Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Out of Sight, Not Out of Mind

Our competitors are cutting the costs of the goods they produce by offshoring, and so we must conduct business in the same manner.

Getting outsourcing to practise what you preach

From an information security perspective, my company's offshoring strategy has been a nightmare. I have seen very little awareness of information security requirements among our offshore partners, and cultural differences extend to what constitutes intellectual property and how it should be handled.

But despite all the grief offshoring brings me, it's a practice we can't afford to abandon. Thus, I am in the midst of a world tour, visiting China, Korea, Singapore and Taiwan last month, heading to India this month and then making my way to Europe and Russia next month.

We have employees in each of these countries doing very important work for us, and without those relationships, we would have a hard time surviving in our industry. Our competitors are cutting the costs of the goods they produce by offshoring, and so we must conduct business in the same manner.

This fact of life can be hard to keep in mind, though, when I am constantly getting calls from our CIO and legal department telling me about suspicious behaviour of overseas employees and allegations of intellectual property theft. The same sorts of things can happen with local employees, of course, but there has been an increase in reports of such activity in certain overseas locations. Worse, the laws in these areas are not always clear or completely enforceable, so even if we do catch someone, there's not much we can do other than fire him.

These trips, then, are giving me an opportunity to make some firsthand observations about security practices at the various sites and to try to educate our overseas employees about the serious ramifications that come with ignorance of security policies.

On the East Asian leg of my tour, I visited some of our company's major customers. They regularly call our service technicians to conduct routine maintenance on our equipment, which is very sensitive and requires a considerable amount of calibration on a regular basis. I have talked before about the value and importance of the intellectual property that's contained in the service manuals used by our technicians and about my investigation into digital rights management (DRM) as a means of protecting this intellectual property. The service business generates a significant amount of revenue for my company; if the service manuals fall into the wrong hands, a third party or rogue employee could offer our customers discounted service, and we'd be out a lot of revenue.

But by being on the ground at customer sites, I learned how the service technicians really work and found out that simply instituting DRM without taking other measures will do nothing to protect our intellectual property. For the most part, the service technicians just print out a few pages of the PDF manual to bring into customer facilities. It seems that many of our customers have strict policies on bringing in laptops, CD-ROMs or other external media. In addition, the printed copies are easy to take notes on. So, security needs are crashing up against the operational needs of our technicians. Another complication is that some of the DRM technology I've been looking at requires an Internet connection to obtain policy information, yet all of the facilities I visited restrict Internet access.

As the Cookie Crumbles

Next up was security awareness training. Because of the workload of the employees, I was given only an hour, but I could have gone on for six hours on this topic. Needing to be brief, I first spoke about intellectual property. Needing to get my point across to people who don't have the best command of the English language, I started out with a basic definition and then related intellectual property to chocolate chip cookies. Everyone likes cookies, I said, and everyone has a favourite brand. But what makes one taste better than another? It's the recipe - the ingredients, the amounts and the baking temperature - and a cookie company's recipe must be kept secret from competitors; it is intellectual property. For my company, the recipe is the "bills of materials", the specifications of the components, which are intellectual in nature and set us apart from our competitors. I seemed to get my point across, and I had enough time left to discuss the need for basic awareness of issues such as virus protection, incident reporting, social engineering, our acceptable-use policy and wireless security.

At each site, I also conducted some limited vulnerability assessments. I had my laptop, which I dual-booted to Linux. On the Linux partition, I had a fresh install of Nessus, a freely available assessment tool, and I used it to run some scans of the local network, including desktops and servers. Nessus discovered ports that were responding on some of the desktops, which indicated that some users' machines might be infected with malicious code that operates by opening a port and waiting for a remote connection. I prepared a report and presented it to the local IT guy at each site.

I had also brought my handy PDA with AirMagnet software installed, which I used to detect several wireless access points connected to our network. We were able to find out which user had deployed these access points. As I suspected, the access points were available for a few dollars at a local market, and the user thought it would be convenient to be able to roam around the office without being tied to Ethernet ports. He didn't understand the security ramifications of installing rogue access points or the policy that we have in place prohibiting them. Apparently, that policy wasn't fully translated into the language he speaks.

With four countries behind me, this trip has already been worthwhile, and I anticipate that the same sorts of issues and challenges will arise as I continue my travels. v

"Mathias Thurman" is the nom de plume is a real security manager whose name and employer have been disguised for obvious reasons

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: AirMagnet

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Whitepapers
Latest Stories
Community Comments
Latest Blog Posts
Whitepapers
  • IDC MarketScape: Worldwide Business Process Platforms 2011 Vendor Analysis
    Enterprises adopting business process management (BPM) software have wide-ranging needs, from highly dynamic task management to complex, high-volume processing with a focus on straight-through automation and the ability to rapidly detect exceptions. This IDC MarketScape focuses on what we call business process (BP) platforms, which are optimized to support midrange to more complex use cases. Read on.
    Learn more »
  • Pathways Advanced ICT Leadership Development Program Brochure and Course Outline 2012
    Developed by the CIO executive Council in conjunction with Rob Livingstone Advisory, Pathways Advanced is a 12-month CIO delivered, small group, mentor based professional leadership development program. Pathways Advanced brings together best practice, thought leadership and business insights for today’s most promising ICT professionals
    Learn more »
  • Leveraging the Service Catalog to Scale Your MSP Business
    When assessing an MSP’s maturity and prospects, one question provides more insights than any other: “What’s in your service catalog?” A well-defined service catalog can set the framework for growth. The lack of a service catalog can significantly impede an MSP’s ability to scale. This paper explores why the service catalog is so vital, and provides some practical guidelines MSPs can apply in order to ensure their service catalog provides maximum utility and benefit.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments