Outsourcing Insider Attack?

I know one or two other bloggers have spotted the following news piece too, notably Bruce Schneier, but it’s hard to pass up an opportunity to not only comment, but to draw some wider parallels with other market trends in IT. The BBC reported a few days ago that the good folks at Charlapally Central Jail in Andhra Pradesh, India, are setting up an outsourced data-entry business using, perhaps unsurprisingly, the cheap labor pool of prisoners. It gets better. Apparently they’ve identified the target market for these services as, you guessed it, banks.

The project is headed up by a Mr. Charyulu from a private sector company working with the jails, and according to the BBC article:

Mr Charyulu said 200 people would be recruited and trained for the job initially. The unit, which is expected to undertake back-office work for banks, will work round the clock with three shifts of 70 staff each.

Call me a cynic, but hiring convicted criminals to do data entry for banks, while they are still in jail, seems like a rather poor risk-management bet. Assuming, of course, that you knew the people doing your data entry were behind bars.

Which really brings me to the main point of this blog – however good the economic reasons may be, the further you are (from a process and visibility perspective, not geography) from the people handling your data, the less able you will be to measure risks to your data. And, as we move full speed ahead into the ill-defined and poorly lit world of Clouds For Everything™, it becomes ever more difficult to measure those risks. I have nothing against “Cloud” per se, nor do I have anything against prisoners in Andhra Pradesh for that matter, but I do try to keep track of where my personal and financial data is popping up, and I’d like to think that someone else is keeping track of it too -- like, say, my bank.

On the plus side, at least no one has to worry about expensive background checks for the data entry team, right?
