SOMETIME IN LATE 2010. BANGALORE. A city-based electronics company, which specialises in designing innovative high-end components, was gearing up to launch a product that had been in the works for over a year. Except that it got wind of the fact that a competitor had hijacked the concept and was planning a far earlier launch. The company put the whole affair in the hands of its legal department, which then decided to call in the specialists. Enter Mahindra Special Services Group or MSSG, then headed by Dinesh Pillai.
Pillai swung into action, and in an operation worthy of a spy thriller, began an intelligence sweep of the company. His team—certified hackers, retired commandos, former United Nations peacekeepers, IT professionals—started with the time-consuming task of profiling employees and visitors. It took weeks, but the result was worth the mind-numbing hours. They discovered a telling discrepancy: An employee who had been signing in with clockwork regularity at 9.30 a.m. and out at 5.30 p.m. every day for close to six years, changed his schedule without any reason—he started coming in at 7.30 a.m. and leaving at 9.30 p.m.
Till Pillai’s team started studying the profiles, this employee had not been suspected of anything, other than perhaps over-enthusiasm by his less hard-working colleagues. But the profile that the team put together showed that this person needed money desperately. When questioned, he admitted to having sold data about the concept; further investigations revealed that he sold it to a middleman and not directly to the competitor. The company sacked the employee, and the MSSG team moved on to investigate breaches in other companies.
It’s all in the best traditions of Le Carre, but there’s more than thrill at the heart of the Rs 12,000 crore corporate security industry in India. In a recent survey by Akamai Technologies of some 200 senior executives across Asia, 40% of businesses admitted to economic loss as a result of data breaches and compromised systems, with financial companies being the most vulnerable. KPMG’s latest Cybercrime Survey for India reported that almost 90% of execs see cybercrime as a serious threat.
However, as Fortune India had reported earlier (‘You are Being Tracked’, February 2014), most companies are ignorant about how vulnerable they are. Some companies, especially those that send staff to politically sensitive countries, provide impressive physical security but leave computers wide open. There was also the instance of a company losing a bid to a competitor despite solid firewalls to prevent information leaks; the competition bribed a housekeeping staff member to wear a camera disguised as a pair of spectacles. When the bribed employee served tea at critical meetings, he was actually taking and transmitting photos of sensitive bid documents.
Before the age of networked electronics, it was somewhat easier to track theft. Companies restricted the use of photocopiers, so papers could not be taken out. And since e-mail was then accessed only on computers, it was simple to track what was going on. With the huge surge in smart devices even in supposedly highly secure offices, it has become virtually impossible to track every exchange.
The fallouts are way too expensive for companies to ignore. Vinayak Godse, director of data protection, Data Security Protection Council of India, says that in 2013, cyberattacks were responsible for Indian banks losing Rs 130 crore. Then there’s the case of EXL Services, a business process outsourcing firm, which lost a key client (The Travelers Indemnity Company) after news of a data breach broke. The Travelers account was worth approximately Rs 176 crore.
GIVEN THE MONEY AND REPUTATION AT STAKE, established companies are getting into the act. Conglomerates such as Mahindra & Mahindra, Tata, Reliance Industries, and GMR have set up in-house security firms. In the last decade, more and more of the largest Fortune India 500 companies have started private security companies or divisions, partly in order to service their own needs, and partly as commercial ventures. MSSG, for example, has worked with Tata Steel, Shoppers Stop, Tata Realty & Infrastructure, Ginger Hotels, and WNS—all companies that the larger Mahindra Group competes with through its subsidiaries. (It’s interesting that the Tata Group has its own security division, called Homeland Security, under Tata Advanced Security Ltd. or TASL, but still works with MSSG on some projects.)
For most large corporations, security is a hybrid affair, with the lower-value bits outsourced, and the company itself acting as an integrator. For example, Bombay House, Tata’s administrative headquarters in Mumbai, has third-party watchmen patrolling the ground floor and the entrance. Mahindra’s office in Worli also has a security van parked round the clock outside its gates. The contractor for both is the same: Topsgrup. There’s also the SISA Group, which specialises in physical guarding, cash-in-transit security, and emergency response services. SISA is hired by companies such as Essar, Adani Enterprises, HDFC Bank, and ICICI Bank. “Larger corporate houses retain their own security in sensitive areas such as R&D,” says Raghu Raman, former CEO of the National Intelligence Grid and MSSG.
As early as 2001, perimeter fencing, gate management, CCTV installations, and intruder-alarm systems were being managed by the same company, says Ananj Kumar, CEO, TAK Technologies, which focusses on systems integration and has provided services for the Indian Embassy in Afghanistan. “But over the past few years, the industry has grown so fast that no one firm can afford to do it all.” That’s resulting in a whole wave of specialisation. So, for example, Bosch and Honeywell are known for CCTVs and access control systems; Securico for intruder alarm systems; and Ibex Gallagher and Magal S3 for perimeter-fencing systems.
At the same time, it’s not possible for a company to run these diverse security systems, from access points to cybersecurity, which is why systems integration is the buzz phrase at corporate security outfits. “You’re only as secure as your ability to triangulate all the relevant data,” says Sukaran Singh, director, TASL.
Integration works like this: If an intruder tries to cut through an electric perimeter fence, a signal is sent to a command control, which then remotely manipulates a camera, which zooms in to detect and identify the intruder, and if necessary, signals the control room to issue a building-wide alarm. All the devices, made and installed by various vendors, are controlled at one point, which is generally run by the client company.
Not everyone agrees that integration is the job of one third party. “Companies that do risk management can’t do hardware and devices as well,” says Pramoud Rao, managing director of Zicom, a maker of electronic security products.
Lt. Gen. Sudhir Sharma, a former three-star military man who oversaw the logistics of the Indian army, says large corporations aren’t the only ones moving into security. The big four consulting firms have also jumped in. Even IT hardware and office automation companies Wipro and HCL have, in the past five to six years, begun offering managed security services across IT systems, surveillance, baggage screening, command control, and access control. Cisco India, too, has been in the game for a while.
The attraction: the big money in government and private security contracts. The government’s pilot project for Modernisation of Airfield Infrastructure (MAFI) is one such example. It’s an approximately Rs 2,500 crore initiative to modernise all airfields used by the armed forces in a phased manner, and requires mostly infrastructural work—but is likely to also be linked to a security tender.
CCTV installations across cities in India is another plum area. In London, Singh says, “You can’t go for half a minute without being photographed, and that has helped prevent attacks.” Mumbai is trying to install CCTVs for the fifth time. There are CCTV tenders in Delhi, Noida, and Indore as well.
TATA’S HOMELAND SECURITY had its roots in a division that included perimeter security at the Tata Motors plant in Sanand, Gujarat, and was later rolled up into the Homeland Security Division. However, it became a full-fledged business after the terror attacks of Nov. 26, 2008, in Mumbai; the terrorists had targeted key locations, including the Taj Mahal Palace hotel of the Tatas. The formal vertical was launched as Tata-AGT in 2010 through a joint venture with public safety company AGT of Switzerland, which was when Singh and his team decided to look at the sector as a commercial opportunity. “We said, ‘Let’s create the capability and see what happens,’ ” and they did. Today, Tata-AGT has implemented multiple projects for both Tata and non-Tata companies.
However, for most of these new-age security contractors, convincing the client that they need security is no easy task. If there is just one thing that Parag Agarwal, director of security at MitKat Advisory Services, a Delhi-based security consulting firm, could change in his clients, it would be the “do the bare minimum” attitude. Agarwal says that to meet compliance, managers at hotels and public buildings tell him they want a door-frame metal detector device with a basic sensor that just beeps when you pass through. Something like that can be built with a wooden box and a Rs 500 sensor, he says, lamenting the downward spiral of quality among many smaller vendors. “It’s the same with cameras—they don’t care if they can see anything on the recording or even if it works. It should just look as if it does.”
His point is valid. In a world of emerging new threats, being unprepared could mean it’s just a matter of time before a breach takes place. But most companies don’t realise how extremely porous they are until the chinks are split wide open, says Samrendra Kumar, a former soldier who is now managing director at security advisory MitKat.
This is something MSSG’s Pillai tries to hit his clients hard with. Often, Pillai instructs “dumpster divers” to probe latencies within their organisation by sitting around an office unobtrusively for a week or two and almost becoming part of the furniture. These divers chat with employees and visitors, and help themselves to information, which is just left lying around.
“We’ve seen performance appraisals picked up from the garbage, salary structures of the entire office, increment letters, the complete financial structure of an organisation,” says Pillai. When he presents his findings to the company, he makes it a point to stress that the competition could have got the same information as easily.
The positive rub-off is that the emergence of security is serving as a business transformation process for corporate houses. More and more companies are including new layers of security—physical and electronic. And, of course, they are hiring specialists to ensure the safety of their information.