The move to internationalize creates huge compliance and data security challenges. Unfortunately, security policies and procedures are frequently an afterthought, especially in overseas remote offices.
Why is this consequential? First, critical or sensitive data may be stored in the remote office. Second, remote offices are often simply WAN connected with no security or monitoring differentiation. Although the insider threat is well recognized, a survey of enterprise networks reveals the majority are still “security eggshells” (e.g., a secure perimeter with little inside apart from client anti-virus). Third, the legal protections available are often limited because protections don’t exist or are unavailable to foreign corporations, and the costs involved and risk-to-reputation are too high.
To improve security in remote offices, technology alone will not suffice. Staff attitudes, motivations and cultural norms must be better understood. The following relationship and technology guidelines are critical:
Build relationships: To minimize expenses, Americans may avoid lengthy overseas trips or funding visits by foreign staff to headquarters. However, overseas business is oiled by relationships that develop trust. Failure to understand this and build on common goals can be more costly than the expense of building relationships.
Understand cultural motivations: What is important to the IT staff, or those with access to critical data? Consider that working for a Western company is often highly valued, as are training and certifications.
Money talks: In developing countries, “team spirit” takes a back seat to compensation for creating loyalty. On the other hand, an excessive package suggests the organization is naïve and ripe to be exploited.
WAN edge security: Router/switch ACLs, IPS and proxies should be implemented on the WAN, preferably on the domestic side. Limit access to the minimum needed for the remote office to function.
Monitoring: Central security staff should monitor activity at the remote location. Consider appliance-based offerings that are harder to circumvent and do not require local staff support.
Securing international remote offices is challenging, but the risks can be reduced through understanding cultural motivations and applying security controls more typical of extranet connections.