How WNS Global Services Tackles Data Leakage

Employed IBM mobility management platform to implement policies such as disabling copy paste, access to internal sites using IBM secure browser and the ability to erase corporate data only in specific scenarios.

WNS is a BPM firm with over 31,000 employees working across 13 different countries and 39 delivery centers. Data loss prevention (DLP) was a prime cause of concern for the company in the wake of the increasing demands for PCI DSS and HIPAA certifications, the frameworks for complying with legal guidelines that ensure the protection of underlying data. They deal with data from across business verticals including BFS, healthcare, travel and insurance, hence, any sort of data leakage would not only put the client's reputation but also the image of WNS at risk. It was vital for them to steer clear of any accidental deletion of data or handing out crucial data to incorrect ID outside the organization. To effectively deal with this problem, the company embarked on a DLP initiative which would cover all aspects of possible risks to data exit points. ‘More than the technology, educating the operations and other stakeholders was the key in achieving the objective,’ says Amit Khanna, Head of Business Technology, WNS Global Services. The solution Unlike the traditional Blackberry model, where data could be controlled to some extent, the native controls in Microsoft Exchange on handhelds were primitive and did not offer any DLP capabilities. The company implemented IBM MaaS 360, the mobility management platform, which enables analyzing all data exit points including endpoints and emails. The program was broken down into three separate projects rolling up into the program in achieving the goal. They segregated personal and official data with the use of containerization. This also allowed to implement policies such as disabling copy paste, access to internal sites using IBM secure browser and more importantly the ability to erase corporate data only in specific scenarios. Second was the implementation of DLP on laptops with a phased approach. First they revoked admin access to all laptops and later installed McAfee DLP client in the machines which monitored outbound file transfer through external devices. This is how they ensured 70% of data leakage prevention. This was followed by email DLP. They implemented Proof Point email DLP through which they implemented specific rules on all outbound emails which were scanned for social security numbers as well as credit card numbers. This was an extremely important implementation because email as a source of data leakage is not considered by many organizations as a serious threat. Although this is an effective means of communication, it is also the easiest way to loose data. With this in mind, configurations were designed which scan emails, attachments and URLs which not only block suspicious emails but also notify security operations team to take appropriate action on the  same. While these initiatives in entirety were very effective, it was also deemed essential to implement certain HR policies so as to ensure that employees were effectively informed as well as warned if they tried to leak any data through emails. Business benefits ‘The combined projects effectively gave us a competitive advantage, and a mature SOC which was appreciated by business leaders as well as clients,’ says Amit. The DLP and laptop policies blocked usage of Torrents thus avoiding accidental leakage of data. The company won a business deal in insurance vertical by showcasing their email DLP capabilities, says Amit. Plus, this solution offered them the competitive advantage where no BPM providers guarantee such thorough capabilities in areas of Information security and information technology, claims Amit. The change management The IT Teams at WNS collaborated with information security division and carried out awakenings across the organization including how it can benefit them at large. Effective planning of the infrastructure along with long term planning on capex spend ensured that there were no issues from budgeting perspective. ‘It was also ensured, to move all mobile devices under the DLP radar by enforcing strict policies and adherence to PCI- DSS compliance,’ says Amit. Since this change was on such a large scale, dedicated project managers were assigned for each business vertical and a governance was appointed to track the project and communicate effectively to the clients about the initiative and compliance status. Future plans With the growth and innovation in new technologies and with such a large scale adoption of social network and media for cost effective campaigning of organization’s effectiveness, it has become challenging for IT to adhere to compliance. With this in mind, there are continuous enhancements being carried out by the organization through innovative uses of technology.

  1. Quarterly training programs to all the employees of the organization
  2. Thorough testing and audits for each aspect of technology.
  3. Understanding and mitigating operational processes and risks.
‘These initiatives have allowed us to effectively develop capabilities using security operations center as a service to our end clients, adds Amit.


Around The World