Kay Ng, cybersecurity and data regulations expert and founder of Cyber Analytics, offers a guide to protecting digital data and assets for British companies operating in China
In an era of unprecedented economic volatility and geopolitical tensions, where data and cybersecurity have become the new battlegrounds, UK businesses operating in China face a unique challenge: driving business growth in a complex market while safeguarding their intellectual property and digital assets.
This guide reaffirms cybersecurity and data protection strategies to help companies in China preserve their competitive advantage during uncertain times.
Why prioritising cybersecurity in China is non-negotiable, even in a downturn
In a slower growth environment, intellectual property becomes even more valuable
Robust cybersecurity measures are critical to protect trade secrets and innovations that drive competitive advantage. It is important to know in what format your IP exists, who has access to it, and whether it can be shared with competitors without your knowledge.
The typical IP a company holds is already in the public domain. However, certain IP, like trade secrets, is reserved for only a subset of inner circle executives. A global Fortune 500 manufacturing company I consulted for defined the following as IP requiring the highest level of protection:
- Manufacturing processes and 3D drawings: These might include source code, bills of materials, etc., from R&D flow to manufacturing.
- Customer lists: These might contain valuable information about target, existing and potential clients, their preferences and purchasing history.
- Pricing strategies: This could include confidential information about pricing models, discounts, and other commercially sensitive data.
The Fortune 500 company’s assessment was that the above were easily subject to insider exfiltration of data and should warrant a security programme that targeted insider risks.
On the other hand, digital assets such as Internet domain names are easy targets for external attackers. Domain names could be stolen by local companies and competitors to impersonate you, thereby stealing your business.
Securing the company’s online presence and brand identity in the digital space typically forms another strand of a global company’s cybersecurity programme.
During economic downturns, regulatory bodies may increase scrutiny to protect national interests
China’s cybersecurity laws are complex and frequently updated. The Cybersecurity Law, Data Security Law, and Personal Information Protection Law form a comprehensive framework that affects almost all aspects of business operations.
During economic downturns, regulatory bodies may increase scrutiny to protect national interests. More and more non-traditional areas such as climate and the environment could now come under the umbrella of China’s state security.
Restricting the outbound flow of data means all data storage and processing such as AI and machine learning needs to be done locally. This creates job opportunities and upskilling in the local market.
The main difference between the Chinese data laws and UK GDPR is the wide and vague scope of what “important data” is to China. The deliberate vagueness means it could be interpreted in any way that suits its purpose.
The high stakes of data breaches: Financial and reputational risks you can’t afford
Europe tends to enforce GDPR consistently and regularly; China tends to make an example of large corporations as a deterrence mechanism.
For example, Chinese ride-hailing firm Didi Global was fined 8.026 billion yuan (£860.3 million) by the Cyberspace Administration of China in 2022 after the regulator decided that the company had violated the nation’s Network Security Law, Data Security Law, and Personal Information Protection Law. In a statement, Didi Global said it accepted the cybersecurity regulators’ decision, which came after a year-long investigation into the firm over its security practices and “suspected illegal activities”.
The key point is, the more foreign ties a company has, the more the company is subject to geopolitical risks. To date (and to my knowledge), no UK companies have been fined under the Chinese Data Laws.
Cost-effective strategies for safeguarding data interests in China
Companies can apply these cost-effective practices to safeguard their interests in challenging times:
a) Smart data management: Balancing localisation and global operations
- Targeted data classification: Implement targeted data classification to minimise unnecessary data localisation costs.
- Data minimisation: Don’t hoard data. It costs money to collect and store, and it increases your organisation’s burden to protect. Explore data minimisation technologies or practices to reduce storage and compliance costs.
- Secure cloud solutions: Leverage secure cloud solutions that comply with Chinese regulations while maintaining global data access.
b) Maximising security ROI: Encryption and access control on a budget
- Prioritise encryption: Prioritise end-to-end encryption for your most critical data assets.
- Risk-based authentication: Implement risk-based authentication to balance security and user experience.
- Regular access audits: Conduct regular access audits, particularly during sensitive times, to prevent unauthorised data exposure and reduce overheads.
c) Navigating compliance efficiently
- Build relationships: Cultivate a good relationship with the relevant authorities.
- Shared compliance resources: Consider shared compliance resources or partnerships to distribute costs while maintaining regulatory alignment.
- Focus on fundamentals: Focus on the foundation of good data security practices and develop a streamlined compliance monitoring system to stay ahead of regulatory changes without overburdening resources.
- Leverage technology: Utilise technology for automated compliance checks and reporting.
Staying ahead of the curve: What to watch for in an evolving landscape
a) Emerging threats in a shifting economic climate
- Insider threats: Watch for a potential rise in insider threats as economic pressures mount.
- Opportunistic cybercrime: Stay vigilant against opportunistic cybercrime targeting businesses perceived as vulnerable during downturns.
- Cyber espionage: Be alert to increased cyber espionage as companies and state actors seek competitive advantages. I often see companies become the collateral damage of national rivalry rather than the targeted victim.
b) Regulatory evolution in response to economic conditions
- Data regulation fluctuations: Anticipate potential loosening or tightening of data regulations as China balances economic growth with security concerns.
- New incentives and requirements: Monitor for new incentives or requirements aimed at boosting specific sectors or technologies.
- Cross-border data flow: Stay informed about changes in cross-border data flow regulations that may impact global operations.
c) Adapting to shifting cultural and operational norms
- Evolving business practices: Be prepared for changes in business practices and cybersecurity attitudes as economic pressures evolve.
- Government intervention: Anticipate potential increases in government oversight or intervention in key industries.
- Risk tolerance: Understand how economic challenges might influence risk tolerance and security investment decisions among Chinese partners and competitors.
In times of economic uncertainty, businesses don’t want to spend more than needed on risk management. However, effective cybersecurity and data protection strategies become more critical in times like these. By prioritising these areas, companies can protect their most valuable assets, maintain regulatory compliance, and position themselves for resilience and future growth.
The key is to approach security as a strategic investment, balancing immediate cost considerations with long-term risk mitigation and competitive advantage. With careful planning and execution, UK businesses can navigate the complexities of the Chinese market, safeguarding their digital assets while remaining agile in the face of economic challenges.