Managing Project Security with a Distributed Workforce
Every time we talk to clients about their outsourcing/contractor needs, especially when it comes to tech projects, the issue of security is foremost in their minds. Managing a distributed workforce that works from multiple locations, especially when it includes international contractors, can be a security nightmare if it isn’t handled well – and people are right to be concerned. With the right precautions, however, the security risks of a contractor-based workforce can be largely mitigated – and you can develop your project without having to worry about the theft of your intellectual property or the compromise of your sensitive systems.
Compartmentalization of Projects
The first concept that you should be familiar with is compartmentalization. Basically, contractors that are working on your projects should only ever have access to project files that are directly related to their jobs – and individual projects should operate independently of the rest of your corporate network and systems. If one contractor is a “bad apple” and tries to steal information and records, they should not have access to anything sensitive that is held by other departments in your company. For example, a graphic design contractor shouldn’t be given access to the same server where your company’s financial information and client records are stored.
Compartmentalization can be both physical and administrative. To begin with, don’t give access to your corporate network to anyone that doesn’t absolutely require it. Many companies (including retail giants like Costco) use “air gapped” networks specifically for contractors and third parties – basically putting them on their own 4G-powered network so they can’t compromise internal corporate security but can still have full connectivity and can get their work done. Administrative compartmentalization is done through the permissions that you can alter in collaborative software and project management systems. You want to give your contractors access to everything that they need to do their jobs – but you can also restrict that access to read-only if necessary for certain documents, and can track their changes to other files to ensure that everything is above board.
Divide and Conquer
For some companies, the value of the company lies in closely held intellectual property and business plans that could be “stolen” and replicated elsewhere if security is compromised. For example, say you have an innovative idea for an app and want to have a freelancer design the app for you… how can you prevent that freelancer from simply taking your idea and selling it themselves?
You can protect yourself with legal barriers and by dividing the project up. Legally, you should always have non-disclosure agreements signed by your freelancers – and the terms of your contract should spell out your ownership of the deliverables and the terms by which they must delete your intellectual property upon project completion. Be aware, though, that these contracts might be hard to enforce when broken by international contractors because of the relatively high costs of legal action against international companies and individuals. In these cases, your best protection is to divide the project so no single contractor has the complete picture of the app/project that you are building – a tactic that is commonly used by hardware companies that want to protect their designs before assembling the product in their own domestic location.
Last, but not least, the best protection against a security breach is to only hire trustworthy contractors and firms to begin with. Most freelancer websites have a heavy focus on reputation and reviews so companies know that they are getting a highly recommended freelancer – and you should be wary of hiring someone without a record of completed projects that suggests their former employers are happy with them. If you hire a contractor locally, or find one through another website that doesn’t keep reputation records, ask to contact past employers and to see their portfolio. A contractor that hesitates to provide contact information for their past employers may be hiding a bad experience, or they may be trying to take credit for a project that they weren’t instrumental in completing. The vast majority of contractors and freelancers are reputable people that will genuinely do their best for your company – but you should always trust your gut feeling and interview everyone that you consider bringing into a project.