Securing data when working with offshore teams is a well-known yet very challenging task. It’s especially serious if your company deals with financial or private data, such as ePHI (electronic protected health information). In some ways, though, data protection in an offshore scenario, while complex, is a straightforward task, especially for companies that are used to that kind of challenge in-house. Protecting Intellectual Property (IP) takes the challenge to a completely new level.
The risk of losing IP through offshore outsourcing is serious and real. I would venture to say that the overall price tag of IP loss in offshore outsourcing is measured in billions. For example, a friend of mine found himself out of a job after an IP ordeal with an outsourcing company in Eastern Europe. He was responsible for a product line in the developer tools space in the late nineties. He found and hired a group of very talented engineers from Byelorussia. The requirements were coming from the USA, and the development work was done 100% offshore. Source control and the document repository were maintained offshore, which seemed to be the right approach considering the aggressive nature of the project and the weak communication infrastructure. Cutting to the chase: when it came to transferring the finished product into the hands of the owner, the team in Byelorussia simply refused to do so. Initially they asked for some ridiculous amount of money, but later on they dropped out of negotiations, re-branded the product and took it to the market themselves…
To mitigate the risk, you first need to understand the channels of IP loss. Here are the main ones to consider:
- There is a clear possibility of malicious or criminal acts involving your IP. Your product idea could be stolen, repackaged and sold by the very partner you have trusted with it. Not just the idea, but also the source code, processes and documentation.
- An even more probable scenario arises when a disgruntled or “entrepreneurial” employee of your vendor takes advantage of having access to your IP, source code, etc. Of course, that could happen with your own staff; offshore just exacerbates the issue and increases the probability.
- Immaturity of the vendor’s infrastructure (physical security, network security, etc.) could become a reason for massive IP loss or data exposure. Insufficient physical, network and data security opens up data and IP to hackers of all sorts.
- Poor understanding of data and IP security, or an insufficient or non-existent security policy framework, has a similar effect, often with even more severe consequences.
- Casual treatment of IP security by your vendor. I remember visiting one offshore outsourcer in Eastern Europe. During a tour of the facilities my guide brought me to an office which had a number of expensive physical guards in place. We still went inside and my guide started: “Here is where we have a super secret project with a company I cannot name; they are a major search engine that rhymes with ‘frugal’, wink, wink. Those guys use our Ph.D.s to…”
What can you do to minimize or mitigate the risks of IP loss with your outsourcing partner? That will be the next post.