Data Leakage Risks When Outsourcing Software Development

Published: February 12, 2018 7 min. read
Svitla Team
By Svitla Team
Managed Operations Cybersecurity
790-data_leakage.jpg

 

High-profile cyberattacks create a growing concern for today’s businesses. Even a global accounting and auditing giant such as Deloitte can become the victim of a data leak, as well as other powerhouses such as Yahoo and Equifax who have suffered major hacks that resonated throughout the world this year. Three billion user accounts from Yahoo and 143 million accounts from Equifax were compromised this year alone.  

These massive data breaches may have served as a wake-up call for other business entities. However, despite the potential threat, EY's 19th Global Information Security Survey 2016-17 revealed that 62% of enterprises would be unlikely to invest more money into cybersecurity after going through a data breach that did not result in harm. Furthermore, 68% of the surveyed businesses would not increase their security spending even if they did suffer from the attack.

That said, Gartner research asserts that not all organizations are as apathetic about the issue. Indeed, some realize that security policies need a serious overhaul in order to resist different types of data security breaches. Unfortunately, the risks vary and are numerous: incomplete NDAs, fragile cloud services, malware, careless BYOD (Bring Your Own Device) policy, unreliable software development outsourcing providers, and more.

Still, data security solutions in custom software development involve taking a few essential data leakage precautions. Read on to explore these and learn how to strengthen your collaboration with outsourcing companies.

Data Loss Prevention Issues to Consider

In outsourcing software development services, costs and service level agreements (SLAs) are not the only aspects weighing on the success of the engagement as data security also remains an important factor. However, detecting offshore data security breaches may not be promptly discovered due to noncompliance in regulation and/or a poor security policy of the vendor. Also, some countries have different policies regarding the issuance of data breach notices as some may require an immediate notice, while the country where the outsourced company resides may not have such strict standards. 

Because of these concerns, entrusting sensitive customer data to third-parties should be a well-thought-out decision with a substantial data loss prevention system (DLP system) in place.

First, it is recommended to define what type of data a company is going to share with third-parties to ensure all risks are properly assessed. While one data set may be subject to laws on personal data, another may fall under intellectual property (IP) rights protection.

We also recommend having a Data Processing Agreement (DPA) in place which outlines the way data is to be processed, stored, transferred, and protected. When getting the document ready, it is crucial to consider rules, limitations, or obligations imposed on the vendor, since legislation may differ immensely. For example, if an outsourcing software company is located in the EU member state, the data owner needs to consider GDPR regulations. DPAs may also include information about subcontractors or affiliates that would be authorized to access the data. Here, companies should clearly define access rights and responsibilities of all parties so it is understood to what extent the data can be processed and who is eligible to do so.

Having a workable recovery plan at hand is another proven data security solution to have in place. Most organizations prefer storing sensitive data on corporate servers with regular backups rather than stored in the cloud. Data security experts at Svitla also support this decision and suggest sticking to this plan:

  • Doing data backups
  • Archiving data
  • Doing project backups
  • Making data storage safe

To ensure data is securely transferred, Svitla also advises using a dedicated virtual private network (VPN) connection. This would be a great addition to your security measures.  

 

Software Development Security Advice

The truth is, many software development outsourcing companies establish secure work principles, but not all of them truly enforce these policies which can make vendor selection tough to navigate. Due diligence, including legal and data security techniques assessment, is an essential element of this process, and when done properly, the level of trust between the two cooperating parties will significantly increase. So, what makes a contractor reliable?

  1. The vendor produces a documented Information Security Management System to ensure client data loss prevention and places emphasis on enforcing this policy as an important component of their business. The policy should cover the following points:
    • networks with password/access authorization;
    • a three-layer firewalled Ingress traffic;
    • domain authorization for client servers and client supported machines;
    • extensive logging to monitor both inbound and outbound traffic;
    • project specific subnet firewalled from the rest of the organization;
    • isolated VLAN network architecture;
    • intrusion detection along with spam and virus monitoring.
  2. The outsourcing provider stores all source code on internal servers with VPN or private network access, and users have individual logins and passwords to log their activities. If using cloud services is an integral part of software development, the most effective way to prevent a data breach is to apply approved encryption algorithms such as AES, RSA, and SHA-256.
  3. The vendor has obtained certifications like ISO 2700 which guarantees that they handle client data responsibly and take the necessary measures to avert the risk of data leakage. In addition to this, one should also evaluate how the data security policies are implemented inside the vendor company and what staff training is conducted.
  4. The provider has specially trained units to further monitor and control interactions with vendors. As a rule, regular audits are conducted as part of the risk mitigation policy, which we describe in more detail below.  
Cybersecurity Managed Services Require the Most Reliable Partners Explore how Svitla Systems can safeguard your business with expert cybersecurity management and innovative solutions. Contact Us

Effective Risk Management in Place

Evaluating risks in outsourcing software development is an ongoing process. By drafting risk mitigation strategy documents, Chief Information Officers (CIOs) assure their companies do not leave the door open for cyber attack and therefore do their best to avoid data leaks, brand damage, and financial loss.    

The planning should start as early as possible with identifying, assessing, and prioritizing risks as well as finding suitable risk mitigation and monitoring approaches.  

The data security techniques applied in risk mitigation strategies are often based on the evaluation of the risk occurrence and the consequences it might entail. Generally, CIOs make use of these risk management methods:

Accepting. Acknowledging that there is a risk that impacts the project without taking any further steps to take it under control or eliminate it. It requires top management approval.
Avoiding. Adjusting project schedule, goals, and scope to reduce potential risks.
Controlling. Taking action to handle risks or minimize their damaging effect.
Transferring. Changing stakeholders that would agree to accept the risk and bear the responsibility for taking this decision.
Watching. Monitoring changes in the project environment that may increase risks or change their nature.

Regarding risk management, CIOs advise a forward-thinking approach: considering local IP laws, getting risk management plans ready well in advance, and evaluating changing conditions. To successfully implement data loss prevention strategies, Svitla’s information security experts recommend making a list of the most serious risks to monitor and communicating about potential threats with contractors.

On top of the risk mitigation document, it is crucial to check business continuity plans, information security policies, certificates on data safety, and the ways outsourcing companies deal with the IP of their clients. Also, make sure Master Service Agreement (MSA) provisions are in compliance with company standards and data security policies.

Trust but Verify

Security in software development will always remain the first concern when interacting with software companies. Without due diligence of the overseas provider, DLP solutions will not operate as effectively as they should. However, after carefully evaluating the vendor’s security capabilities and agreeing upon a plan of action, this plan should be documented in the engagement contract so both parties clearly understand their responsibilities and obligations.

To reduce third-party perils, businesses need to continuously involve themselves in the software development process. Even if the vendor takes all necessary measures to avoid data loss, there is still a chance that some vulnerabilities may yet emerge. Obviously, DLP activities should include not only systematic security monitoring but also regular penetration testing, which will help uncover existing and new pitfalls long before cybercriminals would exploit them. This is especially important when adding new infrastructure or using open-source software.

The likelihood of being breached should never be undervalued. Security measures may seem to be overkill at first but will help prevent costly code fixing or worse, data leak recovery.
 

Written by
Svitla Team
790-data_leakage.jpg

FAQ

What are the main data leakage risks when outsourcing software development?

The major risks of data leakage when outsourcing software development include incomplete or weak NDAs, inadequate security policies or vendor noncompliance, differences in country laws regarding notifications of a data breach, and the third party being unreliable or careless with sensitive information. Others include insecure cloud service, malware, inadequate BYOD policies, and the absence of appropriate data processing agreements. Clearly defining what data is shared will go a long way in ensuring strong contractual agreements between parties involved, as well as utilizing secure methods of data transfer and conducting regular monitoring and auditing of the vendor’s security practices.

How can companies prevent data leaks when working with outsourcing vendors?

To prevent data leaks, a robust DLP system must be implemented to protect against all modes of data sharing or receipt, defining the categories or types of data that are to be shared. This should strictly develop a Data Processing Agreement which would clearly define how the data is processed, stored, and transferred, and protected under any applicable legislation (like GDPR). Vendor due diligence must also include having a documented and enforced Information Security Management System, in addition to secure data storage and transfer (e.g., the use of VPNs and encryption), with appropriate certification (e.g., ISO 27001 certification). Compliance should also cover regular audits and penetration testing in addition to having actionable risk mitigation plans.

What should be included in a data security contract with an outsourcing provider?

A data security agreement with an outsourcing provider should clearly define the types of data being shared and the rules on how data is processed, stored, transferred, and protected. Access rights and responsibilities of all parties must be defined, as well as relevant regulations (such as GDPR) compliance, and in cases where subcontractors or affiliates are used. The contract should also require security measures from the provider, including encryption and secure networks, plus regular auditing, as well as a recovery and backup plan. Regular monitoring and reporting, as well as immediate notification in any case of breach, must also be ensured.

How do you handle a data security incident with an outsourcing partner?

A data security incident involving an outsourcing vendor rightly invokes a plan that has been tested for practical recovery and clear lines of communication. Organizations, in their agreements, must require the vendor to notify them immediately about any lapse, as per their regulatory requirements. There should be a proper system for regular backup of data and its safe storage, presumably on corporate servers, to make recovery possible. Vigilance, combined with regular penetration testing, is a good housekeeping practice that identifies vulnerabilities before they become problems, thereby reducing the impact of any incident.

What are the best practices for limiting data exposure when outsourcing software development?

Best practices include sharing only the minimum data with the outsourcing vendor and clearly defining what information is accessible to them. Strong contractual agreements, such as Data Processing Agreements, should be established to include rules on data handling and access rights. Some elements of secure data transfer include using a VPN, employing encryption, storing sensitive data only on protected corporate servers, etc. Regular auditing, along with staff training and ongoing monitoring of the vendor’s security practices, will also ensure continuity and prompt detection of any potential risks.