Dangerous Regions: Isolating Branch Offices in High-Risk Countries – Source: www.darkreading.com

The term globalization — the increasing interconnection and interdependence among the world’s countries, cultures, and economies — is shaded in optimistic hues for the humanitarian bridges it builds and advantages it promises in trade and unity. While today’s businesses certainly achieve growth and scale from expanding their markets to a boundless list of potential buyers, we need to splash just a bit of cold water of realism into the equation. From a security viewpoint, interconnecting networks, data, and systems with some regions is just more dangerous to us than it is with others.

Wars are fought among countries, and threat actors are concentrated in and target specific regions. To illustrate, threat actors that target US companies are commonly within Russia. Russian threat actors also have geopolitical reasons for targeting Ukrainian enterprises. In other regions, company property is considered state property and can be seized, invaded, or inspected at a moment’s notice and at times, digitally inspected without detection. Other countries, including China, have long histories of capturing the intellectual property of private companies. Considering these obvious truths, it’s important that companies with offices in foreign lands — no matter how small and at times forgotten — understand the risk exposure that tiny satellite office in Saudi Arabia or Shanghai could pose to the home office in Chicago (for example), should they openly share the same networks, applications, and data without restriction.

It’s More of a Problem Than You Think

Many global organizations have offices in international locations that pose at least some risk to them. While IT teams work to employ stringent security practices to their organization as a whole, they must consider specific controls when it comes to regions that have:

• An established history of hacking/ransomware
• Laws against personal and commercial privacy
• Advocate/practice nation-state spying
• Require nation-state filters (Internet inspection and proxies)
• A history of raiding commercial offices
• A largely oppressed population or economy
• A significant history of stealing intellectual property

Below are some risk group breakouts and recommended levels of security protections and controls. Each group is itself prioritized numerically by risk (highest to lowest).

Risk Group 1 (high risk):

• Countries with which your region is in active or potential military/ideological conflict or engaged in significant economic or technological competition.
• Regions that generate the most hacking activities, aside from your own country or its allies. This list will change dynamically, as will your allies. For example, the United States and its allies are often found on these publicly available lists; however, US companies wouldn’t segment out their own corporate offices and consider their allies low risk.
• Countries that do not respect corporate privacy laws. Such countries represent a risk of spying or stealing intellectual property under government-sponsored raids or digital infiltration.

Risk Group 2 (moderate risk):

• Politically neutral countries (no current military conflict or heightened tension) that are economically depressed and show higher rates of digital crime.

For all other countries, we always must assume there is some risk—so we will consider them “Risk Group 3.”

Securing Offices Within the Risk Groups

In an ideal world, we would segment and isolate each office that resides in a separate country. But we can’t dismiss usability, cost, and timely response. Below are some general security guidelines per country group.

Risk Group 1: These represent the highest level of risk, and offices here should be completely isolated from the corporate network. Such offices should maintain separate systems, databases, backups, applications, and share no software-as-a-service (SaaS) solutions with the corporate primary operations. While this represents cost and inconvenience, the risk from these countries is too great to ignore. Offices should adhere to security best practices including zero-trust principles, layered security across people, process, and technology, and stringent lateral movement defenses.

Risk Group 2: These countries represent modest hacking and corporate privacy risks. Offices here should adhere to security best practices, and users in these locations should not be given blanket access to global systems. Leverage strictly enforced role-based access control and enable this access via a US-based virtual desktop infrastructure (VDI) machine (never over the WAN). User access granted to individuals should be logged in the risk register.

Risk Group 3: While we don’t recommend special protections for this group, the global organization should be employing security best practices and both fully understand and implement identity, endpoint, and lateral movement defenses.

An Intentional Strategy in an Uncertain Landscape

There is no such thing as “zero risk,” and in these decisions, there are serious usability and cost tradeoffs. Ultimately, leadership must establish their risk tolerance and intentionally decide the controls they wish to make within those tolerance levels to demonstrate that they have taken reasonable care to protect the business. We have aided in the recovery of many organizations in which a breach has occurred due to security issues with the organization’s offices or third parties in riskier nation states.

We are one world, but we must still be realistic about how we interact with our various counterparties within that world to operate safely in an at-times adversarial landscape.