Setting Up Your China Back Office: Cyber Security, Compliance Solutions
In this two-part series, we discuss solutions for back office automation in China. This includes ways to manage key considerations, such as accessing trustworthy support and reliable information resources on-the-ground, knowledge of IT software and service options unique to China, legal compliance, and cyber and data security concerns.
Part 1 focused on two major considerations and offered relevant solutions for each: first, tackling information resource gaps to facilitate effective decision-making in a sensitive market like China, and second, ensuring the operational stability of your back office set-up in China.
Here, in Part 2, we will discuss solutions to achieve cyber security and compliance for foreign firms setting up back office operations in China and ways to strengthen IT support on the ground.
Challenges in maintaining security and compliance
Beyond the technical obstacles, there is one more complex issue faced by foreign-invested enterprises in the process of back office automation – security and compliance, which is not purely an IT issue or a legal issue but a mixture of both. Here we spotlight some of the most common challenges regarding security and compliance.
Data leakage tends to happen when user devices are not controlled by the company. For instance, under the current COVID-19 situation, with many employees working remotely on personal laptops, the risk of data leakage is higher, since home devices usually lack the protection of company equipment in the workplace. Things get worse if the company has no unified communications (UC) platform, as business data and documents then start to flow across whichever social media platforms employees adopt in the absence of a secure corporate alternative.
As the expression goes, “The easiest way to capture a fortress is from within”. Even with secure premises, a sound setup, and suitable security measures in place, one of the most vulnerable points is the protection of individual employee user accounts. Spoofing and malware succeed by exploiting the limited IT knowledge of general staff in an organization. A compromised account often results in the breach or bypassing of numerous security controls, such as network perimeter protection and access control on information assets.
China has in recent years continued to develop its cyber security regime by drafting, revising, and releasing relevant laws and regulations, resulting in a growing number of ever more complex and changing requirements in IT planning and compliance. Here we list some common compliance requirements that foreign companies must consider when planning to automate their back office in China:
ICP filing and ICP license
An Internet Content Provider (ICP) filing is a mandatory requirement for any website or system that is to be publicly accessible through the internet in China, whether for internal or external use. Without proper ICP filing,
In addition to an ICP filing, which is supervised by the Ministry of Industry and Information Technology (MIIT), the Ministry of Public Security (MPS) may require a company to go through a filing process with the local Public Security Bureau (PSB). This must usually be done within 30 days after an ICP filing has been made. Without prompt filing, the PSB could ask the ISP to shut down access to a system or a website, in addition to imposing a penalty on the company and/or the technical staff who oversee the system.
As stipulated by the Cyber Security Law, the operator of a critical information infrastructure (CII) system shall store personal information and important data collected and generated during its operation that relates to company operations or personnel in China within the territory of China. Prior approval is needed if a cross-border transfer of the above-mentioned data is necessary. This poses a major challenge to companies that utilize the existing IT system of their HQ.
The Multi-Level Protection Scheme (MLPS) is a set of national standards first introduced in 2007, then adopted into the Cyber Security Law (CSL) in 2017 and updated into what is now MLPS 2.0. MLPS 2.0 puts more pressure on companies to maintain compliance, with five levels of regulated security protection. Companies are expected to assess their own systems in order to understand which of those levels they fall into, and which corresponding security control measures they are expected to adhere to. For level 2 or above, for example, an on-site evaluation of the in-place security control measures must be performed by a government-designated “security auditing” firm.
China has also paid increasing attention to personal information protection in recent years. Several campaigns were launched in 2019 to address the illegal collection of personal information in China, which spawned a range of standards that stipulate detailed requirements for privacy compliance. Unlike Europe’s General Data Protection Regulation (GDPR) or California’s Consumer Privacy Act (CCPA), however, China does not yet have a single universal law on privacy. China’s Personal Information Protection Law has just been included in the National People’s Congress’s 2020 legislative plan. Until this evolves, keeping compliant in this regard will remain a significant challenge for companies operating in China, because for now they must refer to multiple regulations and instructions from different authorities while managing their compliance objectives.
To deal with the above challenges, it is important to combine both technical and legal expertise in IT compliance processes. Pure legal advice often lacks practical input from genuine IT experience and can be very hard to apply in the real world.
On the other hand, pure IT advisory tends to focus on the information communication technology (ICT) aspects alone and may have a low awareness or sensitivity to legal compliance requirements. Working with both technical and legal professionals is the most suitable option.
With this priority in mind, the following approaches can help to mitigate the potential risk of cyber insecurity and non-compliance:
Under a traditional security strategy, a security perimeter is defined, with users inside the perimeter designated as being within a ‘trust’ zone and users in locations outside the perimeter designated as being within a ‘distrust’ zone. People or devices in the trust zone are subject to looser security controls, while any access from the distrust zone is controlled more strictly. In practice, however, attacks from inside the trust zone have become more and more prevalent, with larger associated risks.
An alternative to this methodology is the zero-trust strategy, which means never trusting any person or any device by default. This approach is becoming more popular as a way to meet complex security challenges. Each access attempt, from any device, by any person, at any location, is evaluated against multiple factors before access is granted or declined. This is usually achieved with an artificial intelligence (AI)-based security control system.
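To make the difference between the two models concrete, the following added example (not code from the article or from Dezan Shira) evaluates the same sample requests under a perimeter rule and under a zero-trust rule. The networks, users, devices, sensitivity levels and risk thresholds are all constructed assumptions; a real deployment would take these signals from the identity provider, device management and sign-in risk services rather than from literals.

```python
"""Perimeter vs zero-trust access decisions (added illustrative example).
All networks, users, devices and thresholds are constructed sample data."""
import ipaddress
from dataclasses import dataclass

# Constructed: address ranges treated as the office "trust zone".
CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed: maximum acceptable sign-in risk per resource sensitivity.
RISK_LIMIT = {"low": 0.8, "medium": 0.5, "high": 0.2}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    source_ip: str
    device_managed: bool    # enrolled in the company's device management
    device_encrypted: bool  # disk encryption (e.g. BitLocker) enabled
    mfa_satisfied: bool     # second factor presented for this session
    sensitivity: str        # resource classification: "low", "medium", "high"
    risk_score: float = 0.0  # 0.0 benign .. 1.0 highly anomalous sign-in


def inside_perimeter(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def perimeter_decision(req: AccessRequest) -> tuple[bool, list[str]]:
    """Traditional model: network location alone decides."""
    if inside_perimeter(req.source_ip):
        return True, ["source inside trust zone"]
    return False, ["source outside perimeter"]


def zero_trust_decision(req: AccessRequest) -> tuple[bool, list[str]]:
    """Zero-trust model: every request is checked against several signals,
    wherever it comes from. Returns (allowed, reasons)."""
    reasons = []
    if not req.device_managed:
        reasons.append("device not managed")
    if req.sensitivity != "low" and not req.device_encrypted:
        reasons.append("unencrypted device for sensitive data")
    # MFA is required for sensitive resources and for any off-network access.
    needs_mfa = req.sensitivity != "low" or not inside_perimeter(req.source_ip)
    if needs_mfa and not req.mfa_satisfied:
        reasons.append("MFA not satisfied")
    limit = RISK_LIMIT[req.sensitivity]
    if req.risk_score > limit:
        reasons.append(f"risk score {req.risk_score:.2f} exceeds {limit:.2f}")
    if reasons:
        return False, reasons
    return True, ["all signals satisfied"]


# Constructed sample requests.
SAMPLE_REQUESTS = {
    # Insider on an unmanaged personal laptop, sign-in flagged as anomalous.
    "insider_unmanaged": AccessRequest("alice", "10.1.2.3", False, False, False, "high", 0.6),
    # Remote worker on a managed, encrypted laptop who completed MFA.
    "remote_managed": AccessRequest("bob", "203.0.113.7", True, True, True, "high", 0.1),
    # On-site user, managed device, no MFA, reading a low-sensitivity resource.
    "insider_no_mfa_low": AccessRequest("carol", "10.9.9.9", True, True, False, "low", 0.0),
}


def compare_models() -> dict[str, dict[str, bool]]:
    """Decision of each model for every sample request."""
    return {
        name: {"perimeter": perimeter_decision(r)[0], "zero_trust": zero_trust_decision(r)[0]}
        for name, r in SAMPLE_REQUESTS.items()
    }


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        for model, fn in (("perimeter", perimeter_decision), ("zero-trust", zero_trust_decision)):
            ok, why = fn(req)
            print(f"{name:20s} {model:10s} {'allow' if ok else 'deny':5s} ({'; '.join(why)})")
```

The insider on an unmanaged laptop is waved through by the perimeter rule but denied by the zero-trust rule on four separate grounds, while the remote worker on a compliant device is denied by the perimeter rule and allowed under zero trust; the reasons list is what an operator would want logged for each decision.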
Centralized platform with DLP and information protection
To meet the challenge of cyber security and compliance, our first suggestion is to implement one centralized platform that covers all business needs, in which all business-related data can be stored and managed under the control of the company. Additionally, all data saved on devices (data at rest) should be encrypted, for example by enabling BitLocker encryption on laptops, in case a device is lost at some point. All data in transmission should be exchanged over secure protocols, such as an HTTPS/TLS connection. Role-based access control (RBAC) and other access control methods should be applied to any data in use. In addition, the company should consider deploying data loss prevention (DLP) measures to prevent sensitive business data from being transferred out of the organization accidentally or intentionally. For very important data, further information protection measures, such as Azure Information Protection, should be considered and applied at the document level to extend the security control outside of the organization, wherever the document is.
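The following added example (not code from the article or from any vendor product) shows how the RBAC and DLP controls described above combine at the point where a document leaves the organization: the user's role must permit the action on the document's classification, and, for external recipients, the content is scanned for sensitive patterns. The role matrix, the mail domain, the documents and the regular expressions are constructed assumptions for illustration, not production-grade detectors.

```python
"""Outbound transfer check combining RBAC and DLP (added illustrative example).
The permission matrix, domain, detectors and documents are constructed samples."""
import re
from dataclasses import dataclass

# Constructed RBAC matrix: which roles may read / export each classification.
PERMISSIONS = {
    "public":       {"read": {"staff", "finance", "admin"}, "export": {"staff", "finance", "admin"}},
    "internal":     {"read": {"staff", "finance", "admin"}, "export": {"finance", "admin"}},
    "confidential": {"read": {"finance", "admin"},          "export": {"admin"}},
}
INTERNAL_DOMAINS = {"example.com"}  # constructed: the company's own mail domain

# Constructed DLP detectors; illustrative patterns only.
DETECTORS = {
    "bank_card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "prc_id_number": re.compile(r"\b\d{17}[\dXx]\b"),
    "project_code": re.compile(r"\bPRJ-\d{4}\b"),
}


@dataclass(frozen=True)
class Document:
    name: str
    classification: str
    body: str


def dlp_scan(text: str) -> dict[str, int]:
    """Number of hits per detector, omitting detectors with no hits."""
    hits = {name: len(rx.findall(text)) for name, rx in DETECTORS.items()}
    return {k: v for k, v in hits.items() if v}


def rbac_allows(role: str, action: str, classification: str) -> bool:
    return role in PERMISSIONS[classification][action]


def check_outbound(role: str, doc: Document, recipient: str) -> tuple[bool, list[str]]:
    """Decide whether sending `doc` to `recipient` is allowed. Returns (allowed, reasons)."""
    reasons = []
    domain = recipient.rsplit("@", 1)[-1].lower()
    external = domain not in INTERNAL_DOMAINS
    # Sending outside the organization counts as an export; inside it is a read.
    action = "export" if external else "read"
    if not rbac_allows(role, action, doc.classification):
        reasons.append(f"role '{role}' lacks '{action}' on {doc.classification} data")
    hits = dlp_scan(doc.body)
    if external and hits:
        reasons.append("DLP: " + ", ".join(f"{k} x{v}" for k, v in hits.items()))
    return (not reasons), (reasons or ["allowed"])


# Constructed sample documents (all identifiers are made up).
MEMO = Document("memo.docx", "internal", "Budget for PRJ-1234 is attached.")
PAYROLL = Document("payroll.xlsx", "confidential", "Employee ID 11010119900307001X, card 6222 0211 3344 5566")
NEWSLETTER = Document("news.pdf", "public", "Our Shanghai office has moved.")


def run_samples() -> dict[str, bool]:
    """Outcome of each sample transfer."""
    return {
        "staff_memo_external": check_outbound("staff", MEMO, "partner@partner.example.net")[0],
        "finance_payroll_internal": check_outbound("finance", PAYROLL, "hr@example.com")[0],
        "admin_newsletter_external": check_outbound("admin", NEWSLETTER, "press@media.example.org")[0],
        "admin_payroll_external": check_outbound("admin", PAYROLL, "auditor@audit.example.net")[0],
    }


if __name__ == "__main__":
    for name, doc, role, to in (("staff", MEMO, "staff", "partner@partner.example.net"),
                                ("admin", PAYROLL, "admin", "auditor@audit.example.net")):
        ok, why = check_outbound(role, doc, to)
        print(f"{doc.name:13s} by {role:8s} -> {to:30s} {'allow' if ok else 'deny'}: {'; '.join(why)}")
```

Note that the last case is blocked even though the admin role is permitted to export confidential data: DLP is an independent control, so a legitimate role does not exempt a transfer from content inspection. Scanning only external recipients is a design choice that keeps the check cheap for internal traffic; a stricter policy would scan both directions.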
One example of such a platform is Microsoft 365, which combines email, file, messaging, meeting, and productivity tools to meet all business requirements, while all data is saved within the same platform under centralized control.
Identity and Access Management (IAM) protection is recommended to provide stronger protection for user accounts, considering that the most common and effective attacks on user accounts are spoofing, trojans, and malware. One simple way to achieve this is to implement Multi-Factor Authentication (MFA) for user accounts, which can prevent illegitimate access to systems even if a user’s account name and password are compromised. It is even better if the IAM solution is AI-based, such as Azure AD Security, which can provide additional control through conditional access.
Finally, companies are also advised to provide regular training to their staff to increase security awareness, as users are the last line of defense against security threats. An internal spoofing penetration check (a simulated phishing exercise) can be very helpful in identifying the most vulnerable users, to be followed up with training for those users on security awareness topics.
Lack of on-ground IT resources for support
A challenge that exists and affects an entire back office system is that the China subsidiary offices of foreign-managed companies often lack on-ground IT resources to provide adequate, proficient, and timely technical support. With a lack of local support, the range of earlier mentioned performance-oriented issues will naturally affect front office operations and staff for longer durations and in more pronounced ways.
For startups and small- and medium-sized enterprises (SMEs), this naturally occurs because it is difficult for them to maintain qualified IT staff who are able to solve and supervise IT related issues due to budget constraints. Even larger companies lack on-the-ground IT resources in their China subsidiaries, especially at the beginning stage of the investment and due to challenges, such as those posed by COVID-19.
As a result, it is extremely common to see clients’ branch offices in China being heavily reliant upon remote management by the HQ IT team. This often covers all aspects of the branch’s IT – from the simplest IT helpdesk matters to complex IT infrastructure or migration projects, and more. For offices that rely this heavily upon the headquarters for IT support, a host of challenges tend to occur, and they are often poorly mitigated, simply due to scale and to issues that are unique to China. Yet even branch offices that do have some on-site IT personnel in China can expect to face difficulties in handling the range of IT issues that can arise in supporting back office operations and automation. Most companies simply do not have the budget to run a large and sophisticated local IT team.
This status quo has been tolerated by many companies for years in China. The lack of a robust local technical team can be particularly challenging if a company plans to build their own in-house tech-powered back office systems.
Support challenges stemming from inefficient communication
Communication between an HQ IT team and local offices often brings sizeable language barriers, time zone differences, and culture differences, which work together to impact the quality and efficiency of the communication between the HQ IT team and the local staff.
For example, most companies lack specialized technical support staff in China who can communicate bilingually while speaking and acting with technical ability on a level with their peers at HQ. This creates many problems for company personnel in communicating at a technical level about the company’s own network and system environment, troubleshooting issues, and gathering information about newer solutions under consideration.
It is common for companies to reach impasses, which force the HQ to trust and accept a local solution that they may not understand. Such gaps can lead to divergences in the very tools and technologies that are adopted locally (shadow IT), or to unvetted local third parties gaining access to corporate systems in order to help troubleshoot and correct an issue, which can lead to substantial compliance and security problems in the medium to long term.
Another concern is maintaining continuity, compliance, and security in localized solutions. To achieve this goal, the IT supporting team needs to maintain a good and current understanding of the local system’s technical updates and changes in its policies. Without careful consideration and on-the-ground interface to maximize communication and transparency, this requirement is very hard to fulfill.
Difficulties in proactive management
Proactive management and maintenance work on existing IT systems is a well-known way to prevent potential IT problems or to mitigate potential damage in advance. However, SMEs in China often have limited IT resources on the ground, or perhaps limited remote support from their HQ IT team, which makes it difficult to do proactive management work. This in turn tends to increase the number and impact of problems within some firms’ China corporate IT environments.
Instead of spotting and preventing risks in advance, the IT team must ‘put out fires’ in response to issues that have already occurred and may already be disrupting front and back office operations. As a result, different but related IT problems may also subsequently pop up from time to time, further weakening the overall reliability and stability of the systems that the business depends on.
It is very common at this point for local staff and management in China to become less satisfied with the IT systems provided by the headquarters, and as mentioned earlier, they may even seek alternatives that are easier for them to support but may in turn introduce even more challenges. It is therefore important to avoid getting trapped in this cycle, if at all possible.
Firms with larger IT budgets can of course develop their own on-the-ground IT resources, although it takes time. Smaller firms are less likely to be able to justify dedicated, full-time support staff. They may utilize a reactive support provider, but this often overlooks a solid proactive support model. For such firms, there are other options that are very sound.
Scheduling support services: Scheduling support services, even part-time on fixed (one or two) days each week, can establish the organizational familiarity and maintenance routines that are necessary via weekly proactive tasks to bring stability to the system. This can be a very affordable option that many firms overlook and may even be available in a package as low as one or two scheduled days per month.
For mid-sized companies, this can also be a route for them to scale back on some of their current internal service provisions to reduce IT operating costs.
Cloud and SaaS-based solutions: A key strategy for smaller firms is to reduce the number of issues that can arise by simplifying the IT environment. In this case, that means using SaaS or other cloud-based solutions. SaaS or other cloud-based systems typically depend only on the Internet, the network, and a personal computer or mobile device to perform well. The burden of proactive management falls mainly upon the software suppliers/service providers themselves, instead of your corporate IT teams. Companies only need to provide proactive management for the remaining parts of the company’s system and network that are internally supported. Overall, such services are often much simpler and more cost effective to maintain.
Cooperation with a qualified local service provider: Smaller firms sometimes adopt a mixed solution, which is also a good practice – one or more local bilingual staff with basic IT literacy, combined with one or more competent external IT partner(s). Through this cooperation with the qualified local service provider, the company’s local team and their HQ team can communicate in both languages, and proper support becomes more possible should a need arise. Nevertheless, the company should be equipped with enough basic knowledge to tell whether a service vendor is qualified.
Key points when planning your back office automation
Tech-powered tools are helping to automate back office processes for China businesses in ways that allow them to operate more efficiently, to work remotely in a seamless manner, and to operate on ever smaller budgets. This trend can be leveraged by firms to their clear advantage but is best done if a company also ensures that their chosen solutions, network environment, and support model are ready and well in place.
Foreign-owned businesses tend to encounter numerous challenges or frustrations with developing, operating, and maintaining IT systems for their China subsidiaries. Such challenges include China’s unique Internet environment, where solutions that may seem similar to overseas offerings are in fact unique to China, and the China compliance context. More importantly, these issues are difficult to manage well without adequate on-the-ground China IT advice and support. Most companies need IT resources with solid on-the-ground knowledge and experience, whether through a dedicated internal team or by incorporating external vendors.
Companies can of course recruit and manage the team by themselves, but this comes at considerable cost, which is usually out of the budget for most SMEs. Under such circumstances, cooperation with a qualified local IT service provider might be the most time-and-cost efficient option to help ensure a healthy IT environment and to support more digital, automated, and enabling tools.
To select a local IT service provider to help facilitate the digitalizing and automating of your back office functions in China, the following vendor criteria are considered important based on our experience:
- Able to cooperate seamlessly with both the HQ and the China subsidiaries of the company in an efficient and friendly way.
- Able to provide advice based on detailed on-the-ground knowledge to assist decision-making at the HQ.
- Maintains certifications and qualifications applicable to the IT aspects of back office automation in areas such as:
» Data Protection Officer (DPO) Certification in the privacy compliance field;
» Certified Information Systems Security Professional (CISSP) in the information security field; and
» Vendor-specific certifications within China, such as Dynamics ERP, XERO, MSSP, Microsoft 365 Security Administrator for IAM/DLP solutions, CCIE, etc.
- Rich experience within back office functional areas, from a services and advisory perspective, to address joint knowledge areas:
» Accounting and audit;
» Risk management and internal controls;
» Human capital management and HR and payroll administration; and
» IT legal and compliance.
Information technology plays the most critical role to enable successful adoption of tech-powered solutions within your business environment, as well as ensuring the ongoing stability, continuity, and efficiency of the systems. Where such resources are absent or lacking internally, external IT facilitation is your most efficient and affordable option.
China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at email@example.com.