The term globalization, the growing interconnection and interdependence among the world’s nations, cultures, and economies, is shaded in optimistic hues for the humanitarian bridges it builds and the benefits it guarantees in commerce and unity. While today’s companies do gain growth and scale from expanding their markets to a boundless list of potential buyers, we need to splash just a little bit of cold water of realism into the equation. From a security perspective, interconnecting networks, data, and systems with some regions is simply more dangerous to us than it is with others.
Wars are fought among nations, and threat actors are concentrated in, and target, specific regions. For example, threat actors that target US companies are commonly within Russia. Russian threat actors also have geopolitical reasons for targeting Ukrainian enterprises. In other regions, company property is considered state property and can be seized, invaded, or inspected at a moment’s notice and, at times, digitally inspected without detection. Other countries, including China, have long histories of capturing the intellectual property of private companies. Considering these obvious truths, it is important that companies with offices in foreign lands, no matter how small and at times forgotten, understand the risk exposure that a tiny satellite office in Saudi Arabia or Shanghai could pose to the home office in Chicago (for example), should they freely share the same networks, applications, and data without restriction.
It’s More of a Problem Than You Think
Many global organizations have offices in international regions that pose at least some risk to them. While IT teams work to apply stringent security practices to their organization as a whole, they should consider specific controls when it comes to regions that have:
- An established history of hacking/ransomware
- Laws against personal and commercial privacy
- Advocacy or practice of nation-state spying
- Required nation-state filters (Internet inspection and proxies)
- A history of raiding commercial offices
- A largely oppressed population or economy
- A significant history of stealing intellectual property
Below are some risk group breakouts and recommended levels of security protections and controls. Each group is itself prioritized numerically by risk (highest to lowest).
Risk Group 1 (high risk):
- Countries with which your region is in active or potential military/ideological conflict or engaged in significant economic or technological competition.
- Regions that generate the most hacking activity, other than your own country or its allies. This list will change dynamically, as will your allies. For example, the US and its allies are often found on these publicly available lists; however, US companies wouldn’t segment out their own corporate offices, and they consider their allies low risk.
- Countries that do not respect corporate privacy laws. Such countries represent a risk of spying or stealing intellectual property under government-sponsored raids or digital infiltration.
Risk Group 2 (moderate risk):
- Politically neutral countries (no current military conflict or heightened tension) that are economically depressed and show higher rates of digital crime.
For all other countries, we always have to assume there is some risk, so we’ll consider them “Risk Group 3.”
Securing Offices Across the Risk Groups
In an ideal world, we’d segment and isolate each office that resides in a separate country. But we can’t dismiss usability, cost, and timely response. Below are some general security guidelines per country group.
Risk Group 1: These represent the highest level of risk, and offices here should be completely isolated from the corporate network. Such offices should maintain separate systems, databases, backups, and applications, and share no software-as-a-service (SaaS) solutions with the company’s main operations. While this represents cost and inconvenience, the risk from these countries is too great to ignore. Offices should adhere to security best practices including zero-trust principles, layered security across people, process, and technology, and stringent lateral movement defenses.
Risk Group 2: These countries represent modest hacking and corporate privacy risks. Offices here should adhere to security best practices, and users in these regions should not be given blanket access to global systems. Leverage strictly enforced role-based access control and enable this access via a US-based virtual desktop infrastructure (VDI) machine (never over the WAN). User access granted to individuals should be logged in the risk register.
Risk Group 3: While we don’t recommend specific protections for this group, the global organization should be employing security best practices and both fully understand and implement identity, endpoint, and lateral movement defenses.
An Intentional Strategy in an Uncertain Landscape
There is no such thing as “zero risk,” and in these decisions, there are serious usability and cost tradeoffs. Ultimately, leadership must establish their risk tolerance and intentionally decide the controls they wish to make within those tolerance levels to demonstrate that they’ve taken reasonable care to protect the business. We’ve aided in the recovery of many organizations in which a breach has occurred due to security issues with the organization’s offices or third parties in riskier nation states.
We’re one world, but we must still be smart about how we interact with our various counterparties within that world to operate safely in an at-times adversarial landscape.