How to mitigate security risk in international business environments
Gone are the days when international business was a unicorn in the business world. Instead, “going international” is becoming more common, with most large organizations having some sort of an international presence.
This article will detail how to mitigate the security risk in international business. We will explore what this security risk is, how to mitigate this risk and how to operate in multiple countries that are governed by different laws.
The security risk associated with international business
Risk is defined as follows:
Risk = (threat x vulnerability (exploit likelihood x exploit impact) x asset value ) - security controls
International business carries a degree of risk with it. Instead of being subject to the information security risks of the home office country of origin, an organization doing business in multiple countries also subjects the business to the different information security risks associated with the country. This is complicated by the fact that each country has its own security risks to account for, as well as local laws and regulations which may impact business.
The Allianz Risk Barometer is a global business risk management report. It’s based on the input of 2,718 experts in risk management hailing from 102 different countries and territories. This report ranks the top risks to global business.
It should be noted that 2020 is the first year that cyber incidents (for example: cybercrime, IT outages and failures, data breaches) have taken the #1 ranked position on the top security risks list. Below are the top security risks to global business:
- Cyber incidents
- Business interruption
- Changed in legislation and regulation, including tariffs and trade wars
- Natural catastrophes
- Market developments
- Fires and explosions
- Weather/climate change
- Loss of reputation/brand value
- New technologies, such as AI
- Macroeconomic developments
- Political risks and violence
- Shortage of a skilled workforce
- Critical infrastructure blackouts, such as power disruption
- Product recall, quality management, serial defects
- Theft, fraud, corruption
- Environmental risks, such as pollution
- Health issues, such as COVID-19 pandemic
How to mitigate security risk in international business
“Know thyself” means making sure your organization has a strong situational awareness if you are doing business in multiple countries. You will need to ensure that in every country your organization is operating, it is addressing the information security risks inherent to that country.
Can I speak with the manager?
All platitudes aside, with it being established that information security risk is a necessary evil of conducting international business, what is important is that you manage this risk. To manage risk in an international risk environment, organizations should use an information security risk management (ISRM) tailored to where the organization conducts business. ISRM helps an organization handle risks based upon the organization’s risk tolerance.
ISRM is composed of the following:
- Identify assets
- Identify vulnerabilities
- Identify threats
- Identify controls
This is the element of ISRM that you will want to focus on to mitigate risks involved in international business environments. Mitigation is defined as lessening a risk’s impact or likelihood of occurring and not preventing it entirely. This gives your organization a realistic expectation of avoiding the risk and not an ironclad promise that the risk will not affect business. The types of risk mitigation you want to use depend upon what risk you are mitigating.
Mitigating risks is situational and diverse, and depends on what your assessment has revealed about the country you are doing business in. Let’s say theft is one of the top risks in the respective country. Implementing strict physical security will help lessen that risk.
For some countries, such as Brazil, Switzerland and Italy, business interruption is the top risk. Lessening this risk may take the form of providing a robust business continuity plan for extended periods of business interruption.
Other countries, such as India, have cyber incidents as their top risk. Mitigating this risk may take the form of using advanced security tools loaded with the signatures and indicators of compromise associated with that country.
Risk mitigation controls
Risk mitigation controls are measures an organization takes to reduce the risk of doing business (or any other activity). Organizations typically have anywhere between five and ten risk mitigation controls in place at any given time, with the following being the top risk mitigation controls:
- Recovery exercise
- Recovery strategy
- Recovery team
- Recovery plan
- Business impact analysis
- Third-party supplier risk
- Training and awareness
When it comes to risk mitigation controls, the more you can implement, the better off you will be and each of the risk mitigation controls above have their place. And with the nature of international business, third-party supplier risk may be heightened. For example: if your international third-party supplier is using software made in countries such as China, a recent incident involving China-made tax software loaded malware that a firm connected to the US defense industry.
Local laws and regulations
Part of the Assessment element of ISRM is that you take full stock of the laws and regulations in place in the different countries your organization operates in. This is in order to ensure that your organization is legal and in compliance. You may want to consider hiring local legal counsel to help you navigate this part of risk mitigation.
Risk is an inevitable part of conducting business in an international business environment. By implementing an information security risk management plan and a comprehensive risk management controls scheme, and ensuring compliance with local laws and regulations, your organization will be better able to weather the storm of risk that global business can bring.
2020 Allianz Risk Barometer, Allianz
The Top 7 Risk Mitigation Controls, in Order, BCMMetrics