Talking outsourcing - comment and opinion on the latest in outsourcing and offshoring by Mark Kobayashi-Hillary

Wednesday, 23 April 2008

Outsourcing creates security pluses and minuses

A new survey out today commissioned by PriceWaterhouseCoopers and the Department for Business Enterprise and Regulatory Reform (BERR) indicates that 13 per cent of Britain’s large businesses have faced malicious network penetration by cybercriminals.

This is an interesting observation, not least because the survey took the views of over 1,000 companies, but also because the figure was a marked leap from the 2 per cent reported only two years ago, and could even underestimate the problem, given that many firms do not admit to successful attacks on their IT systems.

Malicious attacks are estimated to cost the UK economy several billion pounds a year. The same survey also revealed that despite falling victim to 94 serious data breaches in the past year, 90 per cent of businesses still let staff take sensitive information off site on USB sticks and in laptops – a disaster waiting to happen with various examples of pub laptop thefts proving the point.

Outsourcing can provide two sides to the coin. Sometimes it can be a benefit to get some standards written up, procedures in place, and relationships with a specialist IT company that understands the value of digital information. On the other hand, sometimes it means that company-to-company hand-offs of information need to take place where previously everything was internal, and that itself can cause issues.

Tuesday, 25 September 2007

What can the iPod teach us about outsourcing?

Protecting intellectual property (IP) has become a key part of the outsourcing debate, especially as service providers are now offering more valued knowledge services that potentially create value outside the established physical walls of the organisation. Digitised content ends up everywhere and even in our non-work role as consumers, the rules around digital content are unclear. I mean, is it still really illegal to rip a CD that you have bought and paid for to an iPod or have they changed that rule yet?

Though most outsourcing contracts draw up some form of IP protection on a case-by-case basis, it is also useful to be aware of what is going on in digital rights management (DRM) – which tends to focus more on the ownership of content such as music or literature. I believe that as we advance more and more into knowledge process outsourcing (KPO) in our part of the business, all the cross-border intellectual property arguments we hear about involving Apple and iTunes will become more relevant to what we are doing in sourcing services, because we are talking about services that create knowledge and content.

A guy I know from my local BCS branch in north London, Jude Umeh, has just written a book about the whole debate over DRM and IP protection and he is going to give a talk about the subject in central London on 23 October (details here). I plan to go and hear what he has to say and to see if there is anything we can learn in our part of the industry from what is going on in the music and entertainment sector. In any case, it will be a good opportunity for a bunch of IT people to see who has got the biggest iPod song list.


Monday, 11 June 2007

Protecting data

India has finally bowed to international pressure and has set up a new body to oversee data protection in the IT and business process outsourcing (BPO) industries. The new body, named the Data Security Council of India (DSCI), is a self-regulating member organisation. It has been instigated by the IT trade association Nasscom, and will be managed at arm's length by them – I would guess until it is of a sufficient size to manage as a completely independent association in its own right.

Nasscom has been instrumental in addressing the perceived threat to data processed in India. They recently set up the National Skills Registry (NSR), which aims to certify the background of individuals working in the industry – in much the same way that bankers in London need to have their CV checked out by the Financial Services Authority before taking on a senior role. Nasscom has applied the same principles to the entire outsourcing services industry in India, and they are getting a very good take-up from the companies and individuals there.

As I have mentioned before in this blog, I do believe that data security is partially dependent on the processes used, and partially dependent on the local legislation available to prosecute any errant companies or individuals. There is a lot to be said though for companies that go beyond these prescribed measures and apply their own standards. This is what most of the Indian suppliers have been doing – going far beyond what is required to give reassurance to the customer. What we all need to be asking of India though, is how long before DSCI can actually put some proposals together that end up on the statute book – so India can at least claim to have some thorough laws in place for the protection of data.

Wednesday, 06 June 2007

How to stay secure when going offshore

Commentators in Computing have been writing a lot about the security threats facing us all in the IT industry these days and offshore outsourcing opens companies up to cross-border risks far beyond the usual organisational threat. With global supply chains comes greatly increased risk to the company.

Recently, I’ve been fielding more calls than usual from commentators in the industry trying to gather information on the security threats involved in offshoring. Newspapers have been calling, company leaders have been calling, and even the UK government has called me on this topic. And yet, I’m wondering to myself, what has changed recently? It’s always worth recalling a few basic points about offshoring risk though and keeping those thoughts fresh.

The main security threat everyone is afraid of in the offshore environment is a breach of personal data – employees or customer data being ‘lost’ or sold on the information black market. This is typically the fear of those with customer contact centres, and therefore employing a large number of people with access to the customer data of your own organisation. There have been a number of newspaper sting operations and even a Channel 4 documentary about this over the past couple of years. We all know the story – low-paid offshore call centre worker ready to sell personal financial data on UK consumers for a few meagre dollars. Only the money is not so meagre these days, so we might expect the risk to be increasing, as criminals are getting savvier about how outsourced operations function.

I think there are three quite separate areas you need to audit and examine if you have an existing commitment with an offshore supplier that involves the processing of sensitive data, or if you are considering which supplier to use:

Legal: In the legislative environment you have chosen, what kind of deterrent is there from the law to help prevent information theft? If there are measures in law to protect you then what actual case precedents exist – it may be that the law exists, but the process of going to court takes many years or is just too painful for other reasons so try to determine how well the law really protects you.

Process frameworks: You want the supplier to guarantee it will use process frameworks such as BS7799 to ensure that the business processes are secure, according to internationally agreed guidelines.

Additional measures: On a company-by-company basis you will observe that some suppliers go much further and are more secure than the process frameworks require. Make sure you determine how secure you need to be and work with a supplier who understands that data will not be secure, just because they passed a security audit.

Friday, 13 April 2007

Who is really more secure?

I was speaking recently at an event in London hosted by The Indus Entrepreneurs (TiE), which is a network of over 10,000 professionals in nine countries all focused on various entrepreneurial activities, and usually with some link back to India. TiE is a global not-for-profit network of entrepreneurs and professionals dedicated to the advancement of entrepreneurship. TiE's mission is to foster entrepreneurship globally through mentoring, networking, and education and they host a lot of events such as this, combining information and networking.

The talk I took part in was focused on the new frontiers and challenges to India within outsourcing. The debate was chaired by Arun Aggarwal, who is the European head of consulting at Tata Consultancy Services. Others on the panel included Rishi Khosla, the founder of Copal Partners and Peter Brudenall, a partner at law firm Simmons & Simmons.

I ran into Peter recently at a drinks reception in Mumbai, but we’ve interacted quite a bit in the past as he is the UK chairman of the International Association of Outsourcing Professionals and he edited a book, that I contributed to, titled ‘Technology and Offshore Outsourcing Strategies’.

Of course the debate touched on a number of topics, particularly on where the next threat to India may emerge, but one of the most interesting sections was when Peter gave quite a spirited defence to India and the issues suffered around data protection in the past couple of years. He didn’t claim any in-depth expertise of Indian law, but he probably still understood the nature of the laws there better than anyone else in the room and he made a strong case for Indian service firms being as secure, if not more so, than their local counterparts.

I chipped in with some of my own experiences as well at this point. I know that it’s hard to get into any of the more secure Indian back-office operations with any form of storage device - phones, iPods, USB keys – they are all removed at the entrance lobby. There is a greater culture of security in most of the Indian service firms that we would find unusual here in the UK – would you tolerate being frisked every time you had popped out for a sandwich? I know that my friend Kevin wouldn’t mind a daily frisking from a burly security guard, but that’s beside the point.

The general debate over security and the comparison of security reality and perception was recently brought home right here with the news that retailer TK Maxx had suffered at the hands of hackers for 18 months, compromising secure credit card information detailing some 45.7 million cards owned by UK and US consumers. And the scale of the problem is so vast that they can’t even predict if any of those with compromised details will have suffered a loss – it’s up to the consumer to check back on their card statements.

This does contrast with most of the issues in India, which have often been sting operations mounted by journalists determined to prove that Indian contact centres are not secure. The fact is we live in a society that is far more dominated by information than ever before. We give our banking details to strangers every time we buy dinner or a round in the pub using a card. It’s a bit harsh to single out one specific geographical domain as ‘less secure’, especially when the experience of most people in the industry is that this perception of insecurity has actually led the Indians to take security a lot more seriously than we do back at home.

Saturday, 03 March 2007

Keeping legal local

I recently took part in an event focused on intellectual property (IP) at the Hardwicke Building in the centre of the Lincoln’s Inn law chambers. Lincoln’s Inn is such a beautiful part of London, but if you don’t have any business with the legal community then it’s easy to miss it entirely in the rush to use Holborn or Chancery Lane tube stations.

BACFI, The Bar Association for Commerce Finance and Industry organised the talk, which was attended by a large group of employed lawyers – employed in the sense that they work as legal counsel within regular organisations, rather than within law firms. I was one of four speakers within a one-hour slot so rapid-fire information was the name of the game.

The other speakers focused on defining intellectual property itself, outlining the type of protective frameworks a company can use for IP, then a description of the Tata brand - as Tata Consultancy Services is now working within the Legal Process Outsourcing environment – then me talking about some of the issues regarding data protection and IP.

I focused particularly on India, because that is where most of the negative news stories have originated. There was a front-page story in The Sun almost two years ago, detailing a sting operation where a reporter managed to purchase personal information on UK consumers from call centres in India. I talked about some of the steps taken by Nasscom to counter this issue, the reality that we see more breaches in the UK, the required changes to the IT Act of 2000 in India, and how many of the doubts about doing this work in India have led the marketplace to become much tougher than the regulatory environment demands.

I made the point by producing one electronic gadget after another from various pockets and pointing out that here I was inside a law firm with enough storage in my pocket to capture everything I wanted, and then some more. Getting into an Indian BPO firm with all that kit in my pocket – especially the 60Gb iPod - would be a lot harder.

Something I have observed in my own new book is that the market for Legal Process Outsourcing is significant, but growth at present is flat or very slow. This is partly because of the conservative nature of most law firms, often partnerships with very well established ways of doing things. It’s also a result of the type of information these law firms are dealing with – it’s just not the kind of data you want to leave the room, let alone the office, let alone the country. Yes, data protection measures are improving within the offshore outsourcing supplier community, but there will always be some processes that are best kept local.

Monday, 22 January 2007

Is terrorism a threat for outsourced IT?

I read in one of the Indian newspapers that their security services were on the verge of closing down a terror operation focused on the international outsourcing industry. It claimed that the Indians suspected a new threat where well-trained Pakistanis would obtain jobs in Indian companies where the service provided formed a critical part of the supply chain for a Western company, allowing them to strike at the very heart of Western civilisation by bringing various companies to their knees in some form of co-ordinated effort.

It all sounds far-fetched and positively paranoid – rather Casino Royale. This reporting also perpetuates the animosity that still simmers between India and Pakistan. For all the diplomacy and recent thawing in relations there is still a great mistrust between these two nations. I recall being at the Indian Independence Day party of one of the larger technology firms in Bangalore a couple of years ago. I was there to interview the chief executive, who was held up, so I joined the staff in their Friday afternoon celebrations.

One group were conducting various ‘what-if’ scenarios – asking each other what they would do in certain outlandish situations. The question to one young software developer was: “What would you do if you personally could control the Indian nuclear arsenal?” His immediate reply was: “Destroy the whole of Pakistan!” Cheers went all round. I was shocked. These kids were young, in good jobs, and had the benefit of a college education yet they still continued to hate their smaller neighbour - for no apparent reason I could see.

I don’t want to get into the rights and wrongs of the India and Pakistan conflict – there are plenty of other bloggers doing that job, but I did want to comment on the idea that supply chain terrorism might be a genuine threat and not just because of this particular geography. There are conflicts in many other regions beyond just this one alone.

Think about the changes in technology over recent times. Technology used to be physical; there was a tactile quality to it. You could go to an equipment room within your office and touch the servers, even if backups were located offsite. In addition, the architecture was all locked together and tightly coupled – systems that integrated together did so in a very pre-determined way.

Now we have far looser architectures, such as services-oriented architecture (SOA), that focus far less on the physical kit and far more on defining the service you need from technology. You no longer care where the kit is located, so long as the service is delivered when you push a button. Changes to the services are far more likely to be outsourced to someone outside the company, and possibly even outside the country.

Imagine the chaos if the website of every retail bank in the UK was brought down simultaneously, or the customer helpline of every major insurer was cut off. There are many new routes to terrorist disruption that may not result in lost life, but can cause financial loss and disruption and in all our plans for a new era of outsourcing we need to bear some of these real issues in mind.

