Although IT security standards at some offshore development centres may seem shoddy, one Canadian outsourcing service provider says that shouldn’t deter North American companies from handing off work to reputable companies in Canada or overseas — as long as they do their homework first.
Police officials recently confirmed they are investigating the alleged theft of source code at Jolly Technologies’ Mumbai development centre in India. Jolly, a San Carlos, Calif.-based label and photo ID card creator and print software vendor, lacked a security policy at its Mumbai centre, and the company issued a statment this summer confirming that an employee uploaded and e-mailed files containing the source code and other confidential data to a Yahoo Inc. e-mail account.
Some IT security consultants allege that providers in India, China and Argentina do not have security and privacy standards comparable to those in North America.
However, Kim Rowe, founder of Rowebots Research Inc., an Ottawa-based firm that develops and customizes group collaboration software products, said the risk of having intellectual property (IP) stolen is not specific to region.
In fact, he added, it’s a risk companies face whenever they outsource anything.
“Anytime you have intellectual property going outside your company, there is some risk that it can be stolen by an employee and reused in some way,” Rowe said. “That’s just part of the cost of business.” He pointed out, however, that this risk is “extremely small” and that there have been “only a handful” of cases reported in the news in the past 15 to 20 years.
Rowebots, which does some work for Canadian customers but has mostly U.S.-based clients, currently sends some development work to Ukraine. Although Rowe said he chose the location because of its development standards and because of employees’ values and the respect they hold for information and peoples’ rights, he added that Rowebots still takes several steps to reduce the risk of IP theft for its customers. Security checks are a must for all people who will be accessing information or code, and that must be done locally where the employee resides, he said.
Strong physical and technical security measures are also necessary. Rowe explained that in some facilities to which Rowebots sends its development work, the security measures are “quite extreme.” Some employees are not granted the ability to copy anything off the computer. “There are no floppy drives or CD drives,” he said. “An encrypted network comes in from overseas, it’s in the lab and there is no way to take the information out …. In some cases we have the equivalent of a Class-3 (top secret) facility by Canadian standards.”
Sheena Woodhead, Calgary-based management consultant with IT solutions and services provider EDS Canada, said her firm also takes privacy and security issues seriously.
On the technical side of data protection, when developers are working on a project, they only have access to the source code or data that they need, rather than the full code.
And whereas at Jolly the accused employee was able to send files through a Web mail account, “with EDS you would not be able to use Yahoo or Hotmail,” Woodhead added. “We have firewalls in place to block that out so employees can’t access (such accounts).”
In addition, EDS has a an online knowledge base called the Enterprise Security Information System, which contains a series of security-related documents, protocols, procedures and processes employees must follow.
“As part of [that system] we have audit controls in place,” she said. Depending on what it’s doing for the customer, EDS could “perform random technical audits where we would pull random IDs (of employees) to ensure that they have appropriate access and authorization.”
All EDS employees must review and acknowledge the firm’s code of conduct every year, and the firm does privacy and security awareness training. EDS also has an internal company agreement on privacy and data protection that all its employees are required to sign.
“It defines a common set of rules for managing data within EDS,” Woodhead said, adding that the policy establishes an environment of proper protection of personal data, ensuring compliance with Canada’s public sector privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA) which covers the private sector, or, in the case of Alberta and B.C., provincial private sector privacy legislation.