Article by Cylance chief security and trust officer Malcolm Harkins
It’s no secret that China has emerged as an economic powerhouse over the past decade, with The Conference Board estimating that the country’s GDP will surpass the US in 2018.
For many Australian businesses, this is an opportunity for growth.
China is already Australia’s largest import and export trading partner, and President Xi Jinping recently implied that it’s unlikely to slow down any time soon.
However, many organisations know very little about doing business in China – or how the country’s political, cultural and cybersecurity landscape can impact their ability to carry out business.
For any business that plans to carry out work in China – whether choosing to base its entire operations in the country or launching a subsidiary – many challenges can be expected.
China’s commitment to cyber sovereignty, reinforced by President Xi Jinping in December 2017, poses a particular challenge for foreign companies.
Tough internet censorship and online data regulations have forced global behemoths such as Facebook and Google (currently banned in China) to consider whether it’s worth accepting China’s terms in order to access its 751 million internet users.
A cybersecurity law introduced in June 2017 requires organisations to store sensitive data domestically.
While the Chinese government has hailed this new law as a boost to privacy protection, it has many foreign businesses rattled due to its broad scope and vague definition.
The law is forcing businesses to re-examine the data that flows in and out of China, which can bring about complex challenges such as disaggregation from global data networks in order to remain compliant.
Businesses are also forced to work within the confines of China’s “Great Firewall”, where many popular cloud-based services such as Dropbox and Google Drive are blocked.
Limiting access to these collaborative tools can have major implications on day-to-day operations for businesses that have global offices or that require frequent interaction with foreign counterparts.
This challenge obliges businesses to think about their corporate culture and the needs of their staff in China.
Do you want to ensure your staff have freedom of expression?
Will you allow them unrestricted internet access through your global corporate network?
And if you do that, what are the implications?
There are many complexities involved in how you provide your employees with internet access, and how you go about doing so under China’s laws and expectations.
Many businesses follow strict cybersecurity rules for employees travelling to China; an increasing number enforce the “no corporate laptop” rule where staff are required to take a burner laptop and phone with them to China, so there’s no real data on the devices.
In some contexts, that’s a useful thing to do.
In other contexts, you could argue – depending on the cultural adherence of your employees – you’re really kidding yourself if think that giving an employee a blank laptop would stop them from logging into a system that you don’t want them to.
In situations like that, you might have to think about different control types, such as restricting the geographic IP addresses that are able to access your business’ critical resources.
One of the key perceived dangers of setting up shop in China is the protection of sensitive information and intellectual property theft.
This danger cannot be more exaggerated.
Local Chinese businesses are in fact just as afraid of information and intellectual property theft as we are.
They are hyper-focused on combatting the growing number of local threats, whether it’s insider activity or malicious groups located in different Chinese provinces.
Having operations in China doesn’t necessarily expose you to more risk.
In essence, attackers can get what they want from you wherever you are today.
But what it does mean is that local employees must be trained to maintain top security hygiene and compliance.
Due to the country’s first-to-file system, it is also recommended that businesses entering China consider registering their trademarks as early as possible.
Cyber threats are real.
It’s a cop out for businesses to think they cannot mitigate the risks and then speculate about how or why they have been victimised.
The reality is that a number of nation states do not employ very sophisticated security practices.
A recent Europol report into organised internet crime stated that the boundaries between threats from nation states and cybercriminals are blurring – and the attacks were neither sophisticated nor new, but rather were reused, reintroduced technical attacks.
These results reflect back on organisations and the poor job they’re doing to mitigate their risks against an attack.
Businesses need to put better controls in place so they can effectively and efficiently deal with vulnerabilities and threats, and ultimately make it harder for attackers.
It starts with understanding the risk and cybersecurity framework.
How do you identify the risks?
How do you take actions to mitigate these risks?
Are you doing all the preventative work you can upfront, so that you can lower the risk dynamic as much as possible?
And because you can never fully eliminate the risk, you need to step up your ability to detect, respond and recover from security breaches.
The chief security officer can play a role in helping the wider business understand the potential opportunities and offer thoughtful advice to navigate those risks.
The CSO could potentially come up with some scenarios around opportunities and risks in a dynamic fashion – and the business can then revise those risks and opportunities on an annual basis to stay on top of threats.
We don’t have full control of all the variables, but there are many things that we can do within our organisations to manage and mitigate data and security risks.