Your Intellectual Property Deserves Iron-clad Security From Your Outsourcer

Posted by Copyright Law on July 15th, 2009 at 12:41pm

Insight

Intellectual property security breaches are making headline news with alarming frequency and creating headaches for consumers, businesses, governments and institutions everywhere. The specter of identity and intellectual property theft hangs over everyone’s head, brought home by incidents like the following:

• Two 200-MB files containing incomplete portions of the source code for Windows 2000 and Windows NT operating systems were stolen and posted to the Internet. An individual downloaded the code and offered it for sale. An undercover FBI agent bought the code and the seller was indicted under the U.S. Economic Espionage Act. 1

• The video game industry, worth over $20 billion, shook when news came out about the hacking of the computer network and Internet-leaking of the source code at Valve Software, the maker of the mega-popular Half-Life 2, a first-person shooter (FPS) video game. The financial ramifications of source code already licensed to developers, but now available for free on black-market sites, are something no executive wants to encounter. 2

• The U.S. Federal Trade Commission (FTC) announced that consumer data broker ChoicePoint, Inc., will pay $10 million in civil penalties and provide $5 million for consumer redress to settle FTC charges that its security and record-handling procedures violated consumers’ privacy rights and federal laws. Because of the security breach, at least 800 cases of identity theft have been reported. 3

Today companies must employ safeguards across the entire enterprise to ensure that intellectual property is secure. As outsourcing vendors are increasingly being entrusted with a company’s intellectual property in order to leverage cost savings and productivity gains, these vendors must also fall under the firm’s security checks. It is imperative that companies scrutinize every aspect of an outsourcer’s security protocols to protect valuable intellectual property.

What can companies do?

When intellectual property is breached or stolen, any business is in for a rocky ride. All too often, a company believes its security measures are satisfactory, but then something happens and it becomes evident that the security in place was not good enough. And “not good enough” is unacceptable if your company’s intellectual property is at stake. Like the proverbial locking of the barn door after the horse has already bolted, improving security after data theft happens is too late.

When companies outsource their valuable intellectual property, the potential for increased risk is there. Although the governments of China and India have made strides to address copyright infringement, clearly work still needs to be done. The wheels of justice turn slowly and outsourcing vendors cannot rely on government agencies to police intellectual property. Unfortunately, not all outsourcers value their customers enough to invest in state-of-the-art security, nor do they have a culture where integrity is at the core.

As part of the due diligence process when selecting an outsourcing vendor, organizations should determine that the outsourcing vendor adheres to the highest security standards to ensure their valuable intellectual property is safe, and specific security arrangements should be detailed in the contract. A reputable outsourcing vendor would respect and applaud these efforts.

Practice IP-safe outsourcing.

It is critical that an offshore outsourcing company invest in and employ a multi-faceted safeguard approach to protect the client’s critical business information. A good vendor regards their clients’ intellectual property as central to their own business success. To achieve maximum intellectual property protection, Long Circle recommends that, as part of the security due diligence process, a company examine how an outsourcer addresses the following areas.

• Weak links: Unethical or unsuspecting employees

Unethical employees are an obvious risk to vulnerable data. Development departments everywhere have to be on guard to ensure that back-door code doesn’t slip by, that “do not enter” safeguards are in place so hackers can’t get in, and that “does not leave the premises” protection is in place so employees can’t steal intellectual property. However, experts caution that yet another serious security challenge faces corporations today: social engineering.

Mobile phone accounts of 400 T-Mobile customers – including socialite Paris Hilton’s Sidekick II device – were compromised by hackers. Hilton’s videos, personal phone numbers of her celebrity friends and messages immediately hit Internet sites, as well as providing fodder for late night TV monologues. According to a story reported by the Washington Post, a hacker posing as a T-Mobile employee obtained access to security information that was provided by an unsuspecting employer via a phone call. The practice of social engineering – tricking someone with legitimate access to restricted data to reveal confidential information – underscores the need to train employees to guard against inadvertently giving away sensitive data over the phone, in person, or in public.

• Secure the perimeter

Intellectual property should be locked in a remote site which has a strong security defense against unwanted access. The building itself, the entrance, and the sensitive areas should be guarded to ensure end terminals cannot be tampered with. In addition, a bag check policy should be applied to employees and guests alike: no data copying device can be brought in the door and no data can leave the premises. Protocols should include measures such as requiring guests and contractors to sign in when they enter the premises, wear identification badges, and be accompanied at all times by designated employees, with their access limited and monitored.

• Many eyes

The outsourcer should have a culture where each employee takes security, privacy, and integrity to heart. Security is about patrolling the beaches. Privacy is about keeping information in only the right hands. Integrity is about demonstrating the proper care, behavior, and attitude towards protecting the client’s intellectual properties. Alert and vigilant employees are one of the best guards against threats to a client’s intellectual property.

• Separate and secure

The confidential information of each client should be physically segregated. The client’s software and hardware design should be stored on secured servers that can only be accessed by authorized personnel, and network traffic should be contained on a dedicated Ethernet network (LAN).

In addition, development teams should work in physically separate areas with restricted access. As a general policy, proprietary client information should not be shared between employees who work on separate teams; violations should result in severe consequences.

• Stop leaks

It goes without saying that background checks should be conducted on all employees. An outsourcer should enforce a strict policy that forbids any employee to remove, copy, print, or transmit any data, and the physical plant should support the policy. Computers that handle client information should be physically bolted down, stripped of all copying devices and external device interfaces, and connected to an isolated LAN that allows only traffic destined to pre-programmed, legitimate addresses. Although employees have e-mail and Internet access, there should be no Internet access on any client-dedicated workstation.

Conclusion

IP-based businesses now represent the largest single sector of the U.S. economy and, according to the U.S. Commerce Department, intellectual property theft costs U.S. businesses an estimated $250 billion per year and 750,000 American jobs.

An outsourcer is not only tasked with R&D development, but equally important, is expected to keep that intellectual property safe. No company can afford to do business with an outsourcing vendor that bypasses or takes shortcuts with security. As a company moves its intellectual property offshore, it must take care that security is not left behind.

About Long Circle

Long Circle provides outsourced engineering services to companies whose products and services rely on embedded software and hardware technology. Long Circle and the Long Circle China Center of Excellence enable U.S. companies to reduce costs, increase engineering bandwidth, and broaden market reach by providing low-risk, strategic access to China’s engineering talent, manufacturing industry, and emerging markets. To learn more about Long Circle, visit http://www.longcircle.com.

Hayden Hong, the founder and CEO of Long Circle, has over a decade of outsourcing and consulting experience. Prior to founding Long Circle, Hong was the president and founder of MacaoDude, a consulting firm that counts among its clients Motorola, Nortel, and various high technology companies in the Boston 128 area. In 2005, Hong merged the two companies to provide U.S. companies with low-risk, convenient access to China’s engineering talent, manufacturing industry, and emerging markets. His background includes managing U.S.–China offshore R&D projects for GE, as well as management positions at Broad Reach Communications, a GE partner. Hong received an MSEE degree from Purdue University and a BSEE degree from Northeastern University, graduating magna cum laude.