Although IT security standards at some offshore development centres may seem shoddy, one Canadian outsourcing service provider says that shouldn’t deter North American companies from handing off work to reputable companies in Canada or overseas — as long as they do their homework first.
Police officials recently confirmed they are investigating the alleged theft of source code at Jolly Technologies’ Mumbai development centre in India. Jolly, a San Carlos, Calif.-based vendor of label and photo ID card creation and printing software, lacked a security policy at its Mumbai centre, and the company issued a statement this summer confirming that an employee uploaded and e-mailed files containing the source code and other confidential data to a Yahoo Inc. e-mail account.
Some IT security consultants allege that providers in India, China and Argentina do not have security and privacy standards comparable to those in North America. However, Kim Rowe, founder of Rowebots Research Inc., an Ottawa-based firm that develops and customizes group collaboration software products, said the risk of having intellectual property (IP) stolen is not specific to region.
In fact, he added, it’s a risk companies face whenever they outsource anything. “Anytime you have intellectual property going outside your company, there is some risk that it can be stolen by an employee and reused in some way,” Rowe said. “That’s just part of the cost of business.” He pointed out, however, that this risk is “extremely small” and that there have been “only a handful” of cases reported in the news in the past 15 to 20 years.
Rowebots, which does some work for Canadian customers but has mostly U.S.-based clients, currently sends some development work to Ukraine. Although Rowe said he chose the location because of its development standards and because of employees’ values and the respect they hold for information and people’s rights, he added that Rowebots still takes several steps to reduce the risk of IP theft for its customers. Security checks are a must for all people who will be accessing information or code, and they must be done locally where the employee resides, he said.
Strong physical and technical security measures are also necessary. Rowe explained that in some facilities to which Rowebots sends its development work, the security measures are “quite extreme.” Some employees are not granted the ability to copy anything off the computer. “There are no floppy drives or CD drives,” he said. “An encrypted network comes in from overseas, it’s in the lab and there is no way to take the information out …. In some cases we have the equivalent of a Class-3 (top secret) facility by Canadian standards.”
Sheena Woodhead, Calgary-based management consultant with IT solutions and services provider EDS Canada, said her firm also takes privacy and security issues seriously. On the technical side of data protection, when developers are working on a project, they only have access to the source code or data that they need, rather than the full code.
And whereas at Jolly the accused employee was able to send files through a Web mail account, “with EDS you would not be able to use Yahoo or Hotmail,” Woodhead added. “We have firewalls in place to block that out so employees can’t access (such accounts).”
In addition, EDS has an online knowledge base called the Enterprise Security Information System, which contains a series of security-related documents, protocols, procedures and processes employees must follow. “As part of [that system] we have audit controls in place,” she said. Depending on what it’s doing for the customer, EDS could “perform random technical audits where we would pull random IDs (of employees) to ensure that they have appropriate access and authorization.”
All EDS employees must review and acknowledge the firm’s code of conduct every year, and the firm does privacy and security awareness training. EDS also has an internal company agreement on privacy and data protection that all its employees are required to sign.
“It defines a common set of rules for managing data within EDS,” Woodhead said, adding that the policy establishes an environment of proper protection of personal data, ensuring compliance with Canada’s public sector privacy legislation; the Personal Information Protection and Electronic Documents Act (PIPEDA), which covers the private sector; or, in the case of Alberta and B.C., provincial private sector privacy legislation.
Rowe said having sound software development processes in place tends to deter potential code thieves. “(Good processes) in some sense make it much harder for the individual to … even think about taking a piece of intellectual property, because the IP is so big that it would make it more difficult to take anywhere. Usually it’s not just a piece of source code but the whole environment” that the thief is after, he said. “Anyone unscrupulous enough to steal source code is generally too lazy to work on it to make it their own,” he added, so spreading the development work among different employees and disallowing sharing of information between development groups can also effectively discourage IP theft.
On the contractual side, a company can “do the standard legal things” like drawing up non-disclosure agreements. But in the end it has to trust that it has chosen the right provider, he said. “At the end of the day it’s about people doing business with people — you have to have someone at the other end of the table that you trust,” he said. Any enterprise should be “very cautious” about who it outsources to, Rowe added. “It should be a reputable company of a good size. Those kinds of things ensure that the company is much more professional, which will reduce your risks.”
Rowe added that companies should be selective about what they outsource: they should determine what the key pieces of their business are and avoid outsourcing them. Meanwhile, non-core aspects of the business are safer to out-task because if they fall prey to a thief, at least it’s not competitive information or something crucial to the company’s operations that is at risk, he said.