Data Leakage Risks When Outsourcing Software Development

High-profile cyber attacks create a growing concern for today’s businesses. Even a global accounting and auditing giant such as Deloitte can become the victim of a data leak, as well as other powerhouses such as Yahoo and Equifax who have suffered major hacks that resonated throughout the world this year. Three billion user accounts from Yahoo and 143 million accounts from Equifax were compromised this year alone.  

These massive data breaches may have served as a wake-up call for other business entities. However, despite the potential threat, EY's 19th Global Information Security Survey 2016-17 revealed that 62% of enterprises would be unlikely to invest more money into cybersecurity after going through a data breach that did not result in harm. Furthermore, 68% of the surveyed businesses would not increase their security spending even if they did suffer from the attack.

That said, Gartner research asserts that not all organizations are as apathetic about the issue. Indeed, some realize that security policies need a serious overhaul in order to resist different types of data security breaches. Unfortunately, the risks vary and are numerous: incomplete NDAs, fragile cloud services, malware, careless BYOD (Bring Your Own Device) policy, unreliable software development outsourcing providers, and more.

Still, data security solutions in custom software development involve taking a few essential data leakage precautions. Read on to explore these and learn how to strengthen your collaboration with outsourcing companies.

Data Loss Prevention Issues to Consider

In outsourcing software development services, costs and service level agreements (SLAs) are not the only aspects weighing on the success of the engagement as data security also remains an important factor. However, detecting offshore data security breaches may not be promptly discovered due to noncompliance in regulation and/or a poor security policy of the vendor. Also, some countries have different policies regarding the issuance of data breach notices as some may require an immediate notice, while the country where the outsourced company resides may not have such strict standards. 

Because of these concerns, entrusting sensitive customer data to third-parties should be a well-thought-out decision with a substantial data loss prevention system (DLP system) in place.

First, it is recommended to define what type of data a company is going to share with third-parties to ensure all risks are properly assessed. While one data set may be subject to laws on personal data, another may fall under intellectual property (IP) rights protection.

We also recommend having a Data Processing Agreement (DPA) in place which outlines the way data is to be processed, stored, transferred, and protected. When getting the document ready, it is crucial to consider rules, limitations, or obligations imposed on the vendor, since legislation may differ immensely. For example, if an outsourcing software company is located in the EU member state, the data owner needs to consider GDPR regulations. DPAs may also include information about subcontractors or affiliates that would be authorized to access the data. Here, companies should clearly define access rights and responsibilities of all parties so it is understood to what extent the data can be processed and who is eligible to do so.

Having a workable recovery plan at hand is another proven data security solution to have in place. Most organizations prefer storing sensitive data on corporate servers with regular backups rather than stored in the cloud. Data security experts at Svitla also support this decision and suggest sticking to this plan:

• Doing data backups
• Archiving data
• Doing project backups
• Making data storage safe

To ensure data is securely transferred, Svitla also advises using a dedicated virtual private network (VPN) connection. This would be a great addition to your security measures.  

Software Development Security Advice

The truth is, many software development outsourcing companies establish secure work principles, but not all of them truly enforce these policies which can make vendor selection tough to navigate. Due diligence, including legal and data security techniques assessment, is an essential element of this process, and when done properly, the level of trust between the two cooperating parties will significantly increase. So, what makes a contractor reliable?

1. The vendor produces a documented Information Security Management System to ensure client data loss prevention and places emphasis on enforcing this policy as an important component of their business. The policy should cover the following points:
   • networks with password/access authorization;
   • a three-layer firewalled Ingress traffic;
   • domain authorization for client servers and client supported machines;
   • extensive logging to monitor both inbound and outbound traffic;
   • project specific subnet firewalled from the rest of the organization;
   • isolated VLAN network architecture;
   • intrusion detection along with spam and virus monitoring.
2. The outsourcing provider stores all source code on internal servers with VPN or private network access, and users have individual logins and passwords to log their activities. If using cloud services is an integral part of software development, the most effective way to prevent a data breach is to apply approved encryption algorithms such as AES, RSA, and SHA-256.
3. The vendor has obtained certifications like ISO 2700 which guarantees that they handle client data responsibly and take the necessary measures to avert the risk of data leakage. In addition to this, one should also evaluate how the data security policies are implemented inside the vendor company and what staff training is conducted.
4. The provider has specially trained units to further monitor and control interactions with vendors. As a rule, regular audits are conducted as part of the risk mitigation policy, which we describe in more detail below.  

Effective Risk Management in Place

Evaluating risks in outsourcing software development is an ongoing process. By drafting risk mitigation strategy documents, Chief Information Officers (CIOs) assure their companies do not leave the door open for cyber attack and therefore do their best to avoid data leaks, brand damage, and financial loss.    

The planning should start as early as possible with identifying, assessing, and prioritizing risks as well as finding suitable risk mitigation and monitoring approaches.  

The data security techniques applied in risk mitigation strategies are often based on the evaluation of the risk occurrence and the consequences it might entail. Generally, CIOs make use of these risk management methods:

Accepting. Acknowledging that there is a risk that impacts the project without taking any further steps to take it under control or eliminate it. It requires top management approval.
Avoiding. Adjusting project schedule, goals, and scope to reduce potential risks.
Controlling. Taking action to handle risks or minimize their damaging effect.
Transferring. Changing stakeholders that would agree to accept the risk and bear the responsibility for taking this decision.
Watching. Monitoring changes in the project environment that may increase risks or change their nature.

Regarding risk management, CIOs advise a forward-thinking approach: considering local IP laws, getting risk management plans ready well in advance, and evaluating changing conditions. To successfully implement data loss prevention strategies, Svitla’s information security experts recommend making a list of the most serious risks to monitor and communicating about potential threats with contractors.

On top of the risk mitigation document, it is crucial to check business continuity plans, information security policies, certificates on data safety, and the ways outsourcing companies deal with the IP of their clients. Also, make sure Master Service Agreement (MSA) provisions are in compliance with company standards and data security policies.

Trust but Verify

Security in software development will always remain the first concern when interacting with software companies. Without due diligence of the overseas provider, DLP solutions will not operate as effectively as they should. However, after carefully evaluating the vendor’s security capabilities and agreeing upon a plan of action, this plan should be documented in the engagement contract so both parties clearly understand their responsibilities and obligations.

To reduce third-party perils, businesses need to continuously involve themselves in the software development process. Even if the vendor takes all necessary measures to avoid data loss, there is still a chance that some vulnerabilities may yet emerge. Obviously, DLP activities should include not only systematic security monitoring but also regular penetration testing, which will help uncover existing and new pitfalls long before cybercriminals would exploit them. This is especially important when adding new infrastructure or using open-source software.

The likelihood of being breached should never be undervalued. Security measures may seem to be overkill at first but will help prevent costly code fixing or worse, data leak recovery.