There is technology aid available to minimize man-made disasters
and their aftershocks in the BPO space

Security is not always about certification. It is mostly about people, and, at times,
about the right technology, key stakeholders of the BPO industry feel.
Luminaries who gathered at an RSA-Dataquest seminar in Bangalore recently had
interesting thoughts, practical solutions and alarming examples to share, as
they dissected the challenges and explored issues related to information
security.

Sample this: A miscreant calls up the help desk of a BPO company and says he wants to reset his
password and gives the exact name of another person. The help desk wants to know
his employee number and the guy says hold on.... He calls up the receptionist,
takes all the information and then calls back the help desk again. The password
can now be reset and the miscreant logs onto someone else's system.

So while we speak a lot
about the government's role, the legal side of things and also about
technology, one area which sometimes gets overlooked is social engineering. If
people are not aware of procedures and policies, one can easily carry out any
social engineering attacks on the entire system. Is the gist of the story then
'trust nobody'? It's coming to that with internal threats rising, but help is
also around.

Luminaries at RSA-Dataquest Seminar: L-R – Bernhard Van Der Feen of
Eracom; Salil Agrawal of ECS; Ross Wilson of RSA Security, India; Prasanto
K Roy of Dataquest; Devender Kumar of EXL Service; and Davender Parulekar
of Ernst & Young

According to Joy Nandi,
regional director with Eracom Technologies, the first question any organization
should ask is what constitutes confidential and sensitive information, which
people might want, whether internally or externally. “It is important to
figure out what information is. Security, no matter what technology you use, is
never going to be 100 percent. What you can do is reduce your risk,” he said.

Recent reports have
stated that 81 percent of breaches are expected to happen from within the
organization. And the average damage caused by such internal threats is likely
to be 5 times that of those caused by external threats. “Currently, most
outsourcing organizations in India have, predominantly, a process-based approach
to ensuring data confidentiality within their organization. The majority of
organizations rely only on network perimeter security solutions, like firewalls
and IDS solutions, which are meant to keep external threats from entering the
organization. But these solutions do not address the internal threats within the
organization. Many of the privacy laws explicitly state that only in cases when
data is kept encrypted, organizations may be exempt from liabilities even in the
case of a breach. Outsourcing organizations need to focus on increasing the
internal security of confidential data by looking for solutions in two
additional areas of protection: access control solutions and data encryption
solutions,” Joy added. That way, one would be able to reduce the value of
risk.

Other participants in
the seminar, who included South Asia director of Sales for RSA Security, Ross
Wilson; group information security officer with MphasiS, Mitish Chitnavis; and
president, India operations of e4e, Vaibhav Tewari, felt the main challenge was to
translate basic policies into real activities while ensuring compliance on a
day-to-day basis.

So, is there a link
between security and how successful the business is? There definitely is, going
by the objects companies like MphasiS seek to protect: people, data, IP, and the
facility itself. That is the holistic view one can take of security to make sure
it trickles down to the lowest level.

Goutam Das in Bangalore
goutamd@cybermedia.co.in