SmartSourcing, a Cubic Bay, Philippines-based provider of back-office Finance and Accounting (F&A) services, was in the advanced stages of closing a deal with a Canada-based water supplies company when it faced an issue that it had never encountered before. The work was to be executed in the provider’s Shanghai- and Santiago-based offices, and the Canadian company was bothered about quite a few issues. These included concerns over the likelihood of sensitive information being misused and the customer’s proprietary software platform for F&A and billing tasks being made accessible to other companies around the world. After much deliberation and a detailed audit of the provider’s processes and IT systems, the Canadian company was still hesitant to offshore the business. Normally it takes six to eight months to decide, but here one year has passed and the decision to offshore the processes has still not been taken.
Now, that’s an issue which customers and service providers of BPO services routinely face while offshoring work. The BPO industry, having matured in terms of the tasks it does, has also spread geographically, with companies having multilocation operations spanning Latin America, Asia and East Europe.
A Bangalore-headquartered provider with more than 4,000 people and delivery centers in Guatemala and China says that this is an issue that is increasingly cropping up in discussions with customers. “By and large clients look from an engagement perspective and not from a country point of view. Country is a lesser worry if they know the information-security environment of the supplier. But as we scale up a relationship and the client offshores sensitive information, there is a closer scrutiny of how and where the work will be done,” says the Bangalore-based service provider.
Customers and providers enter into a relationship that is put down in terms of service-level agreements. Both parties also state their positions, which could elaborate that any customer information used by the provider will not be misused to do independent surveys or develop products/solutions for any other customer.
“The supplier can develop Intellectual Property (IP), but we own it,” says a customer of back-office services from the health-care industry.
Take the case of Lionbridge, with a workforce of 4,300, operations spanning 25 countries and a network of 25,000 independent partners. It is a provider of development, test and localization services for enterprise content and technology applications. Managing IP Rights (IPR) across such a vast global operation can be a nightmare. But it has built processes that ensure that nothing goes amiss.
“Protection of our clients’ IP and their confidentiality is paramount to maintaining the high degree of trust we have built with them. We talk about security in the framework of the three Ps: People, Process, Premises. The people are trained, asked to sign NDAs, non-competes and firewalled off as necessary for competitive vendors,” explains Satish Maripuri, COO, Lionbridge.
Process includes basics like automatic password time-outs and network-firewall security. Premises include cardkey access, video surveillance, locker room check-in, locked file cabinets, etc. In addition to these foundational elements, for specific clients like government agencies and others, Lionbridge establishes private networks, cipher-locked rooms for account teams and key code-secure equipment.
What Can Customers Do?
Customers also try to ensure that their information security is watertight to avoid any misuse of information. For instance, ensuring that the data being sent by a financial-services customer is not being misused by the provider depends on the information-security environment that he has. If the provider creates a new solution or a product using that data, it becomes IP. Who owns that IP must be clarified at the time of signing the contract, lest the provider later use it for other clients, resulting in misuse.
“To check such incidents, surprise audits have become common. The buyer might be 10,000 miles away but can come on a day’s notice to do an independent audit of the supplier’s security environment. Or he might say that he is coming next Friday and land up on Wednesday, catching the supplier unawares,” says a Delhi-based BPO services provider focused on financial-services tasks.
While surprise audits are becoming more frequent — at least once a quarter — before offshoring tasks, customers also look for certifications that a provider has obtained. Certifications work as a kind of public endorsement of provider processes and security environment by an independent body. While threats can emerge from technology, people and process shortcomings, certifications ensure that the basics are in place.
Broadly, security has two parts: security of systems and security with respect to people. On the technology front, it has to be ensured that data is secure in the system, and access to the system is restricted. IT can provide high degrees of information security cover for operations through policies, prevention and detection. This should be followed up with rigorous audits and certifications such as BS7799 or ISO 27001, and SAS 70 for IT processes and safeguards. Document classification, clean-desk policies, clean printer and printing-regulation policies, data encryption for storage and transmission, access control restrictions, sophisticated event-correlation identification, regular penetration testing (to prevent internal and external hacking) and ensuring compliance with data-security laws of the land (whether it is the U.S. Data Protection Act, Financial Services Act, U.K., HIPAA, Basel II, the Indian IT Act) are some measures to secure data.
“Standards play an important role in the evolution of the offshore services industry, but each element must be evaluated in terms of its value in a given geography. For instance, we expect to receive ISO 27001 certification for our India offerings next month and for our development and test centers in China by year-end. However, for our U.S. sites, while we have adopted many aspects of the standard, we will not invest in formal certification for those locations,” says Maripuri of Lionbridge.
Lionbridge had an incident of a breach but acted on it swiftly to ensure that things didn’t get out of hand. “We have had only one reported incident of an IPR breach, where a photo of a pre-release product was posted on a Website by an enthusiastic freelance translator contracted by us. Corrective action was taken within hours. Rather than damaging our relationship with the affected client, our response reinforced our commitment to confidentiality, and the client has continued to expand their work with us since the incident,” shares Maripuri.
Indeed, ensuring that processes are executed in a secure environment and that compliance with regulations is in place can help customers and providers build long-term, fruitful global sourcing relationships.