From an information security perspective, my company’s offshoring strategy has been a nightmare. I have seen very little awareness of information security requirements among our offshore partners, and cultural differences extend to what constitutes intellectual property and how it should be handled.
But despite all the grief offshoring brings me, it’s a practice we can’t afford to abandon. Thus, I am in the midst of a world tour, visiting China, Korea, Singapore and Taiwan last month, heading to India this month and then making my way to Europe and Russia next month.
We have employees in each of these countries doing very important work for us, and without those relationships, we would have a hard time surviving in our industry. Our competitors are cutting the costs of the goods they produce by offshoring, and so we must conduct business in the same manner.
This fact of life can be hard to keep in mind, though, when I am constantly getting calls from our CIO and legal department telling me about suspicious behavior of overseas employees and allegations of intellectual property theft. The same sorts of things can happen with employees in the U.S., of course, but there has been an increase in reports of such activity in certain overseas locations. Worse, the laws in these areas are not always clear or completely enforceable, so even if we do catch someone, there’s not much we can do other than fire him.
These trips, then, are giving me an opportunity to make some firsthand observations about security practices at the various sites and to try to educate our overseas employees about the serious ramifications that come with ignorance of security policies.
On the East Asian leg of my tour, I visited some of our company’s major customers. They regularly call our service technicians to conduct routine maintenance on our equipment, which is very sensitive and requires a considerable amount of calibration on a regular basis. I have talked before about the value and importance of the intellectual property that’s contained in the service manuals used by our technicians and about my investigation into digital rights management (DRM) as a means of protecting this intellectual property. As I said then [”Intellectual Property Is Focus at New Job,” Aug. 22, 2005], the service business generates a significant amount of revenue for my company. If the service manuals fall into the wrong hands, a third party or rogue employee could offer our customers discounted service, and we’d be out a lot of revenue.
But by being on the ground at customer sites, I learned how the service technicians really work and found out that simply instituting DRM without taking other measures will do nothing to protect our intellectual property. For the most part, the service technicians just print out a few pages of the PDF manual to bring into customer facilities. It seems that many of our customers have strict policies on bringing in laptops, CD-ROMs or other external media. In addition, the printed copies are easy to take notes on. So, security needs are crashing up against the operational needs of our technicians.
