Proposal Guidelines Archives Information Security Glossary Catalog InfoSecurityNetBASE Auerbach Publications Information Systems Security
Auerbach Publications

Corporate Security: Risk and Cost Tolerance in India

Fred Burton

Late last month, Indian police acting on an intelligence lead arrested a suspected Kashmiri militant near Jalahalli, a village just north of Bangalore. Authorities confiscated an assault rifle and 300 rounds of ammunition from the suspect, 34-year-old Bilal Ahmed Kota, as well as -- significantly -- a satellite phone, a cell phone, multiple cell phone SIM cards and a map of Bangalore. Several locations reportedly had been marked out on that map -- including the airport, the offices of Wipro Technologies Ltd. and the complex operated by Infosys Technologies, the global information technology (IT) services provider.

Since Kota's arrest on Jan. 5, Indian authorities have said that he confessed, under interrogation, to having been tasked with scoping out the security measures in place at Wipro, Infosys and the Bangalore airport. Authorities also said that Kota was acting under the orders of Pakistan-based militants connected to the Lashkar-e-Taiba (LeT) to plan and carry out attacks on those sites.

The Kota case is the latest in a series of incidents and threats connected to the high-tech industry during the past 18 months, and underscores that militant groups are paying greater attention to economic targets in India -- and to this important sector in particular.

However, the danger of attacks by Kashmiri militants (or even Maoist Naxalites) is not the only threat that foreign multinational corporations -- and particularly technology companies -- now face in India. These companies are confronting what is effectively a multi-pronged security threat that also includes growing concerns about personal security and kidnappings, a greater recognition of risks to intellectual property that stem from corporate espionage, and issues related to privacy and the risks of criminals stealing sensitive customer information. Security managers today have a very different perception of the risks associated with doing business in India than they did two years ago.

Significantly, dealing with each of these individual threat categories brings with it an associated business cost. For a large number of Western companies, particularly in the high-tech sector, India's chief attractions long have been based on cost considerations -- a plentiful, educated, English-speaking and cheap labor force. As the risk environment -- or perceptions of it -- shift, a new question emerges: At what point will the costs of doing business in India begin to outweigh the benefits?

Tracking the Militant Threat

In March 2005, when a police raid in New Delhi turned up evidence of plans for attacks against IT companies in Bangalore, many private security companies and security directors for multinational corporations assumed the threat was being exaggerated by the Indian press (where reporting can be, to say the least, emotional and melodramatic). These sources told Stratfor at the time that they believed the situation on the ground in Bangalore and southern India generally was not conducive for operations by an extremist Islamist Kashmiri separatist group. Bangalore was considered too far from Pakistan or Kashmir, and the locals believed militants would not be able to operate in the region without standing out.

The conventional wisdom, however, was shaken in October 2005, when the U.S. State Department issued a warden message warning of possible attacks against U.S. interests in New Delhi, Hyderabad, Mumbai and Kolkata. And in December 2005, the assumption of safety was shattered completely by an armed attack at the Indian Institute of Science (IISc) in Bangalore. The attack dispelled the myth that Kashmiris were not capable of operating in southern locations like Bangalore.

Perceptions of a growing threat to the Indian economy and the high-tech sector solidified with a series of events throughout 2006:

Jan. 3, 2006: Prime Minister Manmohan Singh confirmed that militants were targeting the technology sector. Singh was speaking at a scientists' convention in Hyderabad, the day after the arrests of two men suspected of planning attacks against the tech industry in that city and the recovery of a cache of explosives.

March 2006: The police presence around high-tech businesses in Hyderabad was increased, and authorities called for companies to review their security measures, after Indian authorities said they had received what they characterized as a credible threat against customer service and support centers in that city.

July 2006: A suspect arrested in connection with the train bombings in Mumbai was reported to have worked at the Oracle India facility in Mysore. The concern raised by these reports -- that militants might be infiltrating IT companies -- was reinforced later in the year, when India's internal security organization, the Intelligence Bureau (IB), quietly informed a number of multinationals that the LeT was attempting to infiltrate their companies.

Meanwhile, as the interrogation of suspects believed to be linked to the Mumbai bombings continued, Indian authorities said they had discovered plans to strike IT companies in Bangalore, and that, consequently, security measures in that city had been strengthened.

October 2006: In Mysore, a shootout ensued when two men -- who were subsequently arrested -- attempted to avoid a police check point. These arrests, like that of Kota near Bangalore, clearly demonstrated that Kashmiri militants are not having as much difficulty operating in southern India as previously had been believed. There is no longer any doubt that the threat to India's IT sector is real, and that militants have continued to target it despite several setbacks. The militants' strategy apparently is to launch attacks against the IT sector in order to damage confidence in the Indian government's ability to protect that industry. This, consequently, would lead to a drop in foreign direct investment and wider damage to the Indian economy and political structure.

From a corporate security standpoint, it must be noted that the December 2005 attack in Bangalore targeted the IISc rather than a foreign IT company. Likewise, the targets Kota allegedly surveilled were Indian firms and the Bangalore airport. However, foreign executives and VIPs are frequent visitors at the campuses of IISc, Infosys and Wipro, and a large number of foreigners travel through the Bangalore airport every day. Furthermore, both Infosys and Wipro employ a large number of foreign workers. Therefore, had any of these plots been carried to fruition, it is conceivable that they could have resulted in the deaths of foreign nationals and sent shockwaves through multinational corporations operating in India.

Finally, the end goal behind all of these plots and attacks -- to damage the Indian economy -- could be accomplished just as easily, if not even more effectively, by directly targeting the multinational firms that drive large investments into India.

Standard measures used by corporations around the world -- such as security perimeters around office buildings, access controls and vehicle inspection points -- can help to mitigate terrorist threats to individual corporations, but obviously they have little ability to influence or change the political environment that drives the threats.

Personal Security and Kidnapping Threats

As in most parts of the world, there is a thriving criminal element in India -- and the abduction of children is somewhat common (though the majority of these kidnappings stem from motives other than ransom, such as sexual exploitation or family vendettas). With the exception of Kashmir, where several militant groups have abducted foreigners as a way to secure the release of jailed comrades, it has been rare for foreign expatriates or the children of wealthy Indian business executives to be kidnapped. Consequently, kidnapping for ransom generally has not been viewed as a problem for multinationals operating in India.

It is little wonder, then, that the abduction of the 3-year-old son of Naresh Gupta, a senior vice president at Adobe India, in November 2006 caused an uproar throughout the business community in India and within the IT sector particularly. In the wake of the news, security contractors and the corporate security managers of multinational businesses operating in India have been working hard to quantify the kidnapping threat.

Sources within the Indian police force say they are aware of several kidnappings for ransom every month in New Delhi, Mumbai, Chennai, Hyderabad and Bangalore -- but as in most other countries, many kidnappings are never reported to the police. A reliable source from a major U.S.-based IT company advises that kidnapping in the northern state of Uttar Pradesh is well on its way to becoming a cottage industry, much as it is in Latin America and the Philippines. He calls this trend "disturbing" and is considering whether to step up security measures in place for employees and executives, especially those residing in and around New Delhi.

While the Gupta kidnapping involved the family of a high-profile Indian national rather than a foreign executive, it could be read as an indication of growing boldness among kidnapping groups in the country, and was almost certainly connected to the fact that IT executives are gaining greater prominence within India. If kidnapping gangs indeed are gaining confidence, more abductions involving Indian executives and their family members could be expected -- and those involving foreign executives or their families could follow. Thus, this trend bears careful monitoring.

The kidnapping of the Gupta child also appears to be causing some changes in the way Indian executives think about security. Prior to the abduction in November 2006, the NDTV news channel in India produced and aired a business news program called "Boss' Day Out." Each episode showcased a day in the life of an influential business executive -- beginning with his morning wake-up call and ending with his bedtime. The program took a candid look at aspects of the executive's personal life -- including his home, family, children (mentioning their names and even nicknames on occasion), school routines, work routines and travel patterns. This is all useful information for criminals in the course of planning an abduction, and Naresh Gupta was featured in one of the programs a few weeks before his son was kidnapped. The program reportedly has been discontinued.

There are a range of countermeasures available to corporations, depending on the severity of the kidnapping risk. These can range from -- at the low end of the cost spectrum -- educating executives, their families and household staff about the threat, and shoring up their residential security processes, to -- at the high end -- providing specialized training for drivers to recognize and avoid potential attacks, or providing high-value employees with an armored car and protective details. Kidnap-and-ransom (K&R) insurance policies also can be purchased to mitigate corporate liability and provide professional negotiation assistance in the event a crime does occur.

Industrial Espionage

Industrial espionage (IE) by corporate spies in India is focused primarily in the information technology industries, although the KGB-trained IB and the Indian foreign intelligence service -- the Research and Analysis Wing, or RAW -- also have been known to conduct physical surveillance of Western diplomats and high-profile Western business executives and foreign companies. In addition, electronic eavesdropping is still "perfectly legal and widely practiced" in India, according to a counterintelligence source there.

Most known cases of industrial espionage involve insiders downloading source codes and other proprietary business information. Foreign businesses that partner with Indian firms are at risk if they do not have full control over the vetting and hiring process. Additional susceptibility comes when Indian partners outsource tasks to third-party contractors, further reducing the multinational's ability to control and protect information.

The risks from industrial espionage exist worldwide, but technology companies can find they are greater in India than many other regions because of the research and development (R&D) work that often is conducted there -- and because of the work of the IB and RAW, which are more aggressive than many intelligence services when it comes to stealing proprietary information from foreign companies for domestic purposes.

In additional to industrial espionage, there have been several well-publicized cases in which Indian workers have stolen information -- such as bank account numbers, PIN numbers for automatic teller machines or birthdates and Social Security numbers (from American customers) -- for criminal purposes. In perhaps the most notable of these cases, a worker at an Indian call center allegedly sold the bank account information of 1,000 British customers to an undercover reporter at $7.68 per account. The call worker boasted that he was able to steal and sell up to 200,000 accounts each month.

Local police generally have little ability to halt IE and criminal theft of information, although the Indian government is working to pass laws that would give police greater enforcement powers. In one case, an Indian engineer was caught walking out of his place of employment with vital source code information stored on a flash drive. Police were called in on the case but they said they had no jurisdiction in the matter.

Certainly, employers can take steps to mitigate these risks -- but again, costs are an important consideration. Monitoring employees' activities is expensive, and conducting background investigations on potential hires in a place like India can be very difficult, since public records (such as birth and death certificates) are not readily accessible or verifiable in many municipalities. Furthermore, even in cases when a job applicant has a clean history, the IB and the RAW (or even local criminal syndicates) may find it is in their interests to pressure or influence that person.

Conclusions

India is an attractive location for multinational IT corporations for a number of reasons. Notably, it has a large pool of highly trained, technically competent and English-speaking workers who are willing to work for less pay than their counterparts in the United States or Europe. Furthermore, establishing or outsourcing customer service and support issues to call centers in India, with the time zone differences, makes it possible for companies based in the United States and Europe to offer support virtually around the clock. However, of all these reasons, the biggest motivator for multinationals to establish R&D and customer support operations in India, or to relocate those operations from other countries, has been cost. This is especially critical in competitive sectors like the personal computer and software industries, where profit margins are thin and any improvement in labor cost can dramatically help the corporate bottom line.

The array of security challenges -- some of them longstanding, some of them emerging -- now coalescing in India could have an impact on that bottom line. Security costs to companies involve not only cash outlays for physical security upgrades and technology, but also manifest in terms of contingency planning and salaries for in-country security staff. Demand for qualified and well-connected security managers in India has increased dramatically over the past two years. This trend is driven not only by perceptions of growing risks, but also by cannibalization within the corporate sector, with companies poaching security managers from one another. (The poaching trend also has indirect implications for cost structures, as it leads to escalating salary offers and expectations. Of course, that's a good thing for security managers, but bad for the bottom line.)

Corporate bean-counters will be watching these costs carefully and will factor them into risk/benefit analyses. The tolerance for risk varies from company to company, of course; but should the terror threat necessitate increased security for employees and facilities, or should the kidnapping threat require protective details, armored cars and expensive K&R insurance policies for executives, or should the theft of intellectual property and the personal data of customers require expensive efforts to vet and monitor personnel and IT security safeguards, the cost-efficiency ratio that has favored India for so long eventually could begin to tip in the other direction. This could occur with a dramatic spike in any one area -- especially terrorism -- but it also could be a slow bloodletting, with a steady escalation in all of these areas leading to death by a thousand cuts.


About the Author
Originally published in Strategic Forecasting Terrorism Intelligence Report, January 9, 2007.

© Copyright 2007 Strategic Forecasting Inc. All rights reserved.