
Protective security considerations

Practical steps to manage risks, if taken in a timely manner, will protect your reputation, prosperity and the national security of the UK.

Protective security mitigations are more likely to be of value when the overseas party is looking to gain a minority stake in your organisation, or will be granted only limited access to your intellectual property and people. 

When an overseas party has total ownership or control of your organisation or property, it will be extremely difficult to mitigate the security risks effectively. In these situations, certain kinds of structural or financial conditions may be imposed by government or industry regulators – for example, restrictions on market share or requirement to divest shares. 

Your security and legal advisers will be key in assessing what the risks to your organisation are and how best to manage them, but who owns these risks at Board level?

Identifying a member of your senior leadership team as a risk owner will ensure that security and strategy are considered alongside each other as you do business and collaborate with overseas parties. 

Practical steps

The type of threat and risk faced by your organisation will determine the best suited protective security mitigations.

It is important to remember that protective security mitigations need to be adapted to each individual scenario and a one-size-fits-all approach will be ineffective and, potentially, costly. 

It is highly unlikely that a one-off protective security mitigation will eliminate the risks entirely for the full duration of your relationship with the overseas party.

In reality, any mitigation which is implemented will require constant monitoring and evaluation to ensure it is being complied with and effective.

This can be an expensive and resource intensive exercise and should be factored into your assessment of how valuable an international business venture might be.

A number of possible mitigations are outlined below. While this is not an exhaustive list, it should provide a starting point as you develop your own risk management strategies.

Espionage or disruption

Economic and state-sponsored espionage

Hostile actors may exploit an investment or relationship that you have with a private company or individual to carry out espionage or obtain access to sensitive information. Granting access to your sensitive assets and data can expose you to theft, especially if appropriate checks are not put in place. This may be industrial espionage conducted by foreign commercial competitors or it could be state-sponsored espionage in support of a state’s economic development plans or national security objectives. The two types of espionage can be closely linked in an authoritarian state.

Disruption or destruction

Business ventures with overseas parties, particularly the purchase of company assets, or the supply of products and services can also be used as a way for hostile actors to preposition themselves at critical points in the operation of national infrastructure.

Managing threats to your physical location

The threats and risks associated with doing business with overseas parties may still affect you even if you are not a direct party to the deal!

A hostile state could access your organisation, its people, and its assets by targeting your supply chain, premises close to your physical location, or similar organisations in your sector.

Being aware of how these threats may affect your organisation and building your internal resilience will affect how well you manage the risks.

Possible protective security considerations can include:

  • physical measures such as higher walls and reflective windows
  • access controls to your location and information
  • enhanced security awareness campaigns
  • relocating sensitive assets or information

There are conditions and mitigations that you can implement to limit the national security risks arising from an overseas party accessing land next to sensitive critical national infrastructure sites, or other sites of a sensitive nature.

Technical security risks are at their highest when physical features are shared. These include adjoining walls, sharing a single floor, or shared spaces in modern high rise buildings.

Some hostile actors also have the capacity to conduct information and intelligence gathering via the deployment of technical equipment or via surveillance. This includes the installation of eavesdropping devices, interception of mobile telephones or Wi-Fi networks, exploitation of CCTV and physical monitoring of individuals of interest. Taking advantage of natural technical vulnerabilities (e.g. Wi-Fi spillage or direct line of sight through windows) has the advantage that it does not require entry to the premises. Mobile technologies such as smartphones can easily be converted into data collection devices.

To mitigate this vulnerability it is worth considering zoning policies to exclude mobile technologies from particularly sensitive areas within buildings. Other mitigations can include the installation of next generation in situ monitoring systems.

Modern video conferencing systems present a risk of being overheard by undesired parties – consideration should be given to adequate acoustic protection of these areas, potentially including purpose built safe speech areas.

The physical mitigations you consider could include:

  • enhanced physical security (e.g. obscuration film to external windows, higher walls)
  • strong access controls, reinforced by a robust security culture
  • security campaigns designed to raise staff awareness of what is happening at the adjoining sites and the risks
  • reducing opportunities to exploit line of sight and technical routes
  • moving sensitive assets to a different location

Physical protection of sensitive assets or critical capabilities – creating an inner layer

Your organisation may need to create an actual or virtual inner layer of extra protective security – supported by physical and cyber measures – around sensitive information holdings, capabilities or staff in sensitive roles. This can then be supported by a range of personnel security measures designed to support the integrity and strict observance of this inner layer and the wider regime that surrounds it.

There are two steps to developing an inner layer:

  1. Identify the areas in the relevant site where sensitive information or critical capabilities are located.
  2. Put in place measures to protect and limit access to these areas.

The principle is that physical access should only be allowed to those who need it, alongside a means of identifying and limiting access to those who do not. A range of measures should be used to reinforce the security of these areas, using physical (e.g. mechanical locks), electronic (e.g. automatic access control systems), and technical (e.g. technical surveillance counter measure sweeps) means.

You should be confident that the protective security mitigations you put in place cannot be easily sabotaged or tampered with. This requires a holistic view of all elements of security.

For example, an automatic access control system is a protective security measure but who has the responsibility of managing it? Those overseeing such a system will also need to be included in any personnel security measures to ensure that the overall administration of the system cannot be corrupted.

Risk Assessment of Certain Roles

Additional security arrangements will be valuable for people who work in roles requiring access to sensitive information or critical capabilities. These may also be relevant for other members of the workforce who work closely alongside personnel associated with the overseas party.

A risk assessment for such roles should be conducted covering the access to sensitive information or critical capabilities provided by the role. The assessment should include a review of the adequacy of existing measures against the threat.

Any additional roles created in the company should be carefully monitored and assessed. Decisions will need to be agreed as to what posts would be considered off-limits to those working for the overseas party.

Pre-employment screening

Following a risk assessment of roles, one mitigation measure is pre-employment screening which comprises the procedures involved in deciding an individual’s suitability to hold employment in a given job role. This is not limited to new joiners, but also individuals who are moving between job roles within an organisation. Decision-makers may impose a level of screening on all individuals who are provided access to the organisation’s assets. Screening processes to meet basic UK employment legislation as a minimum should be in place for foreign nationals – with further measures applied at the visa application stage if necessary.  

Additional checks or a higher level of screening should be considered for specific high risk posts (both those occupied by foreign nationals and those working closely alongside employees associated with the overseas party). Dual nationality of certain countries presents specific challenges, as individuals may be pressured to act in the interests of a hostile state. Pre-employment screening will therefore provide only minimal protection in such cases, and decision-makers may want additional controls in place.

Further information on these measures can be found on the CPNI and NCSC websites.

Protecting cyber

Cyber security is one of the key considerations in the risk assessment and mitigation process when dealing with overseas parties. Top-level guidance on how organisations can protect themselves in cyberspace is covered in the NCSC’s 10 Steps to Cyber Security.

When conducting business with overseas parties, you should be aware of the following cyber security specific concerns:

  • loss of commercially sensitive information including your negotiating position, personal data, intellectual property
  • reduction or loss of long-term profits or competitive edge
  • reputational damage when hit by a data/cyber security breach
  • revealing other (non-commercial sensitive) information pertaining to your organisation that might be valuable to a would-be attacker
  • loss of partner organisations’ data
  • disruption to your systems

General principles for good cyber security practice are set out below, but the nature of your foreign relationship, including any network connectivity, will require a tailored approach. Some key aspects of cyber security are listed below; further advice can be found on the NCSC website.

Board Level engagement

Your Board needs to understand the additional cyber security risks that can arise when dealing with overseas parties. They will need to sign off these additional risks and approve the additional cyber security activities needed to mitigate them. Specific NCSC advice on generating constructive discussion around cyber security with your Board can be found in the NCSC Board Toolkit.

Risk Management

When entering a new foreign commercial relationship, you will need to understand the cyber security risks presented and the additional mitigation activities required. NCSC provides advice on governing, communicating and making decisions about risk.

Appropriately Segregate Sensitive Networks and Systems

Detailed knowledge of IT networks, processes and systems will be of value to hostile states. Such knowledge can be used to aid the deployment of malicious technical capability into your organisation or your supply chain. Therefore, it is important to consider managing access to this information. Visit the NCSC website for advice on activities relating to the design, procurement and build of a secure enterprise IT system.

Access Control

Access to sensitive data should be controlled and strictly based on need to know principles. Only users and organisations who have a valid business requirement should have access to sensitive data. There should be measures in place to ensure that only those who need to access such data are able to do so. Visit the NCSC website for advice on identity and access management.  

Monitor and prevent unauthorised access

Even when critical or highly sensitive data is separated, and privileged access is limited to those with a need to know, there may be instances of unauthorised access attempts. These could be from system users (e.g. an insider threat) or from partners or other sources (external threat). Ensuring there are effective cyber security arrangements in place to monitor and defend against unusual or malicious network activities is key.

Supply Chain Security

Many issues around supply chain security are due to the poor security practices of partner organisations or managed service providers. Such cyber security issues are not limited to working with overseas partners but may nonetheless present a higher level of risk.

Additionally, hostile state actor access to supply chain components may provide an opportunity to introduce security vulnerabilities and put sensitive company assets at risk.

An understanding of the cyber risks associated with partner organisations, managed service providers and potentially vulnerable components should be developed at an early stage, drawing on technical advice from NCSC and other relevant departments where necessary.

Managing Cyber Incidents

Despite all these mitigations being in place, a cyber security incident may still occur and you should have contingency plans in place to manage such events. NCSC advice is available on activities to minimise the immediate and long-term business impacts of cyber security incidents.


Security Leadership and Culture

Developing and sustaining an effective security culture is an essential component of an organisation’s protective security regime. It will help build resilience against a range of threats which damage your reputation and prosperity. Security culture refers to the set of values, shared by everyone in an organisation, that determine how people are expected to think about and approach security.

Additionally, assigning an Executive-level risk owner for your international strategy will ensure it remains on the Board’s agenda for the duration of any engagement with overseas parties. For more information on building your security leadership capabilities, see CPNI’s Passport to Good Security.

Monitoring and review

The threats faced by your organisation will not remain stagnant over time and any mitigations you put in place will need to be monitored and reviewed to remain effective.

The programme of monitoring and review should enable potential security issues to be recognised and dealt with effectively and, where appropriate, reported both internally and to relevant regulators where necessary. The following measures could be drawn upon as part of a monitoring strategy:

  • a process for the effective reporting of security concerns across your organisation and for staff to be briefed on the additional threats posed by the overseas party
  • protective monitoring (e.g. IT audit logs) to identify behaviour of concern
  • incident reporting mechanisms for internal or external reporting
  • penalties for security breaches or failure to comply with conditions
  • a channel for security concerns which should be effectively reviewed, escalated for investigation and any necessary remedial action to be taken to reduce further security risks
  • compliance responsibility and long term monitoring arrangements should be considered at the time of the decision to engage with the overseas party


Inappropriate leverage

Initial investment can be a way of slowly gaining undue influence and access to an asset or an organisation in order to steer future decision-making, including influencing wider diplomatic or political disputes. Hostile actors may influence foreign companies to take, or threaten to take, decisions which run counter to national interests, such as running down the quality of service or diverting supply chains.

Structural Conditions

Due to the threats faced by your organisation, you may impose mitigations of a more financial and strategic nature. These will be relevant to situations where inappropriate leverage is the principal risk, or where the concern is related to national security.

The government or independent regulators in the sector you operate in may have an interest in your engagement with overseas parties, especially if national security concerns are present.

The government has a responsibility to protect the UK’s national security. This includes limiting the degree to which the UK becomes reliant on an overseas party for the delivery of essential services and ensuring emerging technology with military applications does not get into the wrong hands.

At times, financial or strategic conditions may address some of the concerns that the government has about your engagement with overseas parties. As a result, you may find that conditions like the ones outlined below are imposed on your international business ventures.

The financial or strategic conditions you consider could include:

  • ensuring that strategic capability is maintained in the UK
  • ensuring the economic viability and financial health of the organisation
  • the need to retain your organisation’s existing supply chain
  • a condition allowing the relevant lead government department to appoint and remove Directors and other key personnel
  • ensuring that operations and maintenance are only run from the UK
  • a condition that data must remain onshore and only be accessed from within the UK
  • a condition restricting changes to business models
  • a condition requiring notification of changes to the ownership structure and provisions allowing cancellation or amendment of contract arrangements if ownership changes
