How secure innovation can protect emerging technology companies – with security from the start

Embedding good security practice from the start will pay dividends in the long term.  The Secure Innovation campaign, from the National Protective Security Authority (NPSA) and the National Cyber Security Centre (NCSC), provides advice for tech start-ups to protect their business from the very beginning.

A terminal risk to UK Business

The USP and competitive edge of the UK’s emerging technology start-ups is under threat.

Reuters reported that in 2011, a Chinese wind turbine maker was convicted of stealing trade secrets from a US semiconductor company, causing the company to lose more than $1 billion in shareholder equity and almost 700 jobs.

In 2017, a National Crime Agency report highlighted the WannaCry ransomware attack which affected 300,000 computers in 150 countries, encrypting machines and rendering them unusable. In 2018, the UK and its allies announced that a group known as APT10 acted on behalf of the Chinese Ministry of State Security to carry out a malicious cyber campaign targeting intellectual property and sensitive commercial data in Europe, Asia and the US.  In 2020, the BBC reported on the expulsion of two alleged Russian intelligence officers from the Netherlands for espionage against the Dutch high-tech sector.

Critical and emerging technology companies are at risk of being compromised by certain states for their technological, economic, political, and military gain. Even if the technology does not appear to have military applications or to be sensitive, it could be stolen by state actors to fast-track their capability in a given field or be misused to repress local populations. State actors’ targets are wide reaching – from ‘traditional’ defence and aerospace to new and emerging technologies, including advanced manufacturing and data science.

States will target companies of all sizes, deploying their cyber, human, and technical capabilities to steal ideas, information, and techniques, such as trade secrets, financial information and information on your customers or suppliers. State-backed actors will also subvert legitimate business collaborations and transactions, or indirect routes via supply chain attacks, to achieve their state’s aims. These activities pose a terminal risk to UK businesses. It is therefore essential that companies know and trust who they are doing business with.

The hidden hand of a state

The hand of a state might not be obvious. Some state actors can compel their citizens and organisations by law to work with intelligence agencies, willingly or not, to seek commercially sensitive information. Other states may also target critical and emerging technology companies through intermediaries if this meets their aims.

Security threats don’t just come from state actors.  In 2020, wired.com reported that criminals tried to bribe a Tesla employee to install malware in one of the company’s factories. The malware was designed to exfiltrate data and extort ransom money.  The good news is that through embedding good security practices from the beginning, businesses can be safeguarded from a whole range of threats.

Secure Innovation can help

There are some simple steps UK start-ups can take to secure their business from day one.  These actions will reduce the likelihood of your start-up falling victim to some of the more common attacks and will lay the foundations for strong security as your company grows.

To begin with, a new business can develop a positive security culture through ongoing dialogue with all employees, led by a security lead at Board level.  Those discussions can help identify the most valuable assets that are critical to the existence and success of your business.

Once a business has determined what needs to be protected, the next step is to assess security risks to those assets and put in place appropriate mitigations.  For example, ensuring the business identifies and applies for the appropriate intellectual property protections for the jurisdictions in which they wish to operate and making sure suppliers provide security assurances suitable for your requirements.

Companies can build security into their systems and processes too, by controlling access to information and valuable assets.  Actively monitoring IT usage to ensure information is accessed only by those who need to know, can be highly effective, alongside installing passive physical barriers such as safes and locks, and virtual barriers such as anti-virus software, strong passwords and encryption.

When setting up IT systems, technology start-ups should use the NCSC’s Secure by Default principles when designing software and systems, to ensure that security problems are addressed at root cause, rather than treating the symptoms. This helps ensure products are free from security vulnerabilities. The NCSC also provides guidance on secure development and deployment that will be useful to those producing software and systems.

Finally, companies should prepare for the worst – ensuring critical data is regularly backed up and enabling tools to track, lock or wipe lost or stolen mobile devices.

The UK’s emerging tech sector is under threat from state actors, but Secure Innovation is here to help UK businesses to defend themselves.  More information about any of these measures is available on the National Protective Security Authority (NPSA) website: https://www.npsa.gov.uk/secure-innovation.