IT risks facing companies seeking global expansion
In today’s global economy, technology has removed barriers to international markets, opening avenues to lucrative expansion opportunities for many companies. However, several IT risks are prevalent when working in global markets, and companies must fully understand threats and regulations prior to initiating overseas operations. The following is not an exhaustive list of issues, but these are prevalent concerns that companies must keep in mind to protect against threats and remain in compliance.
U.S. companies need to be aware of the laws that govern data sharing between countries. Regulations vary significantly from country to country and are very fluid in determining how data can be accessed and utilized. Even in the U.S., you should be aware of the rules for data leaving the country. Depending on the type of information transferred and what countries you are working with, stringent regulations exist for how to properly conduct business. For example, information such as health care data and other personal information is very sensitive and highly protected. Transferring such data improperly can carry significant sanctions.
Even if your company is not considering establishing operations outside the U.S., implications can also exist with outsourcing arrangements or third-party contracts. If an outside provider is hosting any information or data, it is important to know where that data resides, and that it is not hosted overseas or crossing international borders without your knowledge. Evaluate your service-level agreements and contracts to confirm allowed and prohibited data activity. Verify that you have an audit process to confirm that third parties are demonstrating compliance with all contract agreements.
In today’s environment, cloud services are popular, which increases both their susceptibility and the focus of those who may try to exploit the environment. Check with your vendor to understand where your sensitive data is located and how the vendor is managing it.
If you are comfortable with where your information resides, you also must carefully manage who has access to your data. If you have partners in foreign countries, you may want to allow them to view your data, but make it read-only to discourage copying or transferring. Install a monitoring framework that includes the location of data and notifies designated employees when files are moved or transferred or when unusual activity occurs.
When operations are initiated overseas and systems are shared, they must be available in English and in applicable foreign languages. As you go global, you must develop a support system to account for technical difficulties in other countries. For example, if infrastructure resides in the U.S. and an issue occurs in Germany, is a system administrator available late at night to help alleviate the concern? Time zone differences can pose a problem, so carefully determine the level of support that is necessary and who is responsible for staffing.
For business applications being considered for use globally, such as enterprise resource planning (ERP) and customer relationship management (CRM), the systems should be evaluated carefully to determine whether they are sufficient for supporting international operations. Global systems should provide the following key functions:
- Multiple languages available within the same installation, depending on the user preference
- Unlimited currency support, with direct access to real-time currency exchange rates
- Country-specific localizations to address specific tax, accounting or financial reporting requirements for various countries
- Intercompany transactions to support sales across legal entities
- Global sales order management, sourcing and inventory to provide a single view across multiple locations around the world
- Consolidated financial reporting to roll up financial results across multiple legal entities, currencies and organizational structures
- Support availability across multiple time zones around the world
In some instances, companies may establish an international presence on a pilot basis, only for the cost and benefit of the expansion to result in a decision to stay in the U.S. With any expansion, the goal is for it to be successful. However, a back-out plan should be developed from the outset, as it can be difficult to retract data from foreign countries. Companies typically know how to deal with information within U.S. borders, but factors or regulations specific to a country or other legal hurdles need to be understood before transitioning information outside the country.
While no company looks forward to a data breach, the unfortunate reality is that breaches are occurring at an increased frequency and scale. The attacks are not haphazard; they are performed by individuals who are sophisticated and focused on gaining unauthorized access to an organization’s information or infrastructure. Millions of sensitive files are accessed annually through criminal activity in the U.S. alone.
To protect consumers, data breach notification and disclosure laws exist in some countries and continue to be established all over the world. If a breach occurs, your company must have a process in place to respond in a quick and decisive manner to stop illicit behavior and protect your reputation. Your business must be familiar with breach laws in the countries you plan to operate in, to avoid financial penalties and lawsuits that compound an already difficult situation.
These are only some of the data and technology risks that companies must consider and prepare for prior to planning for international expansion. You must fully understand U.S. and foreign regulatory requirements as well as the contracts that are established with third-party vendors. Perform due diligence on providers to collect information and evaluate applicable controls, and evaluate internal personnel and the IT infrastructure, so you are prepared to limit risks and remain compliant with U.S. and international guidelines.