Secure Innovation

Competition to succeed in emerging technology can be intense. This guidance is for founders or CEOs of innovative startups, and will help you to protect:

• your technology so it remains within your control
• your competitive advantage, including your intellectual assets and sensitive business data
• your reputation

Part one of this guidance contains cost-effective measures to take from the start, including advice on ways to:

• ensure security is factored into all business decisions
• identify the assets most critical to your success and consider the risks they face
• protect those key assets with proportionate cyber, physical and people security measures

The measures outlined in part two are for when your company begins to grow, and build upon those covered earlier. They include advice on how to:

• support and protect a growing team
• take a security-minded approach to increased collaboration, investment and expansion

For startups with limited resources, spending time and money on security may seem like an unnecessary and costly distraction. However, good security can protect your competitive advantage, and make your company more attractive to investors and customers.

Security is an investment. It will evolve as your company grows into a thriving business. Laying strong foundations from the start will help your current and future security measures to be more effective and, ultimately, less resource intensive.

Although international collaboration can be enormously beneficial when developing cutting-edge technology, it also heightens the security risks for companies working on them. Some foreign states may seek technological advancement for reasons that are at odds with UK interests and values, such as:

• to develop a research and innovation base to increase military and technological advantage over other countries
• to deploy their technological and military advantages against their own population to prevent internal dissent or political opposition

This guidance will help you consider what is most valuable to you, and to put in place measures that will prepare you to protect that value, both now and in the future. Doing so should protect your innovative ideas and make you more attractive to customers and investors. It will also help you to comply with local data protection laws, such as the General Data Protection Regulation (GDPR).

The startup phase is the perfect time to set the tone for your future security culture.

People are at the heart of good security, so having ongoing conversations on security with your team however small is vital to developing a positive security culture in which your team will help to protect your company. These conversations will increase the efficacy of any security policies you develop by ensuring they are based on an understanding of how people work. This, and championing security from the top, should help to shape a culture in which any security incidents are openly discussed.

This is also a great time to establish enduring security roles and responsibilities. When establishing your business, you need clear security leadership. This means identifying someone at Board level with the authority and responsibility to ensure that security is factored into business decisions.

We also recommend:

• establishing a security strategy for your business based on an understanding of your key assets, the risks they face and the risks you are willing to tolerate (protect your value)
• regularly reviewing security policies and procedures, so that they evolve with the business' exposure to threats
• establishing responsibilities for security with any new employees, contractors, or suppliers

Your assets are wide-ranging. They will include easily identifiable assets (such as your staff, premises, products and services), but also intangible assets such as the information, intellectual property, and knowledge you hold. Identifying those assets which are critical to your startup's success should be the starting point in your security planning.

Good security will enable your business to thrive and make you more attractive to customers and investors. Security risks should therefore be assessed and managed alongside any other risks to your business. Understanding the following will help you to determine which risks to prioritise:

• your organisations goals and priorities
• your most critical assets
• the threats to those critical assets
• the likelihood and consequence of a threat affecting you

Completing a risk assessment will help you to identify vulnerabilities and the potential impact of exploitation. Put in place mitigations that can help you bring down the risk level to one you find acceptable and establish a process to review these risks.

Intellectual property

How you plan, manage and protect your ideas should be a crucial feature in your business planning. One of the first things you should do is understand whether and how you should protect your intellectual property (IP) and apply for the appropriate IP protections for the jurisdictions in which you wish to operate. You don't want to invest time and money in your business, only to later find the IP already belongs to someone else.

The Intellectual Property Offices IP Health Check is a free and quick tool that will help to identify your IP assets, and provide advice on how to protect them. The British Library Business and IP Centre also supports entrepreneurs, inventors and small businesses. However, having the right legal protections for your IP in place does not mean it's no longer at risk. You should continuously review who has access to your most sensitive information and how you ensure it remains secret.

Any security decisions you make will be strengthened by considering people, information, physical and cyber risks together. Securely configured IT may be at risk if left in an unlocked room. Equally, physical barriers such as safes and locks are pointless if you are not checking the credibility and trustworthiness of the people who can access it.

Technology startups should use the NCSCs Secure by Default principles when designing software and systems, to ensure that security problems are addressed at root cause, rather than treating the symptoms. Ensuring that your products are free from security vulnerabilities is a key concern. The NCSC also provides guidance on secure development and deployment that will be useful to those producing software and systems.

Securing your critical assets

The previous section covered identifying your most critical assets. You should design your security measures around protecting them.

1. Place barriers around each asset that you have prioritised for protection. These could be physical barriers such as a cabinet, or virtual barriers such as a firewall.
2. Control access to the asset to only those employees who need it and are trusted to use it securely. This may be as simple as putting a lock on the cabinet, enabling swipe card access to certain areas, restricting administrator rights and access to physical ports, or having strong passwords on your IT devices.
3. Take regular, ideally automated, backups of critical data and keep them physically and logically separate from the main system. This will allow your business to function following the impact of physical damage, theft or ransomware attacks.

Cyber security measures

Insecure IT can provide an easy way for your business to be exploited. The following steps are designed both to reduce the likelihood of your systems being compromised and to reduce the impact of a breach, should one occur.

Switch on your firewall and antivirus

Most popular operating systems now include a firewall, so it may simply be a case of switching this on. Similarly, antivirus software is often included for free, and should be used on all computers and laptops. Most modern smartphones and tablets don't need antivirus software, provided you only install apps and software from official stores such as Google Play and Apple's App Store.

Use passwords to protect devices and accounts

Switch on password protection or choose another method to 'lock' your devices (such as a fingerprint, PIN, screen-pattern or face recognition). If your devices come with default passwords, change these before they are distributed to staff.

• Use two-factor authentication for important accounts (e.g. email or banking). This uses two methods to 'prove' your identity, usually a password and something else, such as a code sent to your phone.
• Try to avoid using predictable passwords (such as dates, or family and pet names), and don't use the most common passwords that criminals can easily guess. To create a memorable password that's hard for someone else to guess, you can combine three random words.
• Help staff to remember passwords, for instance by only requiring them to be changed when you suspect that they have been compromised. Provide staff with secure storage (away from the device) where they can record important passwords. It is safe to let your browser save your passwords.

Keep devices and software up to date

Keep all IT equipment up to date by ensuring that the software and firmware is updated ('patched') with the latest updates from providers. These updates will not only add new features, but they will also patch any security holes that have been discovered. Make sure staff know when updates are ready, how to install them, and that it's important to do so straight away.

Wherever there is an option to do so, set systems to automatically update. Once a product reaches the end of its supported life and these updates are no longer available, consider replacing with a more recent alternative.

Think about how you connect to the internet

Avoid connecting devices to unknown public Wi-Fi hotspots. Doing so could allow the provider (who may not be who you think it is) to see what you're doing and to access your private login details. Instead, use your mobile network, which will have built-in security, preferably in conjunction with a virtual private network (VPN).

• If you are using an internet connection provided as part of shared office space, how confident are you in both the provider and any other parties using the connection? Identify the boundary of networks that you control and can trust. If necessary, seek advice to implement appropriate and proportionate measures.
• If you need to routinely access the internet over untrusted infrastructure, we recommended using a VPN. VPN capability can be provided either as a service or managed by your organisation. Take care to understand what you are paying for and how your connection to the internet is made.

Enable tools to track, lock or wipe lost or stolen mobile devices

Staff are more likely to have their tablets or phones stolen (or lose them) when they are away from the office or home. Fortunately, the majority of devices include free web-based tools that are invaluable should you lose your device. You can use them to: 

• track the location of a device
• remotely lock access to the device (to prevent anyone else using it)
• remotely erase the data stored on the device
• retrieve a backup of data stored on the device

Supply chains present a complex security risk for startups. A series of high profile, very damaging attacks on companies has demonstrated that attackers have both the intent and ability to exploit vulnerabilities in supply chain security. This trend is real and growing.

Putting in place effective supply chain security from the start can save you a lot of time when your supply chains increase in length and complexity. We recommend that you:

Understand the risks. This means being aware of:

• What needs to be protected and why. You need to understand the sensitivity of your contracts and your most critical assets.
• Who your suppliers are and what their security looks like.
• The risks you may be exposed to by being a part of the supply chain that you have identified.

Take informed decisions. This may include: 

• Seeking suppliers whose security offer best matches your requirements.
• Checking that the level of assurance offered by your provider (which may be informal, contractual or independently verified) is appropriate to your risk appetite.
• Considering building diversity and resilience into your supply chain if you identified any over-reliance on one supplier.

As your company grows, you may be able to take greater control of your supply chain security by setting and communicating clear minimum-security requirements for your suppliers.

Remember, you are likely to be a supplier too. Ensure that you enforce and meet your security responsibilities.

To help your company grow safely through increased collaboration, it is worth managing the additional risks collaboration brings. Collaboration increases the number of external routes into your organisation, or to any information or data you may share. You may also have access to other, possibly larger, organisations through your supply chain that an attacker might want to target.

You can help to manage these risks, for instance by:

• Determining early what data is appropriate to share and implementing measures to limit access to just that data.
• You may also be able to design your setup so that your more sensitive systems are independent from those accessible to the wider organisation and any external parties.
• Taking steps to ensure that any third parties are handling any sensitive data appropriately and securely.

When working with international partners, you will also have to consider the implications of different local laws and regulations. Some regimes could compel overseas partners to release data or cooperate with their state.

It is also worth considering that your early choice of third parties - whether investors, customers or suppliers - may impact who is willing to do business with you later. For instance, most potential investors will want to see your capitalisation table: one of the things they are likely to check is that your other investors share similar values and objectives to their own.

Non-disclosure agreements (NDAs)

NDAs and confidentiality agreements allow you to put additional legal protections in place, usually for a defined length of time. As with legal IP protections, NDAs are another tool you can use, but they do not replace good protective security measures.

A good NDA restricts the use of your ideas and information to a specific permitted purpose. You can widen the permitted purpose later, but you cannot restrict it, so specify the purpose in the NDA as precisely as you can. However, it is worth being realistic about how your partners need to use the information for example, allowing confidential disclosures to employees and professional advisors where necessary.

Demonstrating your commitment to security

As you collaborate more, you may find it useful to be able to demonstrate your commitment to cyber security (some government contracts will require Cyber Essentials certification as a minimum). The Cyber Essentials scheme is a first step in doing this. It provides certification - either self-assessed or, in the case of Cyber Essentials Plus, independently verified. Achieving either level shows that you have the technology and policies in place to guard against common cyber threats.

Depending on your sector or customer, there may be a requirement to meet further standards. If this is the case, make sure you understand why a particular standard is needed, and how you can meet future requirements. Security is an ever-evolving field, and you may be required to update your technology and policies to maintain any certification.

Investment security

Investments into your company introduce both opportunities and risks. You may be able to benefit from your investors' experience to improve your business and security practices. However, investment can also be used to gain access to, and influence over, your company.

An early risk assessment of any investments to determine whether there are any security concerns will allow you to be better informed about possible outcomes and have a stronger negotiating position. Conducting due diligence on any proposed investor (including entities of any consortia) is an essential first step. Considerations are likely to include:

• the investors reputation and trustworthiness
• the source of their funds
• whether they have unexpected commercial, political or military ties
• especially for an overseas investor, any implications of the legal regime they are subject to
• whether they are on the entity listing of other countries, particularly those you are, or may consider, doing business with

You may be able to implement mitigation measures or modify the terms of the deal to address risks identified. If so, any mitigations must be maintained for the duration of the commercial relationship and be regularly reviewed to ensure they are, and remain, effective.

You may also wish to consider sources of funding available from the UK public sector. The British Business Bank has information on a range of finance options through its Finance Hub.

Export control

When exporting into new markets, you will need to be aware of the UK Strategic Export Control Lists. These form the basis of determining whether any products, software, or technology (including intangible transfers of critical, technical knowledge) that you intend to export is 'controlled' and therefore requires an export license.

The Control List comprises a wide range of items. Some of these will be fairly obvious, such as guns and ammunition, but others are less so, such as a wide variety of emerging technology dual use items. Dual use items are goods, software or technology which can have both civil and military applications. They can range from raw materials to components to complete systems, e.g. aluminium alloys, bearings, or lasers. They could also be items used in the production or development of military goods or chemical, biological or nuclear weapons, e.g. machine tools, chemical/manufacturing equipment and computers.

The following resources can help you find out more:

• UK Consolidated List of Strategic Military and Dual-Use Items that Require Export Authorisation.
• Checker Tools database
• The Export Control Joint Unit (ECJU) also provide support and advice on whether a particular end user is likely to be of concern or not. You can contact the ECJU on 020 7215 4594 or by email on [email protected].

You should be aware that, at the time of publication, there are arms embargoes in operation against both China and Russia. You should also carefully consider whether you use anything supplied from the US, in which case you may also be subject to United States export control laws, specifically:

• ITAR (US International Traffic in Arms Regulations)
• EAR (Export Administration Regulations)

Travel safely

As you grow, there may be more need for you and your employees to travel internationally. We recommend considering whether planned travel is likely to introduce additional risks and, if so, taking appropriate steps to mitigate them. This could include:

• Ensuring any work travel itineraries are shared through line management chains.
• Protecting any electronic devices taken overseas with encryption, password protection and by using only trusted data networks.
• Removing all non-essential data from devices, including any apps, accounts, contacts, emails and files and clearing web browsing history and using private browsing mode during any trips.
• Knowing what to share, trade, and protect. This means establishing and sharing the business stance on what information is sensitive and what can be shared.
• Giving out business contact details rather than personal details.
• Encouraging the reporting of any security incidents to security leads or line managers.

Additional resources

• The Department for International Trade has offices worldwide that can provide UK businesses with information on trade issues specific to that region or country.
• The UK overseas intellectual property attach network can provide advice on IP matters to those thinking of doing business in South East Asia, China, Brazil and India.
• The UK government has also produced guidance for the tech sector on opportunities with China, the UK's third-largest export market and the world's second largest and fastest-growing major economy.

As your company grows you may begin to employ and give access to people who are less familiar to you. It is vital that you can trust your workforce, both to protect your valuable assets and information and to report potential security incidents. However, you may no longer be able to rely on personal relationships alone to achieve that trust.

Consistency and communication are vital to creating an environment in which people are confident that they can speak openly, that the organisation will improve as a result and that any actions will be reviewed fairly. This means making it easy and routine to report any concerns, handling those concerns sensitively and without apportioning blame, and keeping those involved informed of both the progress and benefits of any resulting actions to reinforce confidence in reporting.

A role-based security risk assessment will help you to keep your security measures proportionate and effective. As a startup, you have already assessed the risks to your business based on the likelihood and consequence of threats to your critical assets. This should provide you with a foundation for assessing which roles have a higher risk exposure, and so require more comprehensive employment checks. For instance, you may introduce travel restrictions and ask staff to report any suspicious approaches, including offers of employment or contracting opportunities.

As above, staff access controls should also be role specific. For instance, those responsible for marketing may not need access to your IP.

The following resources can help you with the ongoing management of employees.

HoMER - Holistic Management of Employee Risk

Insider Risk Assessment guidance (NPSA)

Security Messages for New Joiners

Employment screening

As you recruit more employees it is essential that you screen potential candidates who wish to be part of your business and have access to your critical assets.

Employment screening is the process through which you check whether a potential candidate is suitable for your business. All individuals who are provided access to your assets should be subject to a suitable level of screening, informed by a role-based risk assessment. This includes permanent, temporary and contract workers. It shouldn't be limited to new starters, but also individuals who are moving internally between jobs, as different roles may require different levels of screening.

Security checks which are a part of your employment screening could include:

• confirmation of identity
• nationality and immigration status
• right to work
• employment and education history
• criminal records check
• financial records check
• personal references
• open sources and social media assessment
• national security vetting (for access to government classified material)

NPSAs guidance on Employment screening can help with this.

Security education

Providing ongoing security training for all employees (permanent, temporary, or contracted) will also help to maintain your security culture. Effective education and training help individuals understand what policies, standards and procedures are in place to maintain security. Individuals will need to appreciate:

• the threats faced by your business
• their security responsibilities
• how to report security concerns

One of the times security education and training should be provided is during induction. The role of your leaders is to set an example and reinforce good practice. Bespoke education and training should be provided for job roles with specific security responsibilities such as:

• security managers across business areas
• security officers and guards
• line managers

As your company grows to the extent that you can employ security experts, strong communication will be a key requirement to ensure that the Board continues to appreciate the wider implications of security and how it supports their overall organisational objectives.

Prepare your staff to detect and report suspected phishing. Phishing refers to an attempt to persuade individuals to reveal sensitive information or click on a link that will install malware on their device.

• Educate staff on common attributes of phishing and on your business' normal practices, so that they can spot anomalies.
• Understand what you reveal about your company on its webpage, as this is often used to make phishing messages more convincing.
• Encourage staff to report unusual requests or suspected phishing internally and to the Suspicious Email Reporting Service. Reward people for reporting anything suspicious through prompt positive feedback about the value of their report. This encourages further reporting.
• Report all attacks to the Action Fraud website or, in Scotland, Police Scotland on 101.

The following resources can help you with security training for staff:

• Security Messages for New Joiners.
• The NCSCs free half hour introduction to basic cyber security for staff.
• The NCSCs Board Toolkit and NPSAs Passport to Good Security for Senior Executives set out key themes for security governance best practice and provide prompts for actions you need to take.

A data breach occurs when information held by an organisation is stolen or accessed without authorisation. The damage caused by a breach can be reduced through a well-planned and executed response. The following steps should help:

Incident management

A basic incident management plan should include:

• Contact details for anyone you would need to contact to help you identify an incident. These may include a web hosting provider, IT support services or insurance company.
• Clearly defined responsibilities and an escalation criteria and process for critical decisions. This should ideally include contact details and contingencies in case a key member of staff is unavailable.
• A coordination function to track and document findings and actions. Keeping a good record of the incident is useful both for post-incident reviews or where it is necessary to report the incident - e.g. to regulatory bodies or, in certain cases, to the Information Commissioner's Office.
• Learning lessons from post-incident reviews and using them to update your response plan and wider practices. Particularly consider whether there was any information which would have significantly helped your response, but which was difficult or impossible to obtain.

Exercising

Exercise in a Box is a free online tool provided by the NCSC. It will walk you through running tabletop exercises to test your response to common cyber-attack scenarios. This will help you both to test your response plan and to develop a 'playbook', or detailed response plan, for the first few hours of some common scenarios.

Monitoring

Maintaining an understanding of your IT's behaviour is central to your ability to spot anomalies, which may reveal security incidents. It is also worth monitoring user activity to identify any unauthorised or accidental misuse of systems or data by users. As elsewhere, understanding the risks you are most concerned about will enable you to focus your monitoring to collect information relevant to your needs.

The NCSCs Logging Made Easy is a self-install tutorial to help organisations develop a basic level of IT logging capability using free and open-source software.

The same is true of your staff. The change from a trustworthy employee into someone who feels disgruntled and motivated to damage the organisation can be triggered by a negative workplace experience. It may change an individual's behaviours in terms of the information, systems and sites or assets they access and retrieve.

Collecting, aggregating and analysing behavioural data can help to identify and ideally address undesirable behaviours - it can therefore help to prevent as well as detect an increased insider risk. A supportive response can help to improve your team's relationship with the company, and thereby security. Any behavioural information should be selected and handled sensitively to respect privacy and the staff-company relationship.

The common indicators to look out for include:

• change of working pattern conflicts at work
• decline in performance
• drug or alcohol abuse
• aggressive behaviour
• mood swings
• missed promotions
• debt
• unexplained wealth