An organisation’s assets are wide-ranging. They can cover people, the premises they occupy, the products and services they supply and the information and intellectual property they have. Assets can be physical and digital and be vulnerable in different ways.
Understanding which of these assets are critical to your organisation’s existence and operation, and which ones are most at risk when you are doing business with overseas parties, should be the starting point in completing a risk assessment.
Too often, when protective security is applied in an ad-hoc and unstructured manner, valuable resources are wasted with limited impact on security risk reduction. This can leave you and your business open to commercial and reputational damage.
What are the threats?
Once you have identified which assets are most critical to you, you should determine the possible threats. Consider threats from across the full spectrum of physical, personnel and people, and cyber vectors, and also how these threats might overlap or evolve over time.
Some types of threats to consider are:
- Economic and state-sponsored espionage
Hostile actors may exploit an investment or relationship that you have with a private company or individual to carry out espionage or obtain access to sensitive information. Giving up access to your sensitive assets and data can open you up to theft, especially if appropriate checks are not put in place.
This may be industrial espionage conducted by foreign commercial competitors or it could be state-sponsored espionage in support of a state’s economic development plans or national security objectives. The two types of espionage can be closely linked in an authoritarian state.
An international student was a part of an academic institute commissioned to undertake research with a defence company. The student was tasked by a state-owned entity in their home country to acquire and export specialist technology.
The student was able to learn about the sensitive technology as a part of the research work and, with support from the hostile state, was able to transmit intellectual property back to their home country, thereby circumventing export controls, national security checks, and the company’s own internal security standards.
- Inappropriate leverage
Initial investment can be a way of slowly gaining undue influence and access to an asset or an organisation in order to steer future decision-making, including influencing wider diplomatic or political disputes.
Hostile actors may influence foreign companies to take, or threaten to take, decisions which run counter to national interests, such as running down the quality of service or diverting supply chains.
It is important to consider what the implications of this scenario may be, depending on the sector you operate in and the assets you own.
Country A mines and controls the majority of the world’s rare earth minerals.
A fishing trawler captain from Country A was detained in Country B after his vessel collided with two coast guard vessels. He had tried to fish in waters controlled by Country B but long claimed by Country A.
In retaliation, Country A cut off ministerial-level talks on issues like joint energy development but also used the control it had over the rare earth minerals market to disrupt supply and use it as leverage in negotiations. Country A blocked exports to Country B of a crucial category of minerals used in products like hybrid cars, wind turbines and guided missiles.
After two weeks of mounting pressure by Country A, Country B had no choice but to release the fishing trawler captain.
- Disruption or destruction
Business ventures with overseas parties, particularly the purchase of company assets, or the supply of products and services can also be used as a way for hostile actors to preposition themselves at critical points in the operation of national infrastructure.
A leading biochemist working for a global pharmaceutical company was required to travel to a hostile state regularly for work. The biochemist was an ideal candidate for the role as he was a dual citizen and spoke the local language. However, this also made the individual more vulnerable to hostile state targeting.
The biochemist was successfully recruited by the hostile state and, over the course of three years, stole dozens of confidential documents and patents from the company by downloading them onto USB sticks.
The sensitive material was used to set up a rival company in the hostile state, costing the pharmaceutical company its competitive edge in an emerging market.
Conducting business with overseas parties can expose your personnel to undue influence and exploitation by hostile actors, creating insider risk.
The use of an insider is potentially one of the most damaging threats to an organisation.
An insider can offer hostile actors ongoing, privileged access to sensitive information. This could include insights not available through other means, including personalities, strategic thinking, politics within an organisation and explanations of complex data and concepts.
Staff travelling overseas on business may be operating in an unfamiliar environment where you have far less control. This can make your employees vulnerable to inadvertent security breaches (for example, losing items or forgetting basic security protocols) or to being deliberately targeted (for example, being manipulated into disclosing information, having electronic devices tampered with, or becoming a victim of crime, theft or terrorism).
This could put your staff in danger and compromise your organisation’s sensitive information.
You can visit the CPNI website for security campaigns designed to support organisations, offering a range of engaging material to improve security behaviours of their travellers.
The Foreign and Commonwealth Office (FCO) also provides security advice for UK citizens who travel or live abroad:
- Reduce your risk from terrorism while abroad - Summary of the terrorist threat abroad and tips on how to stay safe.
- Foreign travel advice - Advice from the FCO on travelling to specific countries.
- Overseas business risk - FCO and UK Trade and Investment advice on managing the business risks of operating overseas.
What are your vulnerabilities?
Your vulnerability to threats being realised should inform the types of mitigations you put in place.
This should include a consideration of the likelihood of the threat eventuating as well as its impact. Questions to ask include:
- What is the intent and capability of the overseas party to act in a hostile manner? (For example, is there media reporting on the party in question or their home country acting in a hostile manner, in the sector in which you operate, or towards the UK?)
- What opportunity to undertake espionage or exert inappropriate leverage would the business venture give them if it were exploited?
- What would the financial and reputational impact be?
- What are the wider national security consequences?
- What are the wider consequences for your long-term profitability?
Mitigate the risks
An integrated approach to security is essential.
This involves thinking about physical security, information and cyber security and personnel security as well as other levers and controls available to you, for example, a contractual obligation on the other party or a change to your internal processes.
Your mitigation measures or actions should focus on the threats specific to your organisation’s critical assets, taking into account the amount of risk you are willing to accept. Here are some questions to consider:
- Who owns the documentation of your risk mitigation measures? How often is it reviewed and updated?
- Do your mitigation measures document the tasks that will be required to manage threats and the individuals that will be responsible for these tasks?
- How are your mitigation measures communicated to key staff, contacts and stakeholders?
- Do your measures include timescales for business recovery and required resources? Do they keep pace with technological advances?
Timing matters. The mitigations that you decide on will be most effective if they are put in place prior to any in-depth engagement with overseas parties, and definitely before any transactions are finalised.
Retrofitting security mitigations after business ventures have taken place – especially if it involves joint work or ownership – will have limited impact at best.
The same applies to cyber security mitigations such as compartmenting access to critical parts of your IT or segregating commercial and operational systems. It is particularly important to think about your basic cyber security posture and resilience before interacting with any untrusted networks and second and third parties online.