India has built an amazing tech sector. India holds a 55 percent share of the global outsourcing market. The IT industry in India is thriving: in the year 2018-19, India’s IT & ITeS industry was worth $181 billion USD. The IT sector and IT outsourcing are a valuable and successful market and a jewel in the crown of India.
But India and its IT sector are being impacted by worldwide cybercrime.
In 2018, the Home Minister, Rajnath Singh, discussed the impact of cybercrime in the country. He stated:
“I am afraid, cyber attack would occur very often”…
“…With the growing volume and sophistication of cyber attacks, each one of us is required to protect sensitive information, as well as safeguard national security,”
In this article, we will look at the cybercrime landscape in India and its IT sector. We will also explore how outsourcing to India can still be a great option with the right processes in place.
Cybercrime and India
In their report “Securing the Nation’s Cyberspace”, PWC and ASSOCHAM identified a growing cybercrime trend in India. The report found that the country was experiencing at least one case of cybercrime every 10 minutes. This level of attack reflects the growing connectivity of a nation with the 2nd largest internet user base in the world. The report also highlighted that the WannaCry ransomware hit India badly, with the country being the third worst affected in the world.
As India embraces technology, it opens up avenues for cybercriminals to take advantage of new technologies and entry points. And, unfortunately, there is often a lag between digitization and threat prevention. India is a nation that takes tech seriously. Its citizens are some of the most connected in the world with 813 million mobile device users in the country. India has the largest digital identity initiative too. The Indian government’s Aadhaar biometric ID system is the largest national identity scheme of its kind in the world. In 2018, Aadhaar also became the victim of the largest breach in the world. This was recorded by the World Economic Forum’s (WEF’s) “Global Risks Report 2019” which pointed out that the 1.1 billion personal records in the Aadhaar scheme were compromised.
India is one of the most targeted countries in terms of cyber-attacks. In 2018, a Sophos report revealed the country was the third most targeted by cybercrime, with 76 percent of Indian businesses being victims of a cyber-attack. The country is experiencing many threats and cyber-incidents. Examples include ATM fraud and cloned debit cards involving malware in the bank switching system: Cosmos Bank lost a large sum of money to this method.
Check Point’s Cyber Attack Threat Map shows that India is in the top ten targeted countries, with only the USA having a higher infection rate.
India is riding a tidal wave of cybercrime because of its innovative nature and willingness to take technology to new levels of connectivity.
India and IT
India has become a powerful force in the world of technology. Firms like Tata Consultancy Services (TCS) have a market capitalization of over $100 billion USD and employ over 400,000 people. The market for Indian IT outsourcing is buoyant; according to the National Association of Software & Service Companies (NASSCOM) around half of Fortune 500 firms use Indian firms for software development outsourcing.
India has seen a transition in the technology sector too. Where it previously used a service-driven model of supply, there is now a strong movement towards a product-driven philosophy in the country. The Indian startup scene is blossoming. NASSCOM initiatives like “10,000-Startups” are driving this culture of creative development.
The result is a spate of software apps that are taking the world by storm. Indian software firms have found a particular liking for fintech. According to NITI Aayog, the digital payments market in India is set to be worth $1 trillion USD by 2023.
As India becomes an app development center, the need to control source code development becomes even more apparent.
The Indian Software Development Outsourcing Scene and Cybercrime Concerns
There is no doubt that India has created a strong and vibrant software development outsourcing scene. Strong support from government and external drivers like cost and speed to market has allowed India to build a globally recognized software development outsourcing hub.
But the wave of cybercrime casts a long shadow on all organizations, including those that choose to outsource development. A survey by Deloitte, the “2018 global outsourcing survey”, found that among the top five concerns about software development outsourcing were:
- 68 percent of companies were concerned about cloud-based outsourcing
- 35 percent worried about the loss of intellectual property (IP)
Bengaluru (also known as Bangalore), which is often called India’s “Silicon Valley”, is the IT hub for the country. In 2018, the city also registered the highest number of cybercrime cases in India. The technically savvy residents of the city are a target for cybercriminals. The city registered 5,035 cybercrime-related first information reports (F.I.R.). Online fraud in Bengaluru has also doubled in recent years, with 1,951 online fraud cases being registered with the single cybercrime police station in the city.
The movement of software development to outsourcing hubs like Bengaluru must include the cybercrime element as a consideration. Cybercrime happens everywhere; nowhere is immune to security threats and cyber-attacks. However, when you hand over your intellectual property, such as source code, to a third party, their vulnerability becomes your vulnerability. You need to take steps to ensure that your source code is protected.
Protecting Your Source Code When You Outsource Development
Outsourcing software development is often a must-have for a company. Companies are under a lot of pressure to get products to market quickly. Coupled with this is the lack of skilled resources in software development. According to research, by 2020 there will be around 1 million unfilled computer programming jobs in the U.S. This leaves no choice but to look for the most cost-effective and efficient option, and outsourcing to an emerging market like India is one such option.
Doing so effectively means ensuring that code development, and any knowledge transfer of IP, is done in a secure environment. This is a proactive choice in protecting your source code and therefore your company.
Below, we have outlined the most important aspects of protecting your source code when it leaves your organizational perimeter. These areas of management and control of source code IP are a process. They form part of your expanded strategy in protecting your most precious property – your source code.
Security Considerations When Working with an Indian Software Development Outsource Company
India is a good choice to outsource your development in terms of cost-effectiveness. However, cost alone should not be your only decision point, especially with highly sensitive intellectual property like source code. The key to optimizing the use of an Indian development outsourcing company is to manage the risk. Below, we have identified some key areas to use in an overall process of software development risk management.
Do your homework. Before taking on an Indian outsourcing company, check out their credentials. This means more than just the skill set they offer and their price differential:
- Check the outsource vendor’s own security policies.
- Do they provide security awareness training to their staff, for example?
- Have they achieved certifications for secure data handling?
- Do they carry out regular risk assessments?
- Do they implement modern security measures and practices such as Data Loss Prevention (DLP) software? More on this below.
Use robust contracts. Make sure you have strongly enforceable contracts in place with the outsource vendor. These contracts must have copyright and code ownership clauses that are enforceable in the appropriate jurisdiction. Back up your invention using copyright and patents that cover the country you use to outsource development. For example, check whether you can get copyright in India, as their copyright laws cover source code. Get a lawyer to check over these areas.
Check attitude towards privacy. It’s not just the cybersecurity credentials of the firm you outsource to that should be of interest. Attitudes towards your firm’s trade secret privacy should be discussed. One of the most common ways that proprietary data is exposed is through insider threats either maliciously or via sheer carelessness. We are also seeing forums on the dark web actively seeking employees that will leak corporate secrets for financial gain. Does the firm have privacy policies in place? Do they enforce measures to tackle insider threats?
Wherever possible, you should augment and enforce your non-technical considerations with technical measures when choosing a software outsourcing company anywhere, not just in India. The most important outsource vendor security measures that must be in place to mitigate the risk to your source code are:
Data Loss Prevention (DLP): DLP platforms for source code leak prevention are designed for the complex nature of source code. Rules can be applied that look for specific identifiers in your source code. These then apply policies that can prevent the code from being intentionally or accidentally leaked. DLP can stop any source code being sent out via emails, portable media, posted to forums and other social sites or uploaded to websites. DLP is a fundamental way to prevent source code leaks.
Access Control: The vendor should use a policy of “least privilege”. This ensures that source code will be accessed on a need-to-know basis, which helps to mitigate accidental and malicious insider data leaks. In addition, robust authentication should be used: at least two-factor authentication (2FA), especially for administrator access, and risk-based authentication if at all possible.
Safe storage and data transfers: Encryption of the transfer of source code to and from the repository should be mandatory. Encryption of data in the source code repository itself should also be explored – depending on the repository used.
Disaster Recovery and Backup: If you lose your source code because of a disaster the outsource vendor may be able to recode but you will lose precious time to market. A robust disaster recovery strategy must be in place.
Audit and employee monitoring: The developers employed by outsourcing companies should, wherever appropriate, be monitored for source code repository access and use. Pull and push requests can be audited, and reports generated for review. Employee and environment monitoring are also options and can help prevent insider threats from becoming an insider incident.
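To make the identifier-based DLP rules described above concrete, here is an added Python example (not code from this article or from any DLP product). It fingerprints distinctive identifiers from protected source and checks outbound content against them; the function names, the threshold, the marker string and the sample inputs are all assumptions constructed for illustration.

```python
import hashlib
import re

TOKEN = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def _distinctive(tok):
    # Long snake_case or mixedCase names rarely occur in ordinary prose.
    mixed = tok != tok.upper() and any(c.isupper() for c in tok[1:])
    return len(tok) >= 10 and ("_" in tok.strip("_") or mixed)

def _digest(tok):
    return hashlib.sha256(tok.encode()).hexdigest()

def build_rules(protected_source):
    """Fingerprint distinctive identifiers; keep digests so the rule set
    pushed to endpoints does not list the names in clear."""
    return {_digest(t) for t in TOKEN.findall(protected_source) if _distinctive(t)}

def inspect_outbound(content, rules, markers=(), threshold=2):
    """Policy decision for content leaving by email, upload or paste.
    Blocks on any marker string or on `threshold` distinct identifier hits."""
    hits = sorted({t for t in TOKEN.findall(content)
                   if _distinctive(t) and _digest(t) in rules})
    marker_hit = any(m.lower() in content.lower() for m in markers)
    verdict = "block" if marker_hit or len(hits) >= threshold else "allow"
    return verdict, hits

# Constructed sample inputs (hypothetical project, not real code).
PROTECTED = '''
# ACME-CONFIDENTIAL
def compute_settlement_window(ledgerBatchId, fx_rate_snapshot):
    return reconcile_nostro_positions(ledgerBatchId, fx_rate_snapshot)
'''
EMAIL_LEAK = ("FYI pasting the bit we discussed: "
              "reconcile_nostro_positions(ledgerBatchId, fx_rate_snapshot)")
EMAIL_OK = "Standup notes: settlement window work is on track, review on Friday."
EMAIL_ONE = "Ticket: please rename fx_rate_snapshot in the public docs."

if __name__ == "__main__":
    rules = build_rules(PROTECTED)
    for msg in (EMAIL_LEAK, EMAIL_OK, EMAIL_ONE):
        print(inspect_outbound(msg, rules, markers=("ACME-CONFIDENTIAL",)))
```

A single identifier hit stays below the blocking threshold but is still returned, so it can be logged for the audit review described above rather than silently dropped.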
PWC and ASSOCHAM, in the report mentioned above, have described cybersecurity as a “journey of social, behavioral and governance transformation”. One of the issues that India has in terms of cybercrime is in its management. The ASSOCHAM research found that slower responses to cybercrime in an emerging market like India make it a more attractive proposition to a cybercriminal. If we, as an organization, outsource the development of our source code, we cannot do so in a totally hands-off manner. We must be part of the overall process.
By using non-technical and technical measures like DLP, we can create an effective risk management process for software development, even if it is outsourced to a third party. As the cybercrime climate in India continues to evolve, we can feel more confident in using an Indian software development outsourcing company by managing the risk. It may seem like a hurdle to set up the measures needed to outsource to India securely, but it will be worth it for peace of mind.