Competition to succeed in emerging technology can be intense. This guidance outlines cost-effective measures that you can take from day one to better protect your ideas, reputation and future success.
Good security practices can protect your competitive advantage, making your company more attractive to investors and customers. Laying strong foundations from the start will help your security to be more effective and less costly as your business grows.
Know the Threats
The UK has a strong record in research and development and a vibrant startup ecosystem. This can make innovative UK companies attractive targets for:
- State actors looking to steal your technology
- Competitors seeking commercial advantage
- Criminals looking to profit from companies with weak security
In December 2020, the Netherlands expelled two alleged Russian intelligence officers for espionage against the Dutch high-tech sector. The officers had reportedly built a network of individuals with experience in the Dutch science and technology sector. The technologies in which these officers were reportedly most interested have military as well as civilian applications. The Dutch Interior Minister said that the actions taken by the alleged Russian intelligence officers had “likely caused damage to the organisations where the sources are or were active and thus possibly also to the Dutch economy and national security”.1
Emerging technology companies of all sizes are being targeted by certain states. Companies with weak security are most at risk. Those states may steal your technology to:
- Fast-track their technological capability, undermining your competitive edge
- Target, harm, and repress their own people to prevent dissent or political opposition, damaging your reputation
- Increase their military advantage over other countries, risking our national security
There are many ways a state-backed or hostile actor could try to get hold of your assets:
- Insider – Your people are your greatest asset but, in some cases, they can pose an insider risk
- Cyber – Insecure IT can provide an easy way for your business to be exploited
- Physical – Your assets could be stolen via physical access
- International Travel – State-backed actors can operate more easily overseas than in the UK
- Investment – Investment can be used to gain access to, and influence over, your company
- Overseas jurisdictions – International expansion exposes you to jurisdiction risk from local laws and business practices
- Supply chain – Vulnerable or malicious suppliers could compromise your business
It is not possible to protect everything against every threat, especially for small companies with limited resources. However, security protections can cost less than expected, and will pay long term dividends. Security decisions should be prioritised, and based on a thorough understanding of what is most important to your survival and success.
Security will be more robust where it is based on a combination of information, physical, people and cyber security measures.
In 2020, criminals tried to bribe a Tesla employee to install malware in one of the company’s factories. The malware was designed to exfiltrate data and extort ransom money. The FBI arrested a Russian national for attempting to “recruit an employee of a company to introduce malicious software into the company’s computer network”. The plan was thwarted when the employee reported the incident.
The threat of criminals recruiting an insider to exploit their physical access is not new but is now being used to facilitate cyber-attacks. This incident demonstrates how integrating personnel, physical, and cyber security is essential to protect your start-up.2
Secure Your Environment
In this section
- Identify a security lead at Board level who factors security into business decisions and starts a security dialogue
- Identify which assets, information and data matter most to your business
- Add security to your risk register
When establishing your business, you need to identify clear security leadership. This means appointing a senior leader with the authority and responsibility to ensure that security is factored into business decisions.
One of their key initial tasks is to initiate conversations about security within your company as an important step towards developing a positive security culture in which any security incidents are openly discussed and learnt from. The startup phase is the perfect time to set the tone for your future security culture. An ongoing security dialogue will help develop a common understanding of your business’ most valuable assets, your risk tolerance, and individuals’ security responsibilities.
Your assets are wide-ranging. They will include tangible assets (those that are physical in nature, such as buildings and equipment) and intangible assets (those that are non-physical, including ideas, software, brands, expertise, relationships, and organisational know-how). Identifying the assets that are critical to your business' success should be the starting point in your security planning.
Strong security is central to allowing your business to thrive, so security risks should be assessed and managed alongside any other risks to your business. Your awareness and management of the risks you face will make you more attractive to customers and investors.
Consider the following security risk scenarios:
- Theft or access to your assets, information, or data at your premises, by an employee, visitor or an external party
- Theft or access to your assets, information, or data during travel
- Theft or access to your IT systems, information, or data from a remote location
- IP loss from partnerships
Completing a risk assessment will help you to identify vulnerabilities and the potential impact of exploitation. Put in place mitigations that can help you bring down the risk level to one you find acceptable and establish a process to review these risks.
We also recommend:
- Establishing a security strategy for your business based on an understanding of your key assets, the risks they face and the risks you are willing to tolerate.
- Regularly reviewing security policies and procedures, so that they evolve with the business' exposure to threats.
- Establishing responsibilities for security with any new employees, contractors, or suppliers.
- NPSA’s Passport to Good Security for Senior Executives and NCSC’s Board Toolkit set out key themes for security governance best practice and provide prompts for actions you need to take
- NPSA’s Protective Security Risk Management model highlights the key steps in identifying and protecting your key assets
- NCSC’s Cyber Action Plan provides a free personalised action plan that lists what you or your organisation can do right now to protect against cyber attack, based on your responses to some simple questions
- NCSC’s 10 Steps to Cyber Security includes guidance on Cyber risk management
- NCSC’s Check your cyber security is a free service that performs a range of simple online checks to identify common vulnerabilities in your public-facing IT
In this section
- Centre security measures around your critical assets
- Build security into your IT setup
In 2011, several laptops were stolen from a Scottish renewable manufacturer. Two months previously, the company had been visited by a 60-strong delegation led by a senior Chinese official. A few years later, pictures began emerging which showed a Chinese firm making a product virtually identical to the UK company’s wave-power device.
The UK company is now defunct, whilst the Chinese product remains under development.3
Build in security measures to protect your critical assets from the start.
- Place barriers around the assets you have prioritised for protection. These could be physical barriers, such as an access-controlled room, or virtual barriers such as a firewall.
- Control access to the asset to only those employees who need it and are trusted to use it securely.
- Implement measures to detect unauthorised activity. Early identification of unauthorised or unusual access to an asset will help avoid or limit a security incident.
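The three measures above (a barrier around the asset, access limited to those who need it, and detection of unusual use) can be put into working form for a single critical asset. The following is an added example, not code from the guidance: a deny-by-default allowlist per critical asset, and a detector run over a constructed access log that flags users outside the allowlist, access outside working hours, and bulk downloads. The asset names, users, thresholds and log lines are all made up for illustration.

```python
"""Added example (not from the NPSA/NCSC guidance): a per-asset allowlist and
a detector for unauthorised or unusual access to critical assets.
All asset names, users, thresholds and log lines are constructed."""
from collections import defaultdict
from datetime import datetime, time

# Constructed allowlist: each critical asset -> the users who need it.
# Anything not listed here is denied by default.
ASSET_ACL = {
    "wave-device-cad": {"alice", "bob"},
    "customer-db": {"carol"},
}

# Constructed policy: normal working hours and a bulk-download threshold.
WORK_START, WORK_END = time(8, 0), time(19, 0)
BULK_DOWNLOAD_LIMIT = 3   # downloads per user, per asset, per day before we alert

# Constructed access log: timestamp,user,asset,action
SAMPLE_LOG = """\
2024-05-01T09:12:00,alice,wave-device-cad,read
2024-05-01T23:40:00,bob,wave-device-cad,download
2024-05-02T10:05:00,dave,wave-device-cad,read
2024-05-02T10:06:00,carol,customer-db,read
2024-05-02T14:01:00,alice,wave-device-cad,download
2024-05-02T14:02:00,alice,wave-device-cad,download
2024-05-02T14:03:00,alice,wave-device-cad,download
2024-05-02T14:04:00,alice,wave-device-cad,download
"""


def parse_log(text):
    """Parse CSV-style log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, user, asset, action = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "asset": asset, "action": action})
    return events


def is_authorised(user, asset):
    """Least privilege: deny by default, including for assets not in the ACL."""
    return user in ASSET_ACL.get(asset, set())


def detect(events):
    """Return (kind, user, asset, timestamp) findings, in log order."""
    findings = []
    downloads = defaultdict(int)   # (user, asset, date) -> download count
    for e in events:
        if not is_authorised(e["user"], e["asset"]):
            findings.append(("unauthorised", e["user"], e["asset"], e["ts"]))
            continue
        if not WORK_START <= e["ts"].time() <= WORK_END:
            findings.append(("out-of-hours", e["user"], e["asset"], e["ts"]))
        if e["action"] == "download":
            key = (e["user"], e["asset"], e["ts"].date())
            downloads[key] += 1
            if downloads[key] == BULK_DOWNLOAD_LIMIT + 1:   # alert once per day
                findings.append(("bulk-download", e["user"], e["asset"], e["ts"]))
    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(*finding)
```

Run against the sample log, this reports bob's download at 23:40 as out-of-hours, dave's read as unauthorised (he is not on the allowlist), and alice's fourth download of the day as a bulk download. In a real deployment the allowlist would be enforced at the file share, repository or database rather than checked after the fact, and the detector would read the system's own audit log; the point is that both the control and the detection are defined around the asset you prioritised, not around the whole IT estate.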
In 2017, the WannaCry ransomware attack affected 300,000 computers in 150 countries, encrypting machines and rendering them unusable. WannaCry was distributed by a self-replicating worm, so its spread was rapid, random and untargeted. It exploited vulnerabilities that had been fixed by Microsoft two months previously, meaning that only systems that had not been patched with that update were affected.4
Insecure IT can provide an easy way for your business to be exploited. Ransomware incidents are particularly prevalent and can cause significant financial impact, as well as longer-term reputational damage. The following steps are the minimum cyber security measures any organisation should consider to reduce the likelihood of your systems being compromised and to reduce the impact of a breach, should one occur.
- Take regular backups of critical data
Take regular, ideally automated, backups of critical data and keep them physically and logically separate from the main system. A backup that stays connected and writable from the main network can be encrypted or deleted by the same ransomware or intruder that hits the live system, so keep at least one copy offline or otherwise unreachable from everyday accounts, and test that you can actually restore from it. This will allow your business to keep functioning after physical damage, theft or a ransomware attack.
- Switch on your firewalls and antivirus
Most popular operating systems now include a firewall, so it may simply be a case of switching this on. Similarly, antivirus software is often included for free, and should be used on all computers and laptops. Most modern smartphones and tablets don't need antivirus software, provided you only install apps and software from official stores such as Google Play and Apple's App Store.
- Use passwords to protect devices and accounts
Switch on password protection or choose another method to 'lock' your devices (such as a fingerprint, PIN, screen-pattern or face recognition). If your devices come with default passwords, change these before they are distributed to staff.
- Use multi-factor authentication (MFA) - also known as two-step verification (2SV) or two-factor authentication (2FA) - for ‘important’ accounts (e.g. email or banking). This uses two methods to ‘prove’ your identity, usually a password and something else, such as a code sent to your phone.
- Try to avoid using predictable passwords (such as dates, or family and pet names), and don't use the most common passwords that criminals can easily guess. To create a memorable password that's hard for someone else to guess, you can combine three random words.
- Help staff to remember passwords, for instance by only requiring them to be changed when you suspect that they have been compromised. Provide staff with secure storage (away from the device) where they can record important passwords. It is safe to let your browser save your passwords.
- Keep devices and software up to date
Keep all IT equipment up to date by ensuring that the software and firmware is updated (‘patched’) with the latest updates from providers. These updates will not only add new features, but they will also patch any security holes that have been discovered. Make sure staff know when updates are ready, how to install them, and that it is important to do so straight away.
Wherever there is an option to do so, set systems to automatically update. Once a product reaches the end of its supported life and these updates are no longer available, consider replacing with a more recent alternative.
- Think about how you connect to the internet
Consider the risks of connecting devices to unknown public Wi-Fi hotspots. The hotspot operator (who may not be who you think it is) can see which services you connect to and, where a connection is not encrypted, read what you send, including login details. Instead, use your mobile network, which encrypts traffic between your device and the network, preferably in conjunction with a virtual private network (VPN).
- If you need to routinely access the internet over untrusted infrastructure, you should consider using a VPN. VPN capability can be provided either as a service or managed by your organisation. Take care to understand what you are paying for and how your connection to the internet is made.
- If you are using an internet connection provided as part of shared office space, how confident are you in both the provider and any other parties using the connection? Identify the boundary of networks that you control and can trust. If necessary, seek advice to implement appropriate and proportionate security measures.
- Enable tools to track, lock, or wipe lost or stolen mobile devices
Your employees are more likely to have their tablets or phones stolen (or lose them) when they are away from the office or home. Fortunately, most devices include free web-based tools that are invaluable should you lose a work device. You can use them to:
- track the location of a device
- remotely lock access to the device (to prevent anyone else using it)
- remotely erase the data stored on the device
- retrieve a backup of data stored on the device
Secure Your Products
In this section
- Build security into your products from the beginning
- Identify and actively manage your IP
Technology startups should use the NCSC’s Secure by Default principles when designing software and systems, so that security problems are addressed at their root cause rather than by treating symptoms. No product is entirely free of vulnerabilities, so the aim is to minimise their number and severity and to be able to fix and ship corrections quickly when one is found. The NCSC also provides guidance on secure development and deployment that will be useful to those producing software and systems.
Intellectual Asset (IA) and Intellectual Property (IP) management strategies are essential for any business and should be integral to your business plans. Understanding what assets you have and what you want to do with them will help determine what actions are required.
Formal registration of IP may be the best option; alternatively, you may decide to treat your innovation as a trade secret and manage IA and IP through contracts.
Whatever you decide to do, you will need to understand:
- What you need to protect
- How you need to protect it
- The in-country laws for the countries in which you are operating
You must then actively manage your IA and IP portfolio. Having the right legal protections for your IP in place does not mean it is no longer at risk. You should continuously track and review who has access to your most sensitive information and how you ensure it remains secret. Ensure your staff understand this process and are taking an active role in IA and IP management. Add IP clauses into employee contracts to help manage the risk to your IA and IP from current and former employees.
The best security decisions are taken holistically – considering people, information, physical and cyber risks together.
Secure Your Partnerships
In this section:
- Manage collaboration risk
- Consider security in your investment strategy
- Build security into your supply chain
Partnerships are essential to the success of your business. However, partnerships increase the number of external routes into your organisation, or to any information or data you may share. To help your company grow safely, manage the additional risks that collaboration brings.
WHY are you collaborating?
The first thing to do is define the purpose of any collaboration.
- What are the outcomes you need from the collaboration?
- What are the benefits of collaborating on this project?
- What are the risks and red lines?
WHO are you working with?
Conducting due diligence on prospective partners is an essential step to assessing the risks of working with them.
- Independence and integrity
  - Are there organisational structures or relationships which could compromise their independence or integrity?
  - Do they have links to foreign militaries, police, or security services?
  - Are they a politically exposed person (PEP), or closely associated with one?
- Values and intentions
  - Do they operate under a legal regime which could compel them to share your data or cooperate with the state?
  - Is there any publicly available information which raises concerns about their intentions or values?
  - Do they appear on the UK sanctions list?
  - Are they on sanctions or entity lists for any other countries, particularly those where you may consider doing business in future?
  - Is there any information which suggests a lack of transparency from the partner?
  - Could partnering with them affect future investors, your global business and long-term intentions?
  - Does their approach to managing data or security breaches or incidents align with your own?
  - Do you know the source of funds for any proposed transaction, whether direct or indirect?
WHAT are you sharing?
You can manage the risks associated with business collaborations by:
- Determining early what data is appropriate to share and implementing measures to limit access to just that data.
- Designing your setup so that your more sensitive systems are independent from those accessible to the wider organisation and any external parties.
- Taking steps to ensure that any third parties are handling any sensitive data appropriately and securely.
- Considering how you will get your data and IP back at the end of the collaboration.
When working with international partners, you will also have to consider the implications of different local laws and regulations. Some regimes could compel overseas partners to release data or cooperate with state organisations.
HOW are you protecting your innovation?
Include protections for your assets and data within contracts.
Non-disclosure agreements (NDAs) and confidentiality agreements allow you to put additional legal protections in place, usually for a defined length of time. A good NDA restricts the use of your ideas and information to a specific permitted purpose. You can widen the permitted purpose later, but you cannot restrict it, so specify the purpose in the NDA as precisely as you can. However, it is worth being realistic about how your partners need to use the information – for example, allowing confidential disclosures to employees and professional advisors where necessary.
As with legal IP protections, NDAs are another tool you can use, but they do not replace good protective security measures. They can be a useful deterrent and fall-back after an incident has occurred, but are unlikely to prevent intentionally hostile actors.
Include security requirements within contracts, legal investment documentation, or collaboration agreements. Check that these requirements are understood and being adhered to.
Smiths (Harlow) Limited, a UK precision engineering company, agreed an £8m deal with China’s Future Aerospace in October 2017. On receipt of the first £3m, the company shared sensitive details and committed to train Future Aerospace’s engineers.
According to press reports in January 2020, Future Aerospace subsequently cited difficulties in approval processes within China and withdrew from the deal without paying the rest of the agreed amount.
Smiths (Harlow) Limited’s competitive advantage and intellectual property may have already been compromised. Their links to China also reportedly cost them their licence to make military equipment for western powers. The company was left facing administration in February 2020, citing Future Aerospace’s alleged theft of their IP and reneging on the deal as the cause.5
Investments into your company introduce both opportunities and risks. You may be able to benefit from your investors’ experience to improve your business and security practices. However, investment can also be used to gain access to, and influence over, your company.
An early risk assessment of any investments to determine whether there are any security concerns will allow you to be better informed about possible outcomes and have a stronger negotiating position.
The National Security and Investment Act 2021 (NSI Act)
The NSI Act gives businesses and investors the certainty and transparency they need to do business in the UK while protecting the UK's national security. It provides the Government with powers to screen investments to assess and address any national security risks.
Investors and businesses must notify and receive clearance from the UK Government before making qualifying acquisitions relating to 17 defined areas of the economy. The UK Government can request to review any qualifying acquisition that may pose a national security risk.
Further information on the NSI Act is available at GOV.UK.
Taking a security-minded approach from the start will enable you to make well-informed investment decisions.
- Conduct due diligence on prospective investors
- Be strategic when considering how much data or proprietary information you share with potential investors, both before and after any investment – what could you lose if an investor reneges on a deal?
- Agree and implement mitigations prior to any in-depth engagement:
  - Have you included provisions in your legal investment documentation to protect key operations, information, and data?
  - Have you considered how effective a legal or contractual agreement would be if you were relying on enforcement in an overseas jurisdiction?
  - Have you implemented a governance and reporting structure which ensures the risk management strategy remains effective over time?
- Consider sources of funding available from the UK public sector
Supply Chain Security
In 2021 the NCSC and US allies revealed that Russia's Foreign Intelligence Service was responsible for a series of cyber intrusions, including the compromise of global software supplier SolarWinds.
A US cyber security firm, FireEye, found that the attacker had inserted a backdoor into legitimate SolarWinds Orion software updates, which allowed them to send administrator-level commands to any affected installation. Because the compromise arrived through the supplier’s own trusted update channel, customers who kept Orion patched were the ones exposed.6
Understand the risk
Your supply chain exposes you to potentially damaging security threats. Supply chain attacks can result in the compromise of entire organisations and pose a potentially terminal risk to businesses. Carefully consider your decision to outsource where it may provide another organisation with access to your critical assets. Consider how to reduce unnecessary or high-risk sharing of sensitive data or access to sensitive systems.
Assess the impact on your business if your supplier is compromised. Use this assessment to determine appropriate security measures to include within the contract.
- NPSA's Protected Procurement provides guidance on embedding security across every stage of your supply chain
- The Protected Procurement Scenarios Booklet gives examples of supply chain risks and how they can be mitigated
- NCSC’s Supply chain security guidance gives 12 principles to help establish effective control and oversight of your supply chain
- NCSC’s guidance on How to assess and gain confidence in your supply chain cyber security describes practical steps to help organisations better assess cyber security in their supply chains
- NCSC’s guidance on Mapping your supply chain helps organisations map their supply chain dependencies
Use secure suppliers
Conduct independent due diligence on suppliers as well as seeking security assurances from them. You can then make an assessment of how trustworthy and vulnerable to compromise a prospective supplier is.
Consider building diversity and resilience into your supply chain if you identify overreliance on any one supplier.
Where possible, use security clauses within your contracts to hold suppliers accountable for their security responsibilities. Including security at the initial stage of any contract will save you money later.
As your company grows, you can take more control of your supply chain security by demanding greater security assurances from your suppliers.
- The Protected Procurement Due Diligence checklist provides example due diligence questions for suppliers
- The Protected Procurement Supplier Assurance Questions provides a template for the level of security you should expect from suppliers
- The Protected Procurement Contracts checklist provides guidance on developing security clauses within your contracts
- Safeguarding Supply provides considerations on how to embed greater resilience into supply chains
Demonstrate your commitment to security
As you collaborate more, you may benefit by demonstrating your commitment to security. By delivering security as part of your service, you could give your business a competitive edge.
Depending on your sector or customer, there may be a requirement to meet further standards. If so, make sure you understand why a particular standard is needed and how you can meet future requirements. Security is an ever-evolving field, so maintaining a certification will require ongoing effort as its requirements change, and you may need to update your technology and policies to keep it. Any request from a customer that you hold a particular certification should itself be considered and proportionate to the risk.
- NPSA's Protected Procurement Guidance for Suppliers provides guidance on delivering security as part of your service
- NCSC’s Cyber Essentials scheme provides certification – either self-assessed or, in the case of Cyber Essentials Plus, independently verified – that you have the technology and policies in place to guard against common cyber threats. Some contracts will require Cyber Essentials certification as a minimum. The Cyber Essentials readiness toolkit creates a personal action plan to help you move towards meeting the Cyber Essentials requirements
Security considerations when using cloud services
Cloud service providers can supply highly scalable and rapidly deployed services without you having to invest in the requisite hardware. By handing over parts of your IT to a service provider, you will benefit from specialist expertise (including in security) that a small organisation may struggle to justify in terms of cost. When doing so, check that the provider’s security measures apply to all its customers by default, including smaller customers on lower service tiers, rather than only to those paying for premium features, and understand which security responsibilities remain yours (typically account configuration, access control and MFA).
Cloud services differ in how they prioritise the various attributes of cloud security, so understanding which is important to you will help you to select an appropriate provider. For instance, are you more concerned about protecting the confidentiality of your data, or having a service with high resilience and availability?
It is also important to be clear on where your data is held and under which legal jurisdiction it falls. UK GDPR requires that personal data is only transferred outside the UK where the receiving territory ensures an adequate level of protection (the European Economic Area and the countries covered by UK ‘adequacy regulations’), or where appropriate safeguards are in place, such as the ICO’s International Data Transfer Agreement. Check where a cloud provider’s data centres and support staff are located before placing personal data with them.
- NCSC's whitepaper on the Security benefits of a good cloud service explains how to maximise security and business benefits from your cloud provider
- NCSC’s Cloud security principles help you choose a cloud provider that meets your security needs
- NCSC’s New cloud security guidance: it's all about the config explains why ensuring a robust cloud configuration is a critical investment
- The Information Commissioner’s Office provides advice on International transfers and details of the countries covered by ‘adequacy regulations’
Secure Your Growth
Expand safely to new markets
In this section
- Implement security procedures for international travel
- Comply with export controls
- Understand how local laws could increase the risk to your business
In March 2017, a GE Aviation employee was solicited to give a report and travel to China to present their report at a university. Whilst in China, they were introduced to a Ministry of State Security (MSS) officer, who paid the employee’s travel expenses and a stipend. The following year, the officer arranged a meeting with the employee during a business trip to Europe and asked them to send a copy of the file directory from their company-issued computer. The MSS officer was arrested in Belgium at the arranged meet, and extradited to the US where they were charged with conspiring and attempting to commit economic espionage and theft of trade secrets.7
As you grow, there may be more need for you and your employees to travel internationally. We recommend considering whether planned travel is likely to introduce additional risks and, if so, taking appropriate steps to mitigate them.
When expanding into new markets, you will need to be aware of UK export controls. Certain products, software, or technology (including the intangible transfer of critical technical knowledge, for example by email, shared repository or training) are ‘controlled’ and therefore require an export licence.
The UK maintains a single consolidated list of sensitive items that require export authorisation. These include both military and dual-use items. Dual-use items can be used for both civilian and military applications. The government has additional powers to require an export licence on items and technology, even if they are not on the consolidated control list.
It is the exporter’s responsibility to check whether items require an export licence.
- Check whether the item you want to export appears on the consolidated list of strategic military and dual-use items that require export authorisation
- Use the OGEL and Goods Checker Tools
  - The Goods Checker to check whether the items you want to export are regulated by export controls
  - The Open General Export Licences (OGEL) Checker to determine if an Open Licence is available for your scenario
  - Where an OGEL is not available, and your goods, technology, or knowledge is controlled, you will need to apply for a Standard Licence in SPIRE – Export Licensing System
- Do background checks on the end users to check whether you need an export licence
  - Is their home country listed as an embargoed destination on the list of end-use controls applying to military related items?
  - Do they have links to military or defence organisations?
  - Does their home country have active policies on using advanced and emerging technology to support the development of their military?
  - Have they been involved in civil or criminal proceedings?
  - Is their home country subject to any sanctions?
- UK strategic export controls guidance provides details on the UK’s regulatory framework for export controls and the circumstances where you might need an export licence
- GOV.UK list of countries subject to arms embargo, trade sanctions, and other trade restrictions
- You should also carefully consider whether you use anything supplied from the US, in which case you may also be subject to United States export control laws, specifically:
In 2004, China launched several tenders to make 200 high-speed trains. Each tender stipulated that foreign companies had to collaborate with a domestic partner and transfer key technologies to China, and the final products had to be marketed under a Chinese state-owned enterprise’s brand. Bombardier, Kawasaki, Siemens, and Alstom each formed joint ventures (JVs) with one of two Chinese state-owned enterprises.
Within three years, Chinese firms allegedly started producing high-speed trains based on the foreign technology. The Chinese firms allegedly violated licensing agreements in which they committed to only use the technology domestically. Chinese firms are now selling their technologies back into foreign markets in competition with the companies from which they allegedly stole the technology.8
It is important to understand the local laws in the countries where you plan to operate. Beyond export controls, countries differ in their laws on the handling and storage of IP and data, which may include requirements to install particular hardware or to configure systems so that the government can access data remotely.
Understanding local laws will ensure that you are legally compliant, and that you understand the additional security risks involved in expansion into new markets.
- The GOV.UK collection on Overseas Business Risk provides information for UK businesses on political, economic, and security risks when trading overseas
- The Department for Business and Trade has offices worldwide that can provide UK businesses with information on trade issues specific to that region or country
- The UK government has also produced guidance for the tech sector on opportunities with China, the UK’s third-largest export market and the world’s second largest and fastest-growing major economy
Different countries have different export control laws. When entering new markets, or working with international partners, check whether your technology is subject to local export controls.
- United States export control lists:
- China-Britain Business Council’s (CBBC) article What does China's new Export Control Law mean for your business?
Most IP rights are territorial – that is, they only give protection in the countries in which they have been granted or registered. IP legal frameworks can also differ by country.
If you are thinking about trading internationally, you should take time to familiarise yourself with the IP framework and enforcement processes in overseas markets. Register your IP rights in advance of entering the market, and ensure you are resourced strategically such that you can defend those rights if required.
National Security laws
National security laws in foreign countries can allow that country’s government to access data or information stored in, or transmitted via, that country.
China’s National Intelligence Law, passed in June 2017, allows Chinese intelligence agencies to compel individuals and organisations to support and cooperate with state intelligence work. Intelligence work could capture any information to protect a national interest – be that military, political, economic, social, technological, cultural or others. The law does not allow individuals or organisations to refuse to provide access, information, or support if requested.
Russia has an extensive lawful intercept capability, known as the System of Operative Search Measures (SORM). SORM allows Russia’s Federal Security Service (FSB) to covertly monitor communications to, within, and out of Russia. The FSB can also compel individuals and organisations to share data stored in Russia with them and could prevent the data holder from disclosing this to the data owner. All communication service providers operating in Russia are obliged to install equipment to enable the FSB to monitor communications.
Data Protection laws
The General Data Protection Regulation (GDPR) is a Regulation in EU law. The Data Protection Act 2018 is the UK’s implementation of the GDPR. UK GDPR contains rules about transfers of personal data to receivers located outside the UK.
Alongside compliance with GDPR, you will also need to ensure compliance with data laws in the countries in which you are operating.
- The Information Commissioner’s Office’s guide to international transfers
- CBBC’s article How will China's new data protection laws affect your business?
Security for a growing team
In this section
- Implement a pre-employment screening process
- Maintain a positive security culture
- Deliver effective security education for your employees
- Provide additional support to staff in higher risk roles
In 2011, a Chinese wind turbine maker was convicted of stealing trade secrets from a US semiconductor company, causing the company to lose more than $1 billion in shareholder equity and almost 700 jobs. The Chinese company recruited an employee of the US company to secretly copy information, including the source code for its wind turbine control system. In court, the employee's lawyer said his client's actions stemmed from "frustration" about a failed marriage, which had been strained by his trips abroad for work, followed by a demotion to the customer service department, resulting in the employee feeling undervalued.9
As your company grows, you may no longer be able to rely primarily on personal relationships to ensure trust. It is vital that you can trust your workforce to protect your valuable assets and information, and to report potential security incidents.
As you recruit more employees it is essential that you screen potential candidates who wish to be part of your business and have access to your critical assets. All individuals who are provided access to your assets should be subject to a suitable level of screening, informed by a role-based risk assessment. This includes permanent, temporary and contract workers. Screening shouldn’t be limited to new starters; it should also cover individuals who are moving internally between jobs, as different roles may require different levels of screening.
Security checks which are part of your employment screening could include:
- Confirmation of identity
- Nationality and immigration status
- Right to work
- Employment and education history
- Criminal records check
- Financial records check
- Personal references
- Open sources and social media assessment
- National security vetting (for access to government classified material)
Maintain a positive security culture
Security culture refers to the set of values, shared by everyone in an organisation, that determine how people are expected to think about and approach security.
Consistency and communication are vital to creating an environment in which people are confident that they can speak openly about security concerns, that the organisation will improve as a result, and that any actions will be reviewed fairly. This means making it easy and routine to report any concerns, handling those concerns sensitively and without apportioning blame, and keeping those involved informed of both the progress and benefits of any resulting actions to reinforce confidence in reporting.
Providing security training for all employees (permanent, temporary, or contracted) will help to maintain your security culture. Effective education and training help individuals understand what policies, standards and procedures are in place to maintain security. Individuals will need to appreciate:
- The threats faced by your business
- Their security responsibilities
- How to report security concerns
One of the times security education and training should be provided is during induction. Narratives provided at this point will help employees understand the security risks. The role of your leaders is to set an example and reinforce good practice. Bespoke education and training should be provided for job roles with specific security responsibilities such as:
- Security managers across business areas
- Security officers and guards
- Line managers
- IT professionals and developers
As your company grows to the extent that you can employ security experts, strong communication will be a key requirement to ensure that the Board continues to appreciate the wider implications of security and how it supports their overall organisational objectives.
Prepare your staff to detect and report suspected phishing. Phishing refers to an attempt to persuade individuals to reveal sensitive information or click on a link that will install malware on their device.
Educate staff on common attributes of phishing and on your business’ normal practices, so that they can spot anomalies.
Understand what you reveal about your company on its website, as this is often used to make phishing messages more convincing.
Encourage staff to report unusual requests or suspected phishing internally and to the Suspicious Email Reporting Service. Reward people for reporting anything suspicious through prompt positive feedback about the value of their report. This encourages further reporting.
Phishing simulations should be used with caution (if they are used at all). Punishing or shaming staff for ‘falling for’ a phish can be counterproductive - and people can feel ashamed even when that is not the intent. Training should instead build staff's confidence to report anything they're not sure about. The NCSC recommends a multi-layered approach to defending your organisation from phishing.
If you think you may have been a victim of fraud or cyber crime, and live in England, Wales or Northern Ireland, you should report this to Action Fraud at www.actionfraud.police.uk/ or by calling 0300 123 2040. If you live in Scotland, you should report to Police Scotland by calling 101.
Provide additional support to higher risk roles
Role-based security risk assessments help you to keep your security measures proportionate and effective. You have already assessed the risks to your business and critical assets. This should provide you with a foundation for assessing which roles have a higher risk exposure, and so require more comprehensive security training and support. For instance, you may ask staff to report any suspicious approaches, including offers of employment or contracting opportunities.
Staff access controls should also be role specific. For instance, those responsible for marketing may not need access to sensitive datasets or trade secrets.
Prepare for security incidents
In this section
- Establish and test an Incident Management plan
- Monitor your IT and staff to detect and explore unexpected behaviour
Security incidents will happen, and you may be impacted even if you were not the direct target. The damage caused by a security breach can be reduced through a well-planned and executed response.
A basic incident management plan should include:
- Contact details for anyone you would need to contact to help you identify an incident. These may include a web hosting provider, IT support services or insurance company.
- Clearly defined responsibilities, escalation criteria and a process for critical decisions. This should ideally include contact details and contingencies in case a key member of staff is unavailable.
- A coordination function to track and document findings and actions. Keeping a good record of the incident is useful both for post-incident reviews and where it is necessary to report the incident - e.g. to regulatory bodies or, in certain cases, to the Information Commissioner’s Office.
- Learning lessons from post-incident reviews and using them to update your response plan and wider practices. Particularly consider whether there was any information which would have significantly helped your response, but which was difficult or impossible to obtain.
We encourage all organisations to sign up to NCSC’s Early Warning service to receive incident notifications, network abuse events and vulnerability alerts.
- NCSC's Small Business Guide: Response & Recovery provides guidance on how to prepare your response to and recovery from a cyber incident
- NCSC’s incident management collection provides guidance on how to effectively detect, respond to and resolve cyber incidents
- Exercise in a Box is a free online tool provided by the NCSC. It will walk you through running tabletop exercises to test your response to common cyber attack scenarios. This will help you both to test your response plan and to develop a ‘playbook’, or detailed response plan, for the first few hours of some common scenarios
Maintaining an understanding of your IT’s behaviour is central to your ability to spot anomalies, which may reveal security incidents. It is also worth monitoring user activity to identify any unauthorised or accidental misuse of systems or data by users. As elsewhere, understanding the risks you are most concerned about will enable you to focus your monitoring to collect information relevant to your needs.
The same is true of your staff. The change from a trustworthy employee into someone who feels disgruntled and motivated to damage the organisation can be triggered by a negative workplace experience. It may change an individual’s behaviours in terms of the information, systems and sites or assets they access and retrieve.
Collecting, aggregating and analysing behavioural data can help to identify and ideally address undesirable behaviours - it can therefore help to prevent as well as detect an increased insider risk. A supportive response can help to improve the employee’s relationship with the company, and thereby security. Any behavioural information should be selected and handled sensitively to respect privacy and the staff-company relationship.
The common indicators to look out for include:
- Change of working pattern
- Conflicts at work
- Decline in performance
- Drug or alcohol abuse
- Aggressive behaviour
- Mood swings
- Missed promotions
- Unexplained wealth
An employee of a US agrochemical and biotechnology company maintained contact with officials within the Chinese Communist Party about potential jobs for two years. The employee travelled to China for job interviews and to discuss his knowledge and skills. In doing so, he implied that he could duplicate his employer's intellectual property.
After resigning from his job, the employee copied and downloaded the company's IP to a memory card and bought a one-way plane ticket to China. Before he could board his flight, the employee was intercepted by law enforcement officials who seized copies of the stolen IP.
Strong security monitoring could have flagged this employee's actions. This includes being aware of employee travel, IT behaviours, and physical accesses and actions such as use of memory cards or excessive printing. This example also highlights the mutually reinforcing nature of the various components of protective security.10
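The monitoring described above can be illustrated with a small rule-based correlation over audit events. This is an added example, not code from the guidance or from any NPSA/NCSC tool: it assumes a hypothetical endpoint agent and HR feed that emit one event per line as "timestamp user event key=value ...", and the sample lines, thresholds and working-hours window are all constructed for illustration. It flags bulk copies to removable media and unusually large print jobs, notes when these happen outside working hours, and raises the severity when they follow a resignation notice, which is the combination of IT behaviour, physical action and HR context that the case study says could have been spotted.

```python
"""Rule-based insider-risk correlation over constructed audit events.

Added example (not part of the original guidance). The event format,
the agent/HR feed producing it, the thresholds and the sample data are
all assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "ISO-timestamp user event key=value ..."
SAMPLE_LOG = """\
2024-03-01T09:00:00 alice hr.notice_given last_day=2024-03-29
2024-03-02T18:40:00 alice usb.mount vid=0781 pid=5583
2024-03-02T18:41:10 alice file.copy path=/srv/rd/controller_src.tar bytes=734003200 dest=removable
2024-03-02T18:55:00 alice print.job pages=420 doc=design_notes.pdf
2024-03-03T10:05:00 bob file.copy path=/srv/shared/slides.pptx bytes=5242880 dest=local
2024-03-03T11:00:00 bob print.job pages=12 doc=agenda.pdf
2024-03-04T02:10:00 carol file.copy path=/srv/rd/dataset.csv bytes=1073741824 dest=removable
"""

# Thresholds are assumptions for illustration; derive real values from your own baseline.
BULK_COPY_BYTES = 500 * 1024 * 1024   # copies to removable media at or above 500 MiB
EXCESSIVE_PAGES = 200                  # single print jobs at or above this many pages
WORK_START, WORK_END = 7, 19           # local working hours [07:00, 19:00)
NOTICE_WINDOW = timedelta(days=60)     # period after a resignation notice to watch closely


def parse_events(text):
    """Parse log lines into dicts; lines without timestamp/user/event are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, user, kind = parts[:3]
        detail = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "kind": kind, **detail})
    return events


def assess(events):
    """Return {user: {"severity": ..., "reasons": [...]}} for users matching an indicator."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        # HR context: when (if ever) this person gave notice
        notice = next((e["ts"] for e in evs if e["kind"] == "hr.notice_given"), None)
        reasons, in_notice_window = [], False
        for e in evs:
            hit = None
            if (e["kind"] == "file.copy" and e.get("dest") == "removable"
                    and int(e.get("bytes", 0)) >= BULK_COPY_BYTES):
                hit = f"bulk copy to removable media ({e.get('path')})"
            elif e["kind"] == "print.job" and int(e.get("pages", 0)) >= EXCESSIVE_PAGES:
                hit = f"excessive print job ({e.get('pages')} pages)"
            if hit is None:
                continue
            if not (WORK_START <= e["ts"].hour < WORK_END):
                hit += ", outside working hours"
            if notice is not None and notice <= e["ts"] <= notice + NOTICE_WINDOW:
                in_notice_window = True
            reasons.append(hit)
        if reasons:
            # Indicators that follow a resignation notice are escalated for a sensitive,
            # human-led follow-up rather than automatic action.
            findings[user] = {"severity": "high" if in_notice_window else "medium",
                              "reasons": reasons}
    return findings


if __name__ == "__main__":
    for user, finding in assess(parse_events(SAMPLE_LOG)).items():
        print(f"{user}: {finding['severity']}")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

Running the block reports alice as high severity (bulk copy and a 420-page print job shortly after giving notice) and carol as medium (a bulk copy to removable media at 02:10), while bob's ordinary activity produces nothing. The output is a prompt for a proportionate, supportive conversation, in line with the guidance above on handling behavioural information sensitively, not evidence of wrongdoing on its own.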
Secure Innovation Principles
1. Know the Threats
Innovative UK companies, particularly those with weak security, are targets for state actors, competitors, and criminals looking to steal your technology for their benefit. Protect your innovation, your people, and your reputation.
2. Secure your Environment
Effective protective security requires management of the security risks a business faces. Appoint a board-level security lead who factors security into business decisions and initiates a security dialogue within the business. Identify what matters most to your business. Assess security risks alongside other risks to your business. Centre security measures around your critical assets.
3. Secure your Products
Build security into your products from the start. Ensure you are actively protecting and managing your intellectual property and assets.
4. Secure your Partnerships
Build secure partnerships with investors, suppliers, and collaborators. Think about who you are working with, what you are sharing, and how you protect your innovation.
5. Secure your Growth
Expand safely into new markets by considering the UK and local laws and regulations which you need to comply with, and how they could affect your business. As your team grows, foster a positive security culture and use pre-employment screening, security training, and role-specific security support to build a trusted workforce. The damage caused by a security breach can be reduced through a well-planned and executed response.