Fri, Mar 25, 2022

When Your Company Exits a Country, Does Your Technology Do the Same?

Currently, many companies are reconsidering their operations in overseas markets.  Such reconsiderations have a wide range of effects, particularly on the company’s technology function, that must be  thoroughly addressed by the company’s management team and board. Other effects, however, might fall under the law of unexpected consequences.

Regardless of the type of presence that a company has in any given country, it’s important to be able to define the way that the country–as well as its team members, including employees, contractors, business partners or customers)–are connected to the company’s data network.

It’s perfectly understandable that when deciding to disconnect from a geographic location, the initial questions that come to mind are likely about the effect on employees in that region and  how to rapidly wind-down any operations that are no longer going to exist. While it is certain that the CEO, CFO, general counsel, human resources director and risk manager will be immediately and heavily involved, it is equally important to have the input of the Chief Information Officer and Chief Information Security Officer as early in the process as possible.

Global networks are complex. Questions about how a network is accessed (particularly in light of substantial changes in office/work from home policies due to the COVID-19 pandemic) and where data is stored can be equally complex. Separating a global network from a specific location is not easy, and questions of who should have access to a particular network or system become more important than ever. If a business determines that it will cease operations in a country, what does that mean for employees living and working there? Will they be expected (or physically able) to return company hardware, like computers or phones? Does the company have an obligation to keep certain levels of access operational during or after a shut-down process if the now-former employees have certain ongoing legal rights under a country’s laws? Can a company exercise remote control over the devices it owns in a foreign country and flip a digital “kill switch,” removing a device’s authorized access to a network or causing the device to become completely inoperative? (Sometimes known as “bricking” a device, since it becomes as useless as a building brick after it is rendered inoperative.)

For employees who may be transferred or whose transfers are planned, what access should they have before arriving in their new locations? How should the presence of company material on end-user computers or servers be handled, given the potential for systems being searched at borders? To what extent might an unfriendly regime determined to nationalize a company’s assets seek to blame former employees for sabotaging systems, or moving data across a national border in violation of local laws with possible criminal penalties or other forms of punishment?

While the network-related acts associated with moving company systems from a pre-decision state to a post-decision state are technical and must be carried out by skilled cyber-technicians (including cybersecurity professionals), the consequences of those decisions will often extend beyond the technical and should be considered as part of the decision making and decision implementation processes.

To do this, companies should consider creating specific cyber-operations profiles for each country where they have a presence. This should define network connections, including those intermediated by the global Internet, and how offices and individuals in that company interact with the organization’s digital networks. The process should also be sensitive to a country’s cybersecurity, privacy and employment laws. As noted earlier, this should be comprehensive and include the consideration of not only full-time employees but part-time, contractors, vendors/business partners and customers as well.

For example, if a company sells medical imaging devices to entities in a country that is suddenly the subject of sanctions, what does that mean to cyber connections? Do the sanctions require that a hospital that has purchased a medical imaging device lose access to online maintenance and operations manuals (regardless of a prohibition on supplying parts)? Should the technology team differentiate operating instructions from maintenance instructions (which might involve using parts that the customer has paid for and has in their possession)?  Would the potential for negative publicity or reputational damage be something to be considered? (For example, “By refusing to provide access to operating instruction and maintenance documentation for medical imaging, the company is endangering the lives of patients–including sick children–whose lives may depend on the accurate and timely use of those devices.”)

These are not conceptual problems. They are very real and should not be left to the discretion of network or cybersecurity technicians.

Similar questions can arise around every company-provided digital device. Would shutting down a person’s company cellphone mean that they couldn’t contact family or those outside of their country? Would removing access from their computer suddenly isolate them from the global Internet?

Another aspect of the relationship between users and network devices in a given country is that of trust. Each network handles trust in its own way. An organization, for example, may trust new employees to access specific resources and capabilities within the company’s network. How will that level of trust change with the decision to disengage with that employee or and perhaps terminate their employment? Trust need not be all-or-none. It may be appropriate to disallow access to certain systems and applications as part of a disengagement process while allowing other forms of access to company networks. In some cases, where an employee was involved in deal-making with other countries, they may have knowledge that will be needed even though the company may have already shut down in that employee’s country.

Computer technicians are not typically trained to consider all of the issues involved nor are they authorized to make decisions regarding access, device use and related actions (despite the reality that technicians are likely the ones who implement those actions).

Don’t assume that a disengagement decision can be made easily regarding networks and digital technology by the systems staff. As we have seen, many decisions involve legal, contractual and human consequences, and each of those factors need to be considered during the decision making and decision implementation processes. Will remotely erasing a database subject a resident manager (who may have been terminated involuntarily) to criminal penalties for the data destruction? Will any actions taken regarding disengaging with a country be viewed by as illegal by that country?

The simple fact is that from a technology perspective, disengagement is a very complex process and each element of that process can have consequences that should be considered before serious actions are taken. Thinking through these issues can result in risk mitigation to the organization and reduce problems arising from the inevitable operation of the law of intended consequences.

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Threat Exposure and Validation

Proactively identify your highest-risk exposures and address key gaps in your security posture. As the No. 1 Incident Response provider, Kroll leverages frontline intelligence from 3000+ IR cases a year with adversary intel from deep and dark web sources to discover unknown exposures and validate defenses.

Managed Security Services

World-renowned cyber investigators and leading technology fuel Kroll’s managed security services, augmenting security operations centres and incident response capabilities.