Contracting with an overseas development partner can help your business save money while leveraging top-tier talent, but it’s not without risk.
Like it or not, offshore development security is something you must think about from day one, before even signing on with an outsource provider.
Trade secrets, sensitive customer data, and valuable IP all pass through the hands of your partners as they work to bring your new idea to life.
There are people out there who will try to steal that data. If they succeed, then they can threaten your entire business.
It’s important to take these risks into account. So, in this article, we’ll go through all the basic security implications of offshore development:
- The 3 main points of vulnerability when working with external devs.
- Breaches over the Internet.
- Breaches via physical access to your systems.
- IP theft.
- How to set yourself up for safety by integrating security from the beginning of a project.
- And of course, how to protect against breaches on an ongoing basis.
Let’s start with a close look at where things can go wrong.
Points of Vulnerability
In offshore software development, or local for that matter, there are essentially four vulnerable points where data can be stolen.
The good news is that they have quite a bit of overlap, and a good security plan will cover all of them.
When you’re starting to think about security, though, you need to start by considering all the possibilities.
Hackers and Thieves
Criminals come in many forms, and there are numerous bad actors who could potentially steal your sensitive data.
The idea that immediately leaps to mind is a hacker, working from home and gaining remote access to your development network, but that’s not the only possibility.
Just as effective is a burglar physically breaking into the office. In many cases, this might be an easier crime to pull off.
Or think of all the people who have legitimate access to your data, and how they could abuse that privilege.
A disgruntled employee, vandalizing servers on their way out the door.
A student or intern, touring the office and up to mischief.
A laptop or mobile device loaded with proprietary information, left behind in a bar or taxi.
The scenarios are endless, however unlikely. Taking a few precautions up front could save loads of heartache down the line.
IP Theft
Of course, there’s always the threat of good, old-fashioned plagiarism.
No matter how good your idea or how perfect your implementation, it could be all for nothing if someone else beats you to market.
Sometimes, the quickest way to do that is to simply copy your idea.
And the worst part is, sometimes it’s not even illegal.
A third-party vendor or contract worker can, in some cases, take your idea and roll with it.
It’s more common than you might think in some countries, and without the right precautions, you won’t be able to do a thing about it.
Protecting Against Network Threats
Network breaches are the most obvious threat your data faces at an offshore software development firm.
The nature of outsourcing means data will be traveling over the Internet, and it’s always possible for a breach to occur.
Because you don’t have complete control over the offshore facility, you also can’t maintain complete awareness of who is accessing your data.
In other words, outside vendors or contractors might have a hand in your project without your knowing, and that carries a potential risk.
Finally, it’s entirely possible for a project to complete successfully, and for the result to be insecure.
Server hacks after software is released can result in the loss of billions of dollars worth of data.
The world received a harsh reminder of this fact in 2017, as some of the largest global purveyors of data suffered massive breaches.
So, what can you do to protect against these threats?
With offshore developers, it all boils down to picking the right partner.
Strong IT Policies
When selecting your development house, take the time up front to ask the right questions.
Particularly if your project involves sensitive customer data, you need to make sure that the developers take security seriously.
Here are a few things that any vendor worth hiring should have:
- Active network monitoring to guard against breaches
- Enterprise-grade firewalls
- In-house IT policies that control access to file sharing and messaging services, as well as access to potential virus vectors like entertainment websites
- Regular security audits to ensure policies are up to meeting current challenges
Basically, if a development house doesn’t take data safety as seriously as you do, then you should reconsider the relationship.
Spec Security into the Project
Remember that offshore software development security doesn’t end after the project hits the market.
Once your software is out in the public eye, it becomes a much juicier target for data thieves. It’s more visible, more exposed, and potentially full to the brim with customer credit card data and other sensitive information.
When speccing out your project, make security one of your top priorities. Talk through with the developers precisely what methods will be used to protect data.
Encryption technology advances frequently, and you should make sure your development partner uses the latest and best.
Think about how to respond if a breach does occur, as well. Security holes need to be patched, and the personnel who created the product in the first place are often best positioned to do so.
Most developers offer post-release support services, and it’s a good idea to make use of them. Unless you have a large internal development staff, you should plan to rely on your offshore team for the entire life of the product.
Protecting Against Physical Threats
All of the network security in the world won’t do any good if someone gains physical access to an unlocked development machine.
Some of the largest data breaches in the last ten years occurred when hackers gained physical access to networks or computers, including the highly publicized Sony Pictures breach of 2014.
Just like network security, preventing physical breaches is a matter of planning and vigilance. Talk about these issues up front with your developers, and be ready to pivot and respond to threats before they can develop into major problems.
Secure Facilities
Although not every office, particularly internationally, can be a hardened bunker like in the movies, there are still plenty of steps a development firm can take to prevent a physical breach.
- Keycard or biometric access control
- Phishing awareness training
- Security cameras, preferably actively monitored
- Physical security personnel, in the form of guards or local police
- Redundant Internet connections and power supplies
Unfortunately, unless you’re putting together an offshore center from scratch, you won’t have much say in their physical security.
What you can do, though, is ask the right questions before signing a contract. Make sure your prospective partner has taken steps to protect your data physically as well as digitally.
No Off-Site Access to Sensitive Data
There is a flaw in all security.
It’s a threat that can bring down even the most thorough security procedures.
It’s human error.
No matter how secure your offshore development facility might be, it’s all for naught if a single employee leaves their laptop in a hotel room.
You can never fully account for human error, but you can do your best to keep its potential contained within a controlled environment, namely the office.
Implement a policy that sensitive data never leave sight of your security personnel.
Issue dedicated devices and laptops for business use, and enforce that they not leave the office except when absolutely necessary.
For additional security, you can go even further and dictate that flash drives, external hard drives, and unauthorized cloud storage services be verboten, as well.
Make clear that this policy is for the protection of the entire company, and institute penalties for violating it.
The alternative could be costly indeed, as organizations from Apple to the British government have found out the hard way.
Protecting Against IP Theft
Potentially the most dangerous offshore development security threat isn’t really security-related at all.
It’s the result of opportunism or simple misunderstanding as to the nature of outsourced work.
With more and more software development being outsourced, there’s a growing problem with unscrupulous developers doing work for one client, then selling it to another. Or simply releasing their own copycat product.
This happens frequently all over the world, and is often the cause of major disputes.
The issues here are legal ones. The answer is to simply choose a reputable partner, make sure their vendors are just as reputable, and build precise language into your contracts to prevent any problems.
Here are a couple of examples.
Strong NDA for Vendors
The best thing you can do to prevent a dishonest vendor from taking your IP is to provide a strong legal reason not to do so.
In other words, have them sign an NDA. A real one, that’s been vetted by an attorney, and preferably one familiar with the law of the country where the vendor resides.
In case of a dispute, you might need to sue the vendor. This is typically far easier done in their country of residence than by crossing international borders.
If your budget allows, consider retaining an attorney located in that country. In addition to providing applicable legal advice, they can act as your agent, serving papers or making court appearances as needed.
It’s a situation in which no one wants to find themselves, but it happens nonetheless.
Be prepared.
Ensure Full Ownership in Contract
Finally, be careful you, your offshore development firm, and any other vendors all understand the usage rights for any work performed.
Generally, you will want and require full ownership for any code written or other resources created for your product. This grants you sole usage of them, preventing those same resources from being used for any other purpose.
It’s important to have this written into the contract and clearly discussed. If you don’t, then any of your development vendors might simply assume that they are free to do as they wish with what they create for you.
And that could include selling them to your competitors, or even directly to end-users.
As with the NDA, it’s highly advisable to have a local attorney check over the contract before signing.
Conclusion
There’s a saying in the security industry that security is a negative sale. In other words, it’s not pleasant to talk about. It’s something you don’t want to need.
It’s a time sink, and it can be expensive, and it takes up attention and talent that could be directed towards creating your product.
But on the one day that you do need it, the day that your good preparation foils an attempted breach, you’ll be glad you put in the effort.
It could mean the difference between success and failure for your entire business.