Offshore security can be compromised by cultural differences

Gartner has warned companies that outsource to countries like India and China not to overlook the impact of cultural differences...

Gartner has warned companies that outsource to countries like India and China not to overlook the impact of cultural differences on security.

"India is seen as an answer when outsourcing applications but is actually a problem in the security space," said Gartner's India research vice-president Partha Iyengar.

Standards of privacy are often looser in India because, for instance, reading someone else's e-mail would not be considered much of an intrusion there, Iyengar said.

This more relaxed attitude toward privacy could have serious consequences when it comes to protecting corporate data, experts warned.

Companies that outsource operations overseas are advised to train local staff to adhere to the company's global privacy standards and to check into the risk of government interception of sensitive confidential information.

"Fifty percent of companies understand that there are security issues with offshoring, but the real issues are cultural, and in compliance and regulation," said Lawrence Lerner, senior technical architect of the Advanced Solutions Group at Cognizant Technology Solutions.

Lerner said his company advises its clients to document its processes when outsourcing and to get all parties involved to sign off on procedures to ensure transparency. He also suggests background checks on local staff.

As a result of the high demand from western companies looking to cut costs some outsourcing service providers in India and China are growing rapidly, hiring thousands of new employees in a month. "When you are hiring 5,000 people at a time, you need to make sure that they all adhere to the same standards," Lerner said.

RK Raghavan, consulting advisor on security at Tata Consultancy Services, one of India's largest IT services companies, said that his firm is feeling the effects of these client demands. "We are bending over backward on security, primarily to cater to our US customers," Raghavan said.

Tata has recently enhanced its background checks on potential employees amid volume hiring and increased customer demands. It used to require two references from each applicant as a security measure, but did not ensure the applicant had no criminal record.

Tata found that fingerprinting is considered offensive in the Indian culture, Raghavan said, so it decided to outsource security checks to the local police by requiring that applicants have an Indian passport - this can only be acquired by passing vigorous security checks conducted by law enforcement officials, Raghavan said.

In addition to shoring up its own security checks, Tata has worked to increase security awareness among staff through training, according to Raghavan. "Employees need to think about security all the time to be competitive," he said. 

"We understand that India is still seen as a mythical place to many people and we need to assure them that we can provide the same kind of security as they are used to," Raghavan said. 

But the differences between doing business at home and doing it abroad should not be minimised, said Nigel Balchin, chief architect at Dun & Bradstreet.

"We are all a little naive going in," Balchin said. One way of ensuring that security and regulatory compliance concerns are met is to put the onus on the outsourcing provider and write it into the contract, he said. "It pays dividends to have the provider responsible for these issues. For us it is a distraction from our core business."

Lerner advises clients to take a more hands-on approach, however. "You must physically go and check any outsource centre you have. Do it regularly, and consider these centres as part of your own company," Lerner said.

Scarlet Pruitt writes for IDG News Service

Read more on IT risk management