Trend: As offshoring development work grows, so do risks to intellectual property

Published 18 October 2007

More and more organizations are eager to enjoy the benefits and advantages of offshoring development work; they should be aware that this entails a growing risk of trade-secret theft and leakage.

The problem of theft of trade secrets and intellectual property is not new (did somebody say “China”?), but globalization and the outsourcing of development work have made it more acute. How can companies ensure that their intellectual property is safe and doesn’t get into the wrong hands? Joel Christner, manager of product management at Mountain View, California-based Reconnex, offers useful advice. He writes that there are many benefits and advantages to offshore development, but organizations eager to enjoy these benefits must also put in place the right security and guidance measures to ensure that sensitive information which provides market advantage does not end up in the possession of a hungry competitor or potential competitor. He emphasizes that these security measures must not only prevent the intentional or unintentional distribution of confidential or otherwise sensitive information, but also provide guidance to employees who may not be aware of the sensitivity or confidentiality of the data being distributed.

One of the primary challenges of managing confidential information in offshore development environments is distance, and, by definition, offshoring means increasing distance. “The further away an office, a facility or a team is from headquarters, the more challenging it is to manage and ensure the dissemination of corporate policy about data confidentiality,” he writes. There is often a perceived inverse relationship between distance and the criticality of a business process: an employee in a distant location may not feel as compelled to adhere to a business process, such as corporate standards for handling confidential information, as an employee who is part of the headquarters team that is trying to enforce the process.

Christner says that only a multi-faceted approach will do. Such an approach would include an analysis of the security posture of the network perimeter (who can get in or out), validation of appropriate information access control (who can access what information), examination of information storage repositories (what is stored where and why, and determining how sensitive it is), control of information leaving a controlled repository or the network itself, and capture of forensic data for investigation should sensitive data leak through the corporate boundary. In addition, three approaches to data security