We discuss the steps businesses can take to improve their corporate cybersecurity in China, including conducting a cyber risk assessment and implementing organization-wide best practices.
In March 2021, journalists reported that a group of China-based hackers known as Hafnium had compromised hundreds of thousands of Microsoft email servers. This hack affected personal users, small and medium-sized enterprises (SMEs), and other organizations, such as hospitals and government agencies, leaving their data exposed.
Two months later, in May, a group of Eastern Europe-based hackers called Darkside attacked Colonial Pipeline with ransomware, resulting in a major weeklong fuel disruption in the US. Colonial Pipeline, which supplies half of the US East Coast’s gasoline, paid the hackers US$4.4 million worth of bitcoin to end the attack.
These two high-profile hacking attacks reflect the increasing importance of corporate cybersecurity – an issue that has only become more important with the rise of remote work amid the COVID-19 pandemic.
Ransomware is a common form of cyber-attack in which hackers lock their targets out of their own servers, systems, and data until the victim pays a ransom to regain control. These attacks are likely more frequent than is reported in the media, as companies avoid publicizing these cases to limit reputational damage.
SMEs are vulnerable to ransomware attacks, since many do not have cybersecurity systems that are as sophisticated as those of larger companies. In this article, we look at steps SMEs can take to improve their cybersecurity practices and protect themselves against ransomware and other cyber threats.
Cyber risk assessment
Before adopting a particular cybersecurity strategy, companies should conduct a risk assessment to identify what data and related assets are the most important for the organization, their level of risk exposure, and how to manage any vulnerabilities. From here, companies can grasp their strengths and weaknesses in cybersecurity and develop strategies to address deficiencies.
A risk assessment will include mapping of sensitive and critical data. Depending on the nature of the business, a company might hold especially sensitive or critical data that a risk assessment deems to require a higher level of protection.
Such sensitive data may, for example, include the health records or financial information of customers and/or employees, while critical data could include assets that are essential for running the company’s core functions, such as operational processes and intellectual property.
Besides delineating sensitive information, a cyber risk assessment should map who has access to what data, and what procedures – if any – they must complete to access such data. Companies may, for example, limit access to certain data to managers of a certain seniority, or require individuals to fill in a written log of the time and purpose when accessing the sensitive data.
A cyber risk map should also describe where data is being stored and the physical security of servers. From a macro perspective, this includes what data is stored in what city or country, and from a micro perspective, the security measures protecting physical access to the servers.
Multifactor authentication and password strength
Multifactor authentication offers an additional layer of protection that makes hacking more difficult. In addition to a standard email password, for example, multifactor authentication necessitates at least one additional input, such as a personalized code sent to a user’s phone or secondary email address.
Multifactor authentication is an important security tool because users often choose passwords that are simple, easy to remember, and used across a number of different accounts and services, which increases opportunities for hackers to compromise the account.
Companies can upgrade user passwords by requiring them to meet certain standards, such as having a minimum number of characters and combining numbers and symbols. Nevertheless, while this will increase corporate password quality, password strength alone does not replace the protection offered by multifactor authentication.
An account without multifactor authentication may have allowed Darkside hackers to compromise Colonial Pipeline. According to Bloomberg, Colonial Pipeline was breached when hackers gained access to an old account with access to the company’s servers through a virtual private network (VPN). Because the old account did not have multifactor authentication, hackers could access it using only the account’s username and password.
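The kind of account described above, old, still able to reach the VPN, and protected by a password alone, can be found by auditing an account inventory. The following is an added example, not part of the original article; the CSV columns, the 90-day dormancy threshold, and the severity labels are assumptions made for illustration, and the inventory is constructed sample data.

```python
import csv
import io
from datetime import date

# Constructed sample export of an identity inventory; the column names are
# assumptions for this example, not any real product's schema.
SAMPLE_INVENTORY = """\
username,last_login,mfa_enabled,vpn_access
alice,2021-04-28,true,true
svc-legacy,2020-09-14,false,true
bob,2021-04-30,false,false
carol,2021-05-01,false,true
dave,2020-11-02,true,true
"""
DORMANT_AFTER_DAYS = 90  # assumed review threshold


def audit_accounts(csv_text, today):
    """Return (username, severity, reasons) tuples, most severe first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        mfa = row["mfa_enabled"].strip().lower() == "true"
        vpn = row["vpn_access"].strip().lower() == "true"
        idle_days = (today - date.fromisoformat(row["last_login"])).days
        dormant = idle_days > DORMANT_AFTER_DAYS
        reasons = []
        if vpn and not mfa:
            reasons.append("remote access protected by password only")
        elif not mfa:
            reasons.append("no MFA enrolled")
        if dormant:
            reasons.append(f"dormant for {idle_days} days")
        if not reasons:
            continue
        if vpn and not mfa and dormant:
            severity = "critical"  # old account, VPN access, password only
        elif vpn and (not mfa or dormant):
            severity = "high"
        else:
            severity = "medium"
        findings.append((row["username"], severity, reasons))
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: (order[f[1]], f[0]))


if __name__ == "__main__":
    for user, severity, reasons in audit_accounts(SAMPLE_INVENTORY, date(2021, 5, 7)):
        print(f"{severity:8} {user:12} {'; '.join(reasons)}")
```

Accounts rated critical are candidates for immediate disabling; the remaining findings feed the access map produced by the risk assessment.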
Most email service providers now offer companies tools to set up multifactor authentication and password requirements within their servers, including the commonly used Microsoft 365 service.
Create regular backups
Creating offline and online backups on a regular basis is an effective method of minimizing the impacts of a ransomware attack or other cyber intrusion. Backups allow companies to restore enterprise data at a point in time before a cyber attack, thereby making them more resilient to the effects of an attack.
Backups should be stored separately from other data, so they are not compromised in the event of a data breach. Companies may enlist a service to store their backups in the cloud, use a separate private network, or use a combination of both.
Companies can also undertake periodic trial runs where they practice recovering and resuming operations from backups to determine the viability of such a strategy if it is eventually needed. If backups are successful, companies may avoid the need to pay hackers a ransom in a ransomware attack, or can at least reduce disruptions until they resolve the crisis.
Besides developing in-house backups, there is a range of tools and software that companies can purchase to back up their data. These differ in factors such as cost, storage method, ability to access a particular point in time, recovery speed, analytics, and others.
Developing an organization-wide cybersecurity strategy
Given the ubiquity of internet technology in the functioning of virtually all companies – and the increasing sophistication of cyber attacks – corporate cybersecurity strategies can no longer be limited to IT departments. Rather, cybersecurity principles must be integrated into the day-to-day functioning of all departments, whether it be human resources or research and development.
This includes building clear and objective operational policies for running the business on a day-to-day basis, as well as educating and training employees on an ongoing basis on how to identify potential cyber threats.
Compliance in China
In addition to developing internal cybersecurity policies to protect against ransomware, phishing, and other threats, companies operating in China must comply with the country’s cybersecurity regulations. This includes compliance with the Cybersecurity Law, which imposes minimum security standards and other requirements, such as those relating to data storage.
Foreign companies with global operations and cybersecurity standards must therefore ensure that their processes comply with China’s specific cybersecurity requirements while also offering robust protection.
China Briefing is written and produced by Dezan Shira & Associates.