International expansion appeared in the top three strategic priorities of C-suite executives around the world for the first time. To ensure a successful expansion plan, growing organisations have more cyber security measures to consider, and more risks to manage, than others.
A confident route to security in new markets
Confidence in data protection has slipped further in 2024. Only 62% of C-suite executives felt completely protected in 2023/24, and two in five expected a significant breach this year.
Countries including China and the U.S. are expected to fare better than others in attracting new businesses to enter their markets. Yet we can expect organisations and individuals in these territories to be among the most vulnerable, given the volume of cyber-attacks experienced there. It is important for leaders to fully understand the markets in which they operate and to be more aware of the latest changes or challenges in those they are entering.
As more governing authorities introduce cyber security legislation to tackle these risks to businesses and local economies, risk and compliance requirements vary significantly across borders.
When it comes to expansion, what does “high risk” actually mean?
Some data and processes within a business are more “high risk” than others, either because they are essential to business continuity or because they require exposure to more third parties to operate efficiently. Importantly, when discussing high cyber risk within global expansion plans, this typically focuses around one of three possible measures:
- Lack of regulation – some regions or countries are less stringent on security than others. These regions can seem easier to enter and comply with, but they are riskier overall because threats are policed less, which attracts cyber criminals who execute attacks digitally from anywhere in the world.
- Lots of regulation – on the opposite end of the scale, high levels of regulation mean increased business responsibility and risk, in terms of the investment and resource needed to comply and maintain regulatory requirements. These risks are just as severe as the possible consequences of noncompliance. Additionally, some regulation may dictate requirements for suppliers, processes, etc., which can result in a loss of full authority over your information systems.
- State-sponsored activity – in line with geopolitical activity, some countries are at greater risk than others from state-sponsored threats and organised crime. However, it’s important to remember that these threats are possible anywhere.
To manage the cyber risks associated with global expansion, there are two key challenges to address, and two recommended approaches to consider.
Challenge 1: localising global compliance requirements
Cyber regulation is evolving and emerging in new territories at a faster pace than ever before, attempting to address increased risk to individual businesses and ecosystems. Many of these regulations can rely on interpretation, and the cost of missteps can be high.
For instance, regulations like the Digital Operational Resilience Act (DORA) require businesses to scrutinise all of their operations and their practices – this includes those of their suppliers. This increased demand for oversight can strain security teams that already face resource constraints and challenge them to familiarise themselves with the requirements of the unknown territory they are investing in.
The underlying challenge here is that many businesses are still taking a compliance-based approach to cyber security. Regulations are often treated like tick-box exercises, which add little value to the business besides reducing, not necessarily avoiding, the risk of non-compliance.
Challenge 2: balancing digital transformation with cyber security
The increased interconnectivity across operations needed for effective expansion naturally creates greater risk. The target, or the perceived weakest link, may be anywhere in the business, and a compromise there will impact the brand and the wider international business through a ripple effect.
Approach 1: maintain a global view and exceed expectations
It’s easy to become overwhelmed when viewing cyber security concerns with a global lens. The risk to a global organisation can be greater than the sum of its local parts, especially as growing businesses continue to become more attractive targets for cyber-crime.
The best approach to avoid piecemeal and incomplete cyber solutions is to take a global view, sometimes setting cyber security requirements to a higher standard than certain regions require.
It’s important to define baseline cyber security requirements specific to your business, and then enforce them throughout the business, regardless of local compliance factors. This means starting not with regulations or local challenges, but with the business itself. Leaders and security teams should work together to map and define the core business infrastructure and what is required to protect it at every level, in a supplier- and geography-agnostic manner.
Once these requirements are defined, only then can they be expanded to include local challenges, including geo-specific threats and requirements, or country-specific regulations. Many businesses taking a risk-based approach are surprised to find that most regulatory requirements are already reflected within their strategies. They can then focus resources on the areas of overlap between disparate regulations.
One of the requirements that may result from this risk-based global view is segmentation. While integration and efficiency are often prioritised, it may be that expansions or acquisitions in high-risk regions need to be segmented from the rest of the business in order to maintain security for the global organisation. Similarly, too much supplier overlap across the business could create too much dependency, and introducing some segmentation can therefore improve resilience.
Approach 2: plan for cyber risk like any other geo-specific challenge
Some of the activity that makes certain regions “high risk” may seem difficult to account for, such as state-sponsored activity linked to geopolitical developments. However, this activity is not inherently different to other fluctuations businesses already account for.
Business continuity has always been at risk from variables such as political and civil unrest, epidemiological concerns, and natural disasters to name a few. If a business can create continuity plans for earthquakes and hurricanes, it can certainly do the same for cyber security incidents if there’s more likelihood of this threat occurring. It simply requires quantifying the potential impact of an incident. Given the vast amount of operational, financial and security data available to businesses, these figures can and should be calculated, monitored and regularly adjusted. Compensating controls can then be implemented in “high-risk” areas to bring exposure levels to an acceptable threshold.
To effectively manage cyber risks, businesses should approach them like other geo-specific challenges, such as political unrest or workforce issues. By quantifying cyber risk and creating business metrics tailored to specific regions, businesses can adapt their strategies accordingly. Compensating controls should be implemented in high-risk areas to bring exposure levels to an acceptable threshold.
Cyber security should not be a blocker to growth
As businesses navigate expansion strategies, the ever-changing cyber landscape is merely one part of that strategy. Organisations should take a risk-based approach to defining the appropriate levels of cyber security requirements and investments in this area. This will ensure they can adapt more easily to support new expansion plans and the requirements in those countries to achieve successful entry and long-term operations.
Learn more in our latest report about the cyber security challenges growing businesses need to consider in 2025 and beyond: Securing digital supply chains: How cyber security drives resilience in business transformation.