Protecting Your Company’s Security Posture When Doing Business OffShore
Look before you leap when offshoring critical processes
By Vicki Phelan, Cliff Justice and Charles Arnold, EquaTerra
In their rush to find ways to slash steadily mounting domestic R&D costs, pharmaceutical companies should pause to consider a number of factors before outsourcing processes offshore to make sure their intellectual property is protected and other guarantees are in place.
Among the questions pharmaceutical companies must answer before outsourcing offshore are:• Will my security be compromised?• Will offshore employees be screened properly?• Will adequate training be provided for those who will represent my company offshore?• Is the country where my processes will be outsourced safe and stable?• Does the country provide incentives to further reduce my operating costs?• What are the country’s Intellectual Property protection laws?
For those ready to make the move to offshore processes, here’s how to make sure you find an outsourcing service provider that will protect your valuable resources:
Employ Vast HR Security Measures
Protecting your company’s intellectual property (IP) often starts at the HR level. Your service provider should have a vast number of hiring and screening safeguards in place. For example, does your service provider conduct standard background checks of offshore employees? Are they aware of country-specific nuances in conducting such checks? Because the background check process is more labor-intensive in other parts of the world, is your provider doing proper due diligence? In India, for example, companies can’t run background investigations at the same level they can in the United States. Companies must utilize sources like Interpol and local police stations to conduct comprehensive checks. All employees should be required to sign a non-disclosure agreement before they are given access to any secure or confidential information and you should reserve the right to review and audit your provider’s HR practices at all times.
Work with Providers that Value Training
A service provider that has an extensive employee training process in place is one committed to ensuring its employees work as a single uniform entity. You’d much rather work with employees with shared corporate practices and values than a group of individuals who vary in work styles (after all, you hired a firm to do the job, not individual employees!).
Look for Separation of Duties and Controls
Make sure your service provider has proper separation of duties and controls in place. This means there should be clear outlines of individual responsibilities within the provider organization in terms of what data each employee can access, view, print, manipulate, etc. Your service provider should have firewalls, security systems and passwords that protect your company’s trade secrets, patents, clinical trial data and other IP. These systems will ensure your information is not misused or pirated. Also consider building into your service provider’s contract a process for conducting ongoing security audits. This will ensure security processes are being evaluated and updated constantly.
Outsource Work to Countries in Good Standing
Pharmaceutical companies should look to conduct business only in stable and developed countries. Never offshore work to countries with a history of terrorist activities or links to known terrorist organizations. Never offshore work to countries combating civil unrest. Any country where you establish business dealings should have a formal legal system in place, including a court process for recourse and standard law enforcement. Countries that are members of the World Trade Organization (WTO) have agreed to general principles on enforcement of intellectual property; however, each country and its legal system should be well understood prior to committing major investments of capital and/or personnel.
Consider Incentives Each Country Offers to Grow Outsourcing Business
Look to outsource in countries with governments that continually and vocally support outsourcing at the highest level. Countries such as Dubai, Ireland, and the Philippines offer significant tax incentives to encourage sourcing in their countries. Such government backing could mean you’ll be more successful in getting your initiative operational. The Canadian province of Ontario, for example, offers province-wide tax incentives for companies that relocate R&D there. While the labor costs in Canada are not as low as in other countries, these tax incentives can often offset the higher labor costs.
Understand a Country’s IP Laws
Even conducting business in a country regarded as trustworthy, you will still need to know and follow that country’s laws and regulations. Research past case law to learn which countries have set good precedent for protecting IP laws. China, for example, has a poor reputation for enforcing IP law, however recent history following its membership in the WTO has shown that China has been quite aggressive in enforcing patent rights. However, patents are awarded in China, like in Europe, based on the first to file, not necessarily the patent’s originator like they are in the United States. Some countries are also good about enforcing patent laws but don’t enforce trademark laws like they are enforced in the United States. Few IP laws are enforced universally around the globe, so make sure you and your provider understand all the risks involved.
Consider Security Frameworks
Laws are only a small part of what protects a company when doing business off-shore. Make sure your provider follows a number of internal security measures to prevent any IP breaches. See that your provider follows generally accepted standards in security framework such as the ISO 27001 series, which is a comprehensive and verifiable set of security practices. Also look for your provider to follow the SAS 70 audit standards to ensure that professional standards are transparent and maintained by your service provider.
Continually Evaluate Technology Position
Companies look to invest in technology safeguards to protect their IP and data when working off-shore. Obviously technology has the most opportunities for information leakage and must be secured at many levels. Make sure your service provider has proper checks and balances in place and those check points are continually evaluated and improved as new technologies become available and as old technologies become obsolete.
Technology should play a key role in controlling which employees have access to specific information, who can view information and who can manipulate data. Companies also should make sure they have policies in place to control the usage of USB ports and to secure VPNs. Measures should be in place to secure the provider’s telecom systems, firewalls, etc., properly.
Stay on Top of Your Company’s Security Posture
Ensuring the security posture of your company’s processes is key to protecting your company’s IP and data confidentiality when doing business offshore. With pharmaceutical companies’ R&D costs topping $58.8 billion in 2006 and the cost of developing a single new drug topping $1 billion, offshoring can be an attractive and lucrative opportunity for pharmaceutical companies looking to cut costs and lessen the time to market for new drugs. However, it’s important that your outsourcing service provider takes every possible precaution to protect your valuable and confidential data. Remember, the necessary due diligence up-front will help your company achieve those cost savings in the end.
About the Authors: Vicki Phelan is EquaTerra’s pharmaceutical practice leader, Cliff Justice is the managing director of EquaTerra’s globilization practice, and Charles Arnold is a managing director in the firm’s pharmaceutical practice. For more information, please contact Phelan via email at Vicki.Phelan@equaterra.com or visit www.EquaTerra.com.