When an enterprise contemplates the decision to open an office abroad, or to hire or place employees in another country, the IT security staff should be involved from the start. By having security policies and procedures in place, an organisation can reduce the risk of hiring malicious individuals who could harm or exploit the enterprise’s information assets or damage its reputation. The security team must be able to answer the question: If we have offices outside of the UK, are the same security controls, policies and procedures applicable or relevant?
Opening an office in another country
Whether the decision to have offices abroad is driven by the need to lower costs or to be closer to potential clients, the benefits must outweigh any potential risks to information assets. The level of risk any offshore operation faces depends on the following factors:
- The value of its information, equipment and services;
- The impact of the loss, disclosure, or unavailability of these assets;
- The threat level within the country.
In some countries, the threat from local terrorist groups or even the country’s intelligence services may be so great that having a base there is a non-starter. Before deciding where to locate, be sure to understand public opinion toward the UK and UK businesses in any country being considered. The Foreign Office is a good place to start.
Enterprises obviously want to extend their security ethos to their overseas operations, but some policies and procedures may need to be adjusted for cultural differences and international employment laws in order to make them acceptable and realisable.
Hiring employees in another country
Employment legislation will certainly be different in other countries. Customary pre-employment screening practices in the UK to confirm identity, nationality and employment status and history may not be seen as reasonable or even practical when setting up offices overseas. The culture and legal frameworks of the chosen country will be the basis of your organisation’s and your employees’ rights and relationships, so they need to be fully understood. They affect not only the pre-employment checks, but also the type of ongoing monitoring security measures that can be implemented in the other country. Even if a contractual clause specifies employees will be governed by UK law, local laws may still apply or take precedence.
Verify any potential employee’s identity and his or her right to work in that country, but be prepared to tackle bureaucratic government processes or confusing legal procedures that can delay foreign background checks, including some basic checks, such as tax codes and criminal record checks. When it comes to carrying out pre-employment checks, it’s advisable to allow additional time.
In China, for example, records are generally held on paper rather than electronically, which will certainly prolong turnaround times. Also, various sections of documentary evidence may need to be translated and checked for authenticity; the degree of accuracy and reliability of government data can vary widely from country to country. The prevalence of forged documents in some countries may mean only a certain degree of confidence can be given to those submitted by a potential employee. In such situations, look to mitigate the potential risks by increasing employee monitoring and supervision, and extending the probationary period for new recruits. (The Council of the European Union maintains a public register of authentic identity and travel documents and provides advice on how to check the various security features they use.)
It is worthwhile to check with a lawyer specialising in local employment law to confirm the legal requirements regarding pre-employment checks and how they are to be carried out. In some countries, such as China and the Czech Republic, health screening is a mandatory part of the employment process. This is unlike the UK, where such screening can only be carried out if it is directly relevant to the requirements of the job and where it requires explicit consent of the individual involved, particularly if tests for drug use are involved.
Also understand how overseas crime categories correspond to those in the UK. Consider employing an established offshore screening company to undertake these checks. There are also companies that can help with financial checks, though such checks are not common unless the position is a senior post or one with wide-ranging responsibility.
Integrating employees in another country
To help local employees engage with your organisation’s values, including security values, assign key offshore staff to a UK-based mentor. (This also helps open up direct contact between offices.) Exchanging staff between locations, both for training and work opportunities, is another way to strengthen links with offshore locations and improve staff loyalty. When staff are transferred or promoted within the offshore location or between the offshore base and the UK, however, the office risk assessment should be reviewed and amended.
All employees, no matter where they are based, should be required to sign a confidentiality agreement as part of their employment contract. This should specify that information must not be disclosed to anyone outside the organisation and clearly outline the consequences of any breach of this agreement. As always, access rights should be limited according to an employee’s role. Where a role requires a high level of access, consider additional safeguards, such as limiting the ability to copy or print certain documents or information. The right to sign contracts on behalf of the organisation should also be carefully controlled as part of a procurement policy, in order to avoid family members and friends being favoured to the detriment of the company.
Armed with local knowledge and legal expertise, you can help your company locate and hire trustworthy employees, and enforce the company’s security policies and controls effectively in each country.
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb serves as SearchSecurity.com’s contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com’s Security School lessons.
This was first published in January 2012