IT/BPO industry innovations to cut risk

According to a latest survey jointly undertaken by the Data Security Council of India (DSCI) and PwC. Indian service providers in the IT/BPO industry are exploring new and innovative methods to mitigate risks associated with insider threats such as social networking and credit card history check.

The survey used a three-pronged approach i.e. industry survey and inputs, analysis of the insider theft cases and secondary research to understand the security environment of the Indian IT/BPO industry from an insider threat perspective and the perceptions of the organisations.

The survey seeks to provide a better understanding of the challenges and risks associated with insider threats and an enhanced ability to manage them for both the industry service providers and organisations in the Indian IT/BPO space. The magnitude of the impact of an attack from an insider is at least ten times more than that of the total impact that an external attacker can cause, though the likelihood of the attack from insiders may be very low as compared to external threats.

Commenting on the survey, Dr. Kamlesh Bajaj - CEO, DSCI said: 
“It is generally thought that while the external threats can be handled by deploying appropriate technology solutions, controls, and by developing the required processes, the internal threats are difficult to track. But this is only partially true since there are behavioural indicators that companies can look for in the people who work there.”  

Siddharth Vishwanath, Executive Director, Risk and Regulatory practice, PwC India added:
“It is encouraging to note that more than 88% of the service providers have defined the insider incident response plan to manage insider incidents in their organisations. Audit and review is still the primary source of identification and learning about insider incidents with both the service provider and organisations”.

Here are some of the other key findings of the DSCI–PwC survey:

• Behavioural motivation to break existing norms is the primary motive leading to insider threat as per 89% of the service provider organisations while 75% of client organisations believe personal financial gain to be the prime motive at service provider organisations.
• All client organisations have mandated their service providers to conduct employee background; but employee verification processes are not standardised as providers are subject to client-driven data.
• All service provider organisations believe current employees are primary source of insider incidents.
• More than 50% of the service provider organisations revealed that insiders who are not working in IT department and therefore not having privileged access have carried out insider incidents at their organisations.

• All client organisations and only 33% of service provider organisations believe that lack of education and awareness is a major barrier in addressing insider threats.
• More than half of the respondents believed that social engineering and ‘someone else’s computer account’ is used by insiders to commit a breach in service provider organisations.
• 89% of service provider organisations resolved the cases of insider incidents internally, without involving a legal agency. Only 22% service providers initiated legal action against perpetrators.
• Almost 67% service provider organisations and 75% of client organisations believed that unintentional exposure of private and sensitive information is still one of the major challenges faced by both service provider and client organisations.

Ends

Notes to the editor

About DSCI 
DSCI is a focal body on data protection in India, setup as an independent Self-Regulatory Organisation (SRO) by NASSCOM®, to promote data protection; develop security and privacy best practices and standards; and encourage the Indian industries to implement the same. DSCI is engaged with the Indian IT/BPO industry, their clients worldwide, banking and telecom sectors, industry associations, data protection authorities and other government agencies in different countries. DSCI is focused on capacity building of Law Enforcement Agencies for combating cyber crimes in India and towards this it operates several cyber labs across India.

About PwC

PwC firms provide industry-focused assurance, tax and advisory services to enhance value for their clients. More than 161,000 people in 154 countries in firms across the PwC network share their thinking, experience and solutions to develop fresh perspectives and practical advice. See pwc.com for more information.

In India, PwC (www.pwc.com/India) offers a comprehensive portfolio of Advisory and Tax & Regulatory services; each, in turn, presents a basket of finely defined deliverables. Network firms of PwC in India also provide services in Assurance as per the relevant rules and regulations in India.

Complementing our depth of industry expertise and breadth of skills is our sound knowledge of the local business environment in India.  We are committed to working with our clients in India and beyond to deliver the solutions that help them take on the challenges of the ever-changing business environment.

PwC has offices in Ahmadabad, Bangalore, Bhubaneswar, Chennai, Delhi NCR, Hyderabad, Kolkata, Mumbai and Pune.

PwC has changed its brand name from PricewaterhouseCoopers to PwC.  'PwC' is written in text with a capital 'P' and capital 'C'.  Only when you use the PwC logo is the name represented in lower case.

"PwC" is the brand under which member firms of PricewaterhouseCoopers International Limited (PwCIL) operate and provide services. Together, these firms form the PwC network. Each firm in the network is a separate legal entity and does not act as agent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of any of its member firms nor can it control the exercise of their professional judgment or bind them in any way.

2011 PwC. All rights reserved.