The Tech Scene: Report Finds Indian Firms Flawed in Data Security


Indian companies are lagging behind the rest of the world when it comes to implementing data security policies and tools, and the rate of breaches there is almost twice as high as in the United States, a PricewaterhouseCoopers report says.

The findings should be a warning to financial companies that have outsourced work to India or are considering doing so, according to the report, which was released last week and based on an online survey conducted by PricewaterhouseCoopers and CXO Media Inc. of Framingham, Mass.

“Folks have been so quick to rush things to India, but the controls just haven’t been implemented,” said Mark Lobel, a partner in the advisory practice for PricewaterhouseCoopers, and the author of the report. “There hasn’t been the time.”

The report, which did not name the companies that participated in the survey, said it may not “represent the security practices and levels of the popular Indian outsourcing companies.”

Still, Mr. Lobel said that even though some Indian outsourcing providers may have adequate security measures, the overall results from the country indicate that even this tech-savvy business faces significant problems in meeting global standards.

“We’ve seen folks screaming for a couple of years now, ‘Outsource, outsource, outsource,’ ” he said. “There’s always been an assumption that ‘Hey, the security will be OK,’ … and what came out of the survey was they are just behind.”

At least two data breaches have been reported in India this summer. In June, an employee of an HSBC Holdings PLC call center was arrested for allegedly leaking account details to criminals in the United Kingdom. Police officials in Bangalore said the breach led to nearly $426,000 of fraud.

Last month the Delhi call center V-Angels said it had filed police reports accusing several employees of stealing customer data. An attorney for the center said its clients included several major U.S. and U.K. companies, but the attorney would not identify their industries.

The report found that the percentages of Indian companies reporting incidents of fraud, extortion, and identity theft were higher than the rates in the United States or worldwide.

Nineteen percent of the Indian companies surveyed reported incidents in which customer or employee identities were stolen, compared with 10% worldwide and 9% in the United States, the report said. Sixteen percent of Indian companies said they had breaches that led to fraud, compared with 12% worldwide and 8% in the United States. Fifteen percent of Indian companies reported incidents of extortion, compared with 5% worldwide and 2% in the United States.

The survey, conducted online in April and May, generated responses from 7,800 technology executives from 50 countries. The fact that 470 of the survey’s respondents were from India “gives us a real sense of what’s happening across that geography,” Mr. Lobel said. “We have solidly statistically significant results.”

He said the survey did not distinguish between companies that serve an international clientele and those that work solely within India.

Madhavi Mantha, a senior analyst at Celent LLC in Boston, said that lack of distinction means the results may not accurately reflect the security practices at the Indian outsourcing providers.

“In India, you see a very different situation among companies that are in the outsourcing business,” which are the most secure, because they have to meet the stricter standards set by their clients, she said.

Though there have been breaches in India, they have been “quite a bit smaller than the breaches we have in the U.S.,” Ms. Mantha said.

This is not to say bankers need not worry about security, she said. “My sense is that the security practices in the [Indian banking] industry at large have some catching up to do.”

Kathleen Rizzo Young, a senior vice president and group director for public affairs at HSBC, said in an e-mail that in the five years in which it has operated call and processing centers in India, “our experience is that the error and fraud rates of our HSBC colleagues in these centres is comparable to those found in most other nations and better than many.”

In the incident at the HSBC center, according to police officials, an employee received $1,800 in exchange for stolen customer information.

Mr. Lobel said that even though such incidents are more common in India than they are elsewhere, the problem is controllable.

“It goes back to organizational maturity,” he said, and as the Indian operations mature, they become more serious about security.

Charan Bhalla, the vice president of risk management and compliance at the Bangalore outsourcer Wipro Ltd., said it has very strict security measures for its employees, particularly when dealing with sensitive information from financial services clients.

He would not discuss the PricewaterhouseCoopers report, except to say he has seen it.

Companies like Wipro “tend to pay more than what other industries pay in India, so the desire to work in this industry is very high,” said Mr. Bhalla, who is also the ombudsman of its business process outsourcing division.

The high pay means job applicants may be tempted to lie about their work histories, giving Wipro an early opportunity to weed out dishonest workers, he said. His company conducts four-week background checks before hiring someone.

For financial services and health care clients, Wipro enforces a “paperless office” policy, Mr. Bhalla said. “People are not allowed to take pens, papers, pencils inside” the work area, and papers left on the desk at the end of the day are shredded.

S. Hariharan, the senior vice president for infrastructure services at the Mumbai core processing software maker i-flex solutions ltd., wrote in an e-mail that companies in India face some common problems, such as a lack of awareness among employees about security directives, and poor security education in schools and colleges.

In the past companies had to develop their own security practices, but now many are using common standards and practices, which have improved security, he said.


