Managing Cybersecurity for Globally Operating Businesses

Centre for International Business at the University of Leeds

This blog post is part of an ongoing research project by Dr Stan Karanasios, Dr Hinrich Voss (Leeds University Business School) and Dr Nikolaos Papageorgiadis (University of Liverpool Management School) which is partially funded by the Professional Services Hub at Leeds University Business School and supported by the China-Britain Business Council and the EU SME Centre.

Circuit board design

In recent years businesses have become increasingly dependent on digital technologies and connectivity for everyday business functioning. This is a global phenomenon, but particularly true for businesses that manage international operations and value chains – that is, having offices overseas, offshoring back-office functions to suppliers and sourcing good and services internationally.

Alongside dependence on digital infrastructure, a threat to internationally operating businesses has emerged in the form of cyber-attacks which can significantly disrupt businesses, violating their trade secrets and intellectual property, and harming their reputation.

Threats may materialise from cyber-criminals, competitors (corporate/industrial espionage), foreign intelligence services (economic espionage), hackers and ‘hacktivists’. Cyber criminals may gain access to the whole supply chain of a company through small businesses and overseas business partners. A large number of studies have also revealed that internal employees are a source of threat to information assets.

Failure to protect against, and manage, the associated risks can prove costly. A report commissioned by the UK Department for Business Innovation and Skills (2014) showed that 81% of large businesses and 60% of small businesses experienced a security breach in 2013. More worryingly, the typical cost of a “worst case” security breach to large businesses is conservatively estimated to be £1.15 million, and £115,000 for small businesses in 2014. A subsequent survey in 2015 showed that cyber infringement costs have increased significantly for small and large businesses to about £311,000 and £3.14 million per annum, respectively (BIS, 2015).

Individual cases can be significantly more costly. TalkTalk, the British telecommunication company, announced that one-off costs from the cyber-attack in October 2015 could rise to £35 million. Similarly other recent cyber-attacks disabled the entire Ukrainian power grid, while cyber criminals externally controlled and manipulated a German steel mill and a Canadian cookie factory by adversely affecting their production. These examples showcase the considerable negative effects a lack of cybersecurity management can have on businesses of any size globally.

Safeguarding the business against cyber threats can be achieved in partnership with business partners and government agencies globally. While this is true for any business, it affects in particular businesses that operate across borders. The institutional, legal and technical environment with regards to cybersecurity is not the same in every country.

Work commissioned by the International Telecommunication Union (ITU, 2015) indicates the level of cybersecurity preparedness of a country, the so-called “Global Cybersecurity Index”. The UK achieves a high ranking at fifth place – the same global rank attributed to the important emerging markets India and Brazil. But many trade partners and countries British businesses are outsourcing to rank considerably lower and thus expose British companies to potential threats.

China, a common location for manufacturing offshoring and outsourcing, is ranked 14th while countries like Thailand (15), Viet Nam (18), and Bangladesh (19) rank even lower. Working in emerging markets and with businesses from these regions should therefore be approached with care, and the national cyber security readiness considered fully, including considering vulnerabilities during international business trips.

Part of such considerations should be countermeasures that can be implemented unilaterally as well as in partnership with suppliers. Staff play an important role in building the cyber security defence of businesses. Having an information security policy and relevant training, and briefing staff about the company’s policy should be a cornerstone of the countermeasures strategy. Raising awareness and alertness about cyber threats is a necessary step to safeguard the business. This includes keeping up-to-date with the latest attacks on other businesses as this can reveal vulnerabilities in one’s own business.

Unilateral countermeasures can also be considered within the internationalisation strategy. Entering a market through exports or wholly-owned operations would reduce the exposure to local partners while still allowing the business to pursue its strategic objectives in that market.

Both sets of countermeasures highlight that cybersecurity is not only a concern for an IT department but that it is cross-departmental and requires attention from the whole organisation.  

Contact us

If you would like to get in touch regarding any of these blog entries, or are interested in contributing to the blog, please contact:

Phone: +44 (0)113 343 8754

The views expressed in this article are those of the author and may not reflect the views of Leeds University Business School or the University of Leeds.