Offshore disaster

Here’s the tip of a nasty iceberg for all those multinationals that have happily offshored various functions in recent years. You sort of expect a bank to get its security right, don’t you? Maybe not…HSBC is now in pursuit of a former Indian employee who has compromised the bank’s security and defrauded 20 customers to the tune of $425k.

Is this a case of a bank failing to adapt its security policies and procedures to the local environment, or is it just a case of lax bank approaches to information security? It seems to me that banks spend an inordinate amount of money on technological security – all of which, one way or another, makes life more difficult and complicated for their long-suffering customers – but are unable to take appropriate actions at the human level. Yet, more than half of all information security incidents are generated by people inside an organisation’s secure perimeter.

I’m sure that the national skills registry the article talks of is a step in the right direction, but HSBC hadn’t even bothered to join it. The fact that this particular criminal wasn’t in the registry database is a separate issue; HSBC clearly doesn’t have a robust employee vetting process in place – something that ISO 27001 insists on as a basic information security management requirement.

While NatWest Bank in the UK seems to be doing nicely by boasting that its call centres are not offshored (although there is a big gap between the quality of their service and their rhetoric), Powergen is not alone in reversing its offshoring policy. But if offshoring made sense in the first place, why not follow through on that initial investment and develop an appropriate information security environment? Wouldn’t it be cheaper for these organisations to focus on the human aspects of information security – on proper employee vetting and on training and supervision, for example – than on investing in offshoring and then, equally expensively, reversing that decision?