools in India, which allowed the most recent fraud to occur. For the entire story, please read: BBC NEWS Business Outsourcing exposes firms to fraud.

According to the article, there are fears that if too many of these episodes come to light, it could hurt the industry as a whole.

BUT what if all the fraud isn't being reported? After all, in most (individual) cases of identity theft, the point of compromise is never found. With the borderless aspects of internet crime, information is transmitted with a click of the mouse.

There are also cultural considerations to consider. Having lived in Pakistan and traveled in India, I learned very quickly that one needs to pay money (baksheesh) to get a lot of things done.

"Baksheesh" (roughly translated as bribe money) is a cultural aspect of South Asian society. Although written in a humorous vein, here is an article written by Melvin Durai (who is himself of Indian descent): Humor: Corruption in India.

Mr. Durai writes in his satirical essay:

"Yes, corruption is a serious problem, but despite what some believe, India is not the most corrupt country in the world. That distinction belongs to Bangladesh, which finished dead last among 91 countries surveyed for the 2002 Corruption Perceptions Index of Transparency International. India ranked 71st, while Pakistan was 79th, allowing Indian politicians to brag that they're more honest than their neighbors. "If you want to see real corruption, just cross the border. Even husbands have to bribe wives just to have children."

For a more serious look at (not only India), but corruption everywhere, here is the Global Corruption Report 2005 by Transparency International.

A little "baksheesh" in South Asia can go a long way and can open a lot of doors. I've heard this can even be true with law enforcement, who like many underpaid South Asians view it as a means of survival.

In another vein, since there is a perceived lack of security procedures at these firms, could they become greater targets for criminal activity? There is growing evidence that a lot of this sort of crime is being done by organized "international gangs." It would seem logical that if it is easier and safer to steal the information in India, we are going to see them take their activity there.

BUT should we blame corruption (AND the potential for information theft) in India on the Indians, or the corporations themselves? My guess would be the corporations, who in their quest for profit are exposing our personal information without ensuring it is properly protected. After all, India is a poor country, where we have been told (for years) that some don't even get enough to eat. The corporations, who enjoy the vastly reduced payroll costs, are making record profits by outsourcing work to India.

From a different perspective, these jobs have helped created a new and more prosperous middle-class within India. I cannot and will not argue against bringing up the standard of a people that historically have gone without some of the things we enjoy and in fact (my opinion) sometimes take for granted. There is no shortage of corrupt people in the West, either.

Internal plants, fake documents and fraud aren't only a problem in India. There is plenty of this activity to go around and with technology, it seems to be getting worse throughout the world.

The goal needs to be to protecting people from becoming victims, EVERYWHERE! If we are going to be business partners with these firms, it is imperative, we assist them in bringing their security infastructures up to par with ours. Otherwise, we expose them as easy targets.

With the Sarbanes-Oxley act in full swing (United States), outsourcing to far-away places might become more attractive. Compliance costs money and to some, it might be counterproductive to their primary focus, which is profit. After all, Sarbanes-Oxley and similar legislation ensures the very due diligence, I refer to. Perhaps, the answer is to enact further legislation forcing corporations to adhere to the same standards that have to be in place here, as well as, India.

In a perfect world, corporations would do this on their own, but sometimes laws are necessary for the good of all.

In fact, it seems to me that the international corporation of the future will need to consider security as more of a "customer service" and "profit protection" entity rather than a necessary evil. In the long run, should they fail to do so, they will lose the trust of their customer (who in the end) is the one who dictates their future.

Last, but not least, I would like to acknowledge my friend, Paul Young (author of prying1), who sent me a note with an article on this that inspired me to write this post.