Managing safety, corruption and business integrity risk:Protecting your data abroad

What are the risks?

As an exporter you need to be aware of your online vulnerabilities abroad and take steps to protect yourself. If you don’t, the effects can include:

• loss of intellectual property and sensitive data
• service and employment disruptions
• damage to your brand and reputation
• penalties and compensation payments to customers
• costs for countermeasures, insurance and cyber attack recovery
• loss of trade and competitiveness

Employ a cyber security expert

If you don’t understand how to protect your data and your customers get professional help, so you know what to do. Experts help with:

1. checking for weaknesses in your systems
2. rules and regulations
3. disaster recovery policy
4. General Data Protection Regulation [GDPR] compliance
5. policies you should adopt

Own your IT processes

Have someone at the company who knows your cyber security processes, and make sure their knowledge is up to date.  

Sign up to the National Cyber Security Centre’s Cyber Essentials scheme, which helps you guard against cyber attacks. 

Aim to get the ISO/IEC 270001 certification standard, which helps you manage information security. 

Take a cyber security awareness course, for which you may get a government grant.

Train your staff

The weakest part of any network is the user, and it’s the company’s responsibility to protect its staff.

Create a user policy so staff know what they can and can’t do online; it makes their work a lot easier. Staff working overseas can drastically reduce their risk of being hacked if they:

1. encrypt their data – the most effective thing they can do
2. don’t have Bluetooth on
3. don’t auto-connect to networks
4. don’t work in internet cafes
5. use a virtual private network (VPN) to connect to the company’s network 
6. use 2-factor authentication (2FA)
7. don’t store information on their laptop – use an encrypted USB stick 

Reduce data exposure

Connect as little as possible, and when you do connect, do it securely. A VPN or 2FA will reduce your risk, but they’re not impenetrable.  

Don’t leave computers on if you’re not using them – remember to shut them down before going to bed.

Scan laptops and phones for malware.

If you’re working from a satellite office overseas, have a secure connection to the main office’s server. Don’t neglect physical (office and home) security: you have your own servers in the UK, but your gateway will still be in the country you’re in.

Try not to take technical information with you. If your usual laptop has valuable data on it, take a different one. 

Be prepared when you travel

Make sure everything is up to date. Have a patch management system, so when you connect to the company network, it updates your laptop.

Know what the regulations are in the country you visit, and the level of threat you’re likely to face. 

Consider that you might need a licence just for the items on your laptop that could be classed as dual use – for example, technical drawings.

Log and report data breaches

You must keep an internal log of every breach – it doesn't matter how minor. You may be asked for your Data Breach Log if you ever have a major breach.

Under GDPR, if you have a server containing customers’ personal details and it’s compromised, you must report it. If you’re found not to have taken proper steps to secure data in the first place, you can be fined a percentage of your turnover.