- Part 1: Security from the start
- What is the risk?
- Lead by example
- Protect your organisation's most valuable assets
- Build security into your environment
- Secure your supply chains
- Security considerations when using cloud services
- Part 2: Security as you grow
- Collaborate with security in mind
- Expand safely to new markets
- Trust your talent
- Prepare for security incidents
- Footnotes
Competition to succeed in emerging technology can be intense. This guidance is for founders or CEOs of innovative startups, and will help you to protect:
- your technology so it remains within your control
- your competitive advantage, including your intellectual assets and sensitive business data
- your reputation
Part one of this guidance contains cost-effective measures to take from the start, including advice on ways to:
- ensure security is factored into all business decisions
- identify the assets most critical to your success and consider the risks they face
- protect those key assets with proportionate cyber, physical and people security measures
The measures outlined in part two are for when your company begins to grow, and build upon those covered earlier. They include advice on how to:
- support and protect a growing team
- take a security-minded approach to increased collaboration, investment and expansion
Part 1: Security from the start
For startups with limited resources, spending time and money on security may seem like an unnecessary and costly distraction. However, good security can protect your competitive advantage, and make your company more attractive to investors and customers.
Security is an investment. It will evolve as your company grows into a thriving business. Laying strong foundations from the start will help your current and future security measures to be more effective and, ultimately, less resource intensive.
The security decisions your company makes today will determine which side of the innovation divide you land on. Security investment protects overall innovation investment and the resultant return on investment.
Research report: Innovating at speed and scale with implicit security (PDF), Accenture.com [1]
What is the risk?
Startup companies face the same threats that many organisations do, from both cyber-crime and competitors seeking commercial advantage.
The UK has a strong record in research and development and a vibrant startup ecosystem. Consequently, UK companies working in emerging technologies are likely to be a particularly attractive target to a wider range of threats. This includes those backed by a foreign state.
A government study of UK businesses in late 2019 found that almost half (46%) reported experiencing a cyber security breach or attack in the previous 12 months. Although larger businesses were more likely to have identified a breach or attack than smaller ones, the survey found that a greater than average number of businesses with a scientific, technical or professional focus (59%) had experienced a breach or attack.
Cyber Security Breaches Survey 2020, Department for Digital, Culture, Media & Sport [2]
Although international collaboration can be enormously beneficial when developing cutting-edge technology, it also heightens the security risks for companies working on them. Some foreign states may seek technological advancement for reasons that are at odds with UK interests and values, such as:
- to develop a research and innovation base to increase military and technological advantage over other countries
- to deploy their technological and military advantages against their own population to prevent internal dissent or political opposition
In December 2020 the Netherlands expelled two alleged Russian intelligence officers for espionage against the Dutch high-tech sector. The officers had reportedly built a network of individuals with experience in the Dutch science and technology sector. The technologies in which these officers were reportedly most interested have military as well as civilian applications. The Dutch Interior Minister said that the actions taken by the alleged Russian intelligence officers had likely caused damage to the organisations where the sources are or were active and thus possibly also to the Dutch economy and national security. [3]
This guidance will help you consider what is most valuable to you, and to put in place measures that will prepare you to protect that value, both now and in the future. Doing so should protect your innovative ideas and make you more attractive to customers and investors. It will also help you to comply with local data protection laws, such as the General Data Protection Regulation (GDPR).
Lead by example
In this section
- Develop a positive security culture through ongoing dialogue.
- Lead from the top by identifying a security lead at Board level.
The startup phase is the perfect time to set the tone for your future security culture.
People are at the heart of good security, so having ongoing conversations about security with your team, however small, is vital to developing a positive security culture in which your team helps to protect your company. These conversations will increase the efficacy of any security policies you develop by ensuring they are based on an understanding of how people work. This, together with championing security from the top, should help to shape a culture in which security incidents are openly discussed.
This is also a great time to establish enduring security roles and responsibilities. When establishing your business, you need clear security leadership. This means identifying someone at Board level with the authority and responsibility to ensure that security is factored into business decisions.
We also recommend:
- establishing a security strategy for your business based on an understanding of your key assets, the risks they face and the risks you are willing to tolerate (protect your value)
- regularly reviewing security policies and procedures, so that they evolve with the business's exposure to threats
- establishing responsibilities for security with any new employees, contractors, or suppliers
Protect your organisation's most valuable assets
In this section
- Identify your most valuable assets, which are critical to the existence and success of your business.
- Assess security risks and mitigations in conjunction with other risks to your business.
- Apply for the appropriate IP protections for the jurisdictions in which you wish to operate.
Your assets are wide-ranging. They will include easily identifiable assets (such as your staff, premises, products and services), but also intangible assets such as the information, intellectual property, and knowledge you hold. Identifying those assets which are critical to your startup's success should be the starting point in your security planning.
Good security will enable your business to thrive and make you more attractive to customers and investors. Security risks should therefore be assessed and managed alongside any other risks to your business. Understanding the following will help you to determine which risks to prioritise:
- your organisation's goals and priorities
- your most critical assets
- the threats to those critical assets
- the likelihood and consequence of a threat affecting you
Completing a risk assessment will help you to identify vulnerabilities and the potential impact of exploitation. Put in place mitigations that can help you bring down the risk level to one you find acceptable and establish a process to review these risks.
Intellectual property
How you plan, manage and protect your ideas should be a crucial feature in your business planning. One of the first things you should do is understand whether and how you should protect your intellectual property (IP) and apply for the appropriate IP protections for the jurisdictions in which you wish to operate. You don't want to invest time and money in your business, only to later find the IP already belongs to someone else.
The Intellectual Property Office's IP Health Check is a free and quick tool that will help to identify your IP assets, and provide advice on how to protect them. The British Library Business and IP Centre also supports entrepreneurs, inventors and small businesses. However, having the right legal protections for your IP in place does not mean it's no longer at risk. You should continuously review who has access to your most sensitive information and how you ensure it remains secret.
Build security into your environment
In this section
- Build in essential security measures when setting up your IT.
- Control access to your information and most valuable assets, with measures to detect unauthorised access.
Any security decisions you make will be strengthened by considering people, information, physical and cyber risks together. Securely configured IT may be at risk if left in an unlocked room. Equally, physical barriers such as safes and locks are pointless if you are not checking the credibility and trustworthiness of the people who can access them.
In 2020, criminals tried to bribe a Tesla employee to install malware in one of the company's factories. The malware was designed to exfiltrate data and extort ransom money. The FBI arrested a Russian national for attempting to recruit an employee of a company to introduce malicious software into the company's computer network. The plan was thwarted when the employee reported the incident.
The threat of criminals recruiting an insider to exploit their physical access is not new but is now being used to facilitate cyber-attacks. This incident demonstrates how integrating personnel, physical, and cyber security is essential to protect your startup. [4]
Technology startups should use the NCSC's Secure by Default principles when designing software and systems, to ensure that security problems are addressed at root cause, rather than treating the symptoms. Ensuring that your products are free from security vulnerabilities is a key concern. The NCSC also provides guidance on secure development and deployment that will be useful to those producing software and systems.
Securing your critical assets
The previous section covered identifying your most critical assets. You should design your security measures around protecting them.
- Place barriers around each asset that you have prioritised for protection. These could be physical barriers such as a cabinet, or virtual barriers such as a firewall.
- Control access to the asset to only those employees who need it and are trusted to use it securely. This may be as simple as putting a lock on the cabinet, enabling swipe card access to certain areas, restricting administrator rights and access to physical ports, or having strong passwords on your IT devices.
- Take regular, ideally automated, backups of critical data and keep them physically and logically separate from the main system. This will allow your business to function following the impact of physical damage, theft or ransomware attacks.
Cyber security measures
Insecure IT can provide an easy way for your business to be exploited. The following steps are designed both to reduce the likelihood of your systems being compromised and to reduce the impact of a breach, should one occur.
Switch on your firewall and antivirus
Most popular operating systems now include a firewall, so it may simply be a case of switching this on. Similarly, antivirus software is often included for free, and should be used on all computers and laptops. Most modern smartphones and tablets don't need antivirus software, provided you only install apps and software from official stores such as Google Play and Apple's App Store.
Use passwords to protect devices and accounts
Switch on password protection or choose another method to 'lock' your devices (such as a fingerprint, PIN, screen-pattern or face recognition). If your devices come with default passwords, change these before they are distributed to staff.
- Use two-factor authentication for important accounts (e.g. email or banking). This uses two methods to 'prove' your identity, usually a password and something else, such as a code sent to your phone.
- Try to avoid using predictable passwords (such as dates, or family and pet names), and don't use the most common passwords that criminals can easily guess. To create a memorable password that's hard for someone else to guess, you can combine three random words.
- Help staff to remember passwords, for instance by only requiring them to be changed when you suspect that they have been compromised. Provide staff with secure storage (away from the device) where they can record important passwords. It is safe to let your browser save your passwords.
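As an added illustration of the password advice above (this code is not part of the NCSC guidance), the following Python builds a "three random words" passphrase with the `secrets` module, shows how much entropy that gives for a given word-list size, and flags the predictable patterns the guidance warns about: common passwords, short passwords, dates or years, and personal names. The word list, the common-password list and the `personal_terms` parameter are constructed assumptions for the example; a production deployment would use a published word list of several thousand entries and a breach-derived blocklist.

```python
import math
import re
import secrets

# Constructed sample word list (40 entries) so the example runs offline; a real
# deployment would use a published list of several thousand words.
WORD_LIST = [
    "anchor", "basket", "candle", "dragon", "engine", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "ladder", "magnet", "needle", "orange", "pepper",
    "quartz", "rocket", "saddle", "timber", "unicorn", "velvet", "walnut", "yellow",
    "zipper", "bridge", "copper", "desert", "forest", "glacier", "helmet", "ivory",
    "lantern", "marble", "nickel", "pillow", "river", "silver", "tunnel", "window",
]

# Constructed stand-in for a list of the most commonly used passwords; real
# blocklists (such as breach-derived lists) contain millions of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin123"}

# Four-digit years and simple d/m/yy(yy) dates: the "dates" the guidance warns about.
DATE_PATTERN = re.compile(r"(?:19|20)\d{2}|\d{1,2}/\d{1,2}/\d{2,4}")


def three_random_words(words=WORD_LIST, separator="-"):
    """Build a 'three random words' passphrase using the OS CSPRNG (secrets, not random)."""
    return separator.join(secrets.choice(words) for _ in range(3))


def entropy_bits(list_size, word_count=3):
    """Entropy in bits of word_count words drawn uniformly and independently from list_size words."""
    return word_count * math.log2(list_size)


def weakness_reasons(candidate, personal_terms=(), common=COMMON_PASSWORDS, min_length=12):
    """Return the reasons a candidate password is predictable; an empty list means no findings."""
    reasons = []
    lowered = candidate.lower()
    if lowered in common:
        reasons.append("common password")
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if DATE_PATTERN.search(candidate):
        reasons.append("contains a date or year")
    # personal_terms are names the owner supplies (family, pets, company), checked as substrings
    for term in personal_terms:
        if term.lower() in lowered:
            reasons.append(f"contains personal term '{term}'")
    return reasons


if __name__ == "__main__":
    passphrase = three_random_words()
    print(passphrase, f"({entropy_bits(len(WORD_LIST)):.1f} bits from a {len(WORD_LIST)}-word list)")
    print("Rex1998:", weakness_reasons("Rex1998", personal_terms=["Rex"]))
```

The entropy figure makes the point that the strength of three random words comes from the size of the list they are drawn from: 40 words give only about 16 bits, whereas a 7,776-word list (the size of the well-known Diceware list) gives about 38.8 bits. Drawing words with `secrets.choice` rather than `random.choice` matters because `random` is not designed for secrets.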
Keep devices and software up to date
Keep all IT equipment up to date by ensuring that the software and firmware is updated ('patched') with the latest updates from providers. These updates will not only add new features, but they will also patch any security holes that have been discovered. Make sure staff know when updates are ready, how to install them, and that it's important to do so straight away.
Wherever there is an option to do so, set systems to automatically update. Once a product reaches the end of its supported life and these updates are no longer available, consider replacing with a more recent alternative.
In 2017, the WannaCry ransomware attack affected 300,000 computers in 150 countries, encrypting machines and rendering them unusable. WannaCry was distributed by a self-replicating worm, so its spread was rapid, random and untargeted. It exploited vulnerabilities that had been fixed by Microsoft two months previously, meaning that only systems that had not been patched with that update were affected. [5]
Think about how you connect to the internet
Avoid connecting devices to unknown public Wi-Fi hotspots. Doing so could allow the provider (who may not be who you think it is) to see what you're doing and to access your private login details. Instead, use your mobile network, which will have built-in security, preferably in conjunction with a virtual private network (VPN).
- If you are using an internet connection provided as part of shared office space, how confident are you in both the provider and any other parties using the connection? Identify the boundary of networks that you control and can trust. If necessary, seek advice to implement appropriate and proportionate measures.
- If you need to routinely access the internet over untrusted infrastructure, we recommend using a VPN. VPN capability can be provided either as a service or managed by your organisation. Take care to understand what you are paying for and how your connection to the internet is made.
Enable tools to track, lock or wipe lost or stolen mobile devices
Staff are more likely to have their tablets or phones stolen (or lose them) when they are away from the office or home. Fortunately, the majority of devices include free web-based tools that are invaluable should you lose your device. You can use them to:
- track the location of a device
- remotely lock access to the device (to prevent anyone else using it)
- remotely erase the data stored on the device
- retrieve a backup of data stored on the device
Secure your supply chains
In this section
- Assess the risks associated with any product or service you buy.
- Seek suppliers who provide security assurances suitable for your requirements.
- Meet your own security requirements as a supplier and consumer.
Supply chains present a complex security risk for startups. A series of high profile, very damaging attacks on companies has demonstrated that attackers have both the intent and ability to exploit vulnerabilities in supply chain security. This trend is real and growing.
In 2018, the UK and its allies announced that a group known as APT10 acted on behalf of the Chinese Ministry of State Security to carry out a malicious cyber campaign targeting intellectual property and sensitive commercial data in Europe, Asia and the US.
The NCSC assessed that APT10 was almost certainly responsible for a global campaign against Managed Service Providers (MSPs). We assessed that the ultimate targets of this campaign were the customers of those MSPs. [6]
Putting in place effective supply chain security from the start can save you a lot of time when your supply chains increase in length and complexity. We recommend that you:
Understand the risks. This means being aware of:
- What needs to be protected and why. You need to understand the sensitivity of your contracts and your most critical assets.
- Who your suppliers are and what their security looks like.
- The risks you may be exposed to by being a part of the supply chain that you have identified.
Take informed decisions. This may include:
- Seeking suppliers whose security offer best matches your requirements.
- Checking that the level of assurance offered by your provider (which may be informal, contractual or independently verified) is appropriate to your risk appetite.
- Considering building diversity and resilience into your supply chain if you identified any over-reliance on one supplier.
As your company grows, you may be able to take greater control of your supply chain security by setting and communicating clear minimum-security requirements for your suppliers.
Remember, you are likely to be a supplier too. Ensure that you enforce and meet your security responsibilities.
Security considerations when using cloud services
Cloud service providers can supply highly scalable and rapidly deployed services without you having to invest in the requisite hardware. By handing over parts of your IT to a service provider, you will benefit from specialist expertise (including in security) that a small organisation may struggle to justify in terms of cost. When doing so, it is essential to ensure that the service provides advanced security to all customers.
Cloud services differ in how they prioritise the various attributes of cloud security, so understanding which is important to you will help you to select an appropriate provider. For instance, are you more concerned about protecting the confidentiality of your data, or having a service with high resilience and availability?
It is also important to be clear on where your data is being held and under which legal jurisdiction it falls. The General Data Protection Regulation (GDPR) requires that personal data should only be transferred outside the UK to a territory that ensures an adequate level of protection. These include the European Economic Area and a list of countries considered by the European Commission to be adequate. The Information Commissioner's Office provides advice.
Part 2: Security as you grow
As your company continues to grow and evolve, so too should your security measures. The risks you face may well have changed, for example because your team has grown, you have moved to more or larger premises, you are collaborating with more partners, or you are looking for investment.
It is worth regularly reviewing your security measures to consider whether you need additional precautions as your business grows:
- Collaborate with security in mind
- Expand safely to new markets
- Trust your talent
- Prepare for security incidents
Collaborate with security in mind
In this section
- Limit the data you share with your partners and ensure they can handle sensitive data securely.
- Where possible, keep sensitive systems independent of those accessible by external parties.
- Where proportionate, put in place confidentiality and non-disclosure agreements (NDAs) with those who have access to your innovation.
To help your company grow safely through increased collaboration, it is worth managing the additional risks collaboration brings. Collaboration increases the number of external routes into your organisation, or to any information or data you may share. You may also have access to other, possibly larger, organisations through your supply chain that an attacker might want to target.
You can help to manage these risks, for instance by:
- Determining early what data is appropriate to share and implementing measures to limit access to just that data.
- You may also be able to design your setup so that your more sensitive systems are independent from those accessible to the wider organisation and any external parties.
- Taking steps to ensure that any third parties are handling any sensitive data appropriately and securely.
When working with international partners, you will also have to consider the implications of different local laws and regulations. Some regimes could compel overseas partners to release data or cooperate with their state.
For example, China's National Intelligence Law allows Chinese intelligence agencies to compel Chinese organisations and individuals to carry out work on their behalf and provide support, assistance and cooperation on request. This may affect the level of control you have over your information and assets as you engage with Chinese individuals and organisations, especially if you work in an area that may be of interest to the Chinese state, like emerging and sensitive technologies. [7]
It is also worth considering that your early choice of third parties - whether investors, customers or suppliers - may impact who is willing to do business with you later. For instance, most potential investors will want to see your capitalisation table: one of the things they are likely to check is that your other investors share similar values and objectives to their own.
Non-disclosure agreements (NDAs)
NDAs and confidentiality agreements allow you to put additional legal protections in place, usually for a defined length of time. As with legal IP protections, NDAs are another tool you can use, but they do not replace good protective security measures.
A good NDA restricts the use of your ideas and information to a specific permitted purpose. You can widen the permitted purpose later, but you cannot restrict it, so specify the purpose in the NDA as precisely as you can. However, it is worth being realistic about how your partners need to use the information, for example by allowing confidential disclosures to employees and professional advisors where necessary.
Demonstrating your commitment to security
As you collaborate more, you may find it useful to be able to demonstrate your commitment to cyber security (some government contracts will require Cyber Essentials certification as a minimum). The Cyber Essentials scheme is a first step in doing this. It provides certification - either self-assessed or, in the case of Cyber Essentials Plus, independently verified. Achieving either level shows that you have the technology and policies in place to guard against common cyber threats.
Depending on your sector or customer, there may be a requirement to meet further standards. If this is the case, make sure you understand why a particular standard is needed, and how you can meet future requirements. Security is an ever-evolving field, and you may be required to update your technology and policies to maintain any certification.
Expand safely to new markets
In this section
- Understand whether any new investment is likely to raise security concerns and consider security mitigation measures as part of your investment strategy.
- Check whether any products, software, or technology (including critical knowledge) that you wish to export are on the UK Strategic Exports Control List and apply for the appropriate licenses.
- Put in place proportionate and effective security procedures for any international travel.
Investment security
Investments into your company introduce both opportunities and risks. You may be able to benefit from your investors' experience to improve your business and security practices. However, investment can also be used to gain access to, and influence over, your company.
The UK has introduced new legislation, the National Security and Investment (NSI) Bill. It will provide the government with powers to scrutinise and intervene in acquisitions of control to protect national security, and give businesses and investors the certainty and transparency they need to do business in the UK. This is because, in a minority of cases, investment can be used to harm the interests of your company or the national security of the UK. [8]
An early risk assessment of any investments to determine whether there are any security concerns will allow you to be better informed about possible outcomes and have a stronger negotiating position. Conducting due diligence on any proposed investor (including entities of any consortia) is an essential first step. Considerations are likely to include:
- the investor's reputation and trustworthiness
- the source of their funds
- whether they have unexpected commercial, political or military ties
- especially for an overseas investor, any implications of the legal regime they are subject to
- whether they are on the entity listing of other countries, particularly those you are, or may consider, doing business with
After agreeing a takeover offer from an overseas investor, a UK engineering company signed several technology-transfer agreements with their would-be acquirer. These entailed providing training and revealing technology in return for a proportion of the company's agreed sale price. Two years later, the investor had failed to complete the deal, citing difficulty obtaining approval from their home government. Meanwhile, the UK company lost its licence to make military equipment for western powers due to its links with the foreign investor. Consequently, the UK company was left facing administration. [9]
You may be able to implement mitigation measures or modify the terms of the deal to address risks identified. If so, any mitigations must be maintained for the duration of the commercial relationship and be regularly reviewed to ensure they are, and remain, effective.
You may also wish to consider sources of funding available from the UK public sector. The British Business Bank has information on a range of finance options through its Finance Hub.
Export control
When exporting into new markets, you will need to be aware of the UK Strategic Export Control Lists. These form the basis of determining whether any products, software, or technology (including intangible transfers of critical, technical knowledge) that you intend to export is 'controlled' and therefore requires an export license.
The Control List comprises a wide range of items. Some of these will be fairly obvious, such as guns and ammunition, but others are less so, such as a wide variety of emerging technology dual use items. Dual use items are goods, software or technology which can have both civil and military applications. They can range from raw materials to components to complete systems, e.g. aluminium alloys, bearings, or lasers. They could also be items used in the production or development of military goods or chemical, biological or nuclear weapons, e.g. machine tools, chemical/manufacturing equipment and computers.
The following resources can help you find out more:
- UK Consolidated List of Strategic Military and Dual-Use Items that Require Export Authorisation.
- Checker Tools database
- The Export Control Joint Unit (ECJU) also provides support and advice on whether a particular end user is likely to be of concern. You can contact the ECJU on 020 7215 4594 or by email on [email protected].
You should be aware that, at the time of publication, there are arms embargoes in operation against both China and Russia. You should also carefully consider whether you use anything supplied from the US, in which case you may also be subject to United States export control laws, specifically:
Travel safely
As you grow, there may be more need for you and your employees to travel internationally. We recommend considering whether planned travel is likely to introduce additional risks and, if so, taking appropriate steps to mitigate them. This could include:
- Ensuring any work travel itineraries are shared through line management chains.
- Protecting any electronic devices taken overseas with encryption, password protection and by using only trusted data networks.
- Removing all non-essential data from devices, including any apps, accounts, contacts, emails and files and clearing web browsing history and using private browsing mode during any trips.
- Knowing what to share, trade, and protect. This means establishing and sharing the business stance on what information is sensitive and what can be shared.
- Giving out business contact details rather than personal details.
- Encouraging the reporting of any security incidents to security leads or line managers.
Additional resources
- The Department for International Trade has offices worldwide that can provide UK businesses with information on trade issues specific to that region or country.
- The UK overseas intellectual property attaché network can provide advice on IP matters to those thinking of doing business in South East Asia, China, Brazil and India.
- The UK government has also produced guidance for the tech sector on opportunities with China, the UK's third-largest export market and the world's second largest and fastest-growing major economy.
Trust your talent
In this section
- Maintain your positive security culture through strong communication.
- Identify any roles that are exposed to higher risks and provide those individuals with additional support.
- Put in place a pre-employment screening process for all recruits into your business.
- Establish a security training package for staff, including at point of induction.
As your company grows you may begin to employ and give access to people who are less familiar to you. It is vital that you can trust your workforce, both to protect your valuable assets and information and to report potential security incidents. However, you may no longer be able to rely on personal relationships alone to achieve that trust.
Consistency and communication are vital to creating an environment in which people are confident that they can speak openly, that the organisation will improve as a result and that any actions will be reviewed fairly. This means making it easy and routine to report any concerns, handling those concerns sensitively and without apportioning blame, and keeping those involved informed of both the progress and benefits of any resulting actions to reinforce confidence in reporting.
A role-based security risk assessment will help you to keep your security measures proportionate and effective. As a startup, you have already assessed the risks to your business based on the likelihood and consequence of threats to your critical assets. This should provide you with a foundation for assessing which roles have a higher risk exposure, and so require more comprehensive employment checks. For instance, you may introduce travel restrictions and ask staff to report any suspicious approaches, including offers of employment or contracting opportunities.
As above, staff access controls should also be role specific. For instance, those responsible for marketing may not need access to your IP.
The following resources can help you with the ongoing management of employees.
HoMER - Holistic Management of Employee Risk
Employment screening
As you recruit more employees it is essential that you screen potential candidates who wish to be part of your business and have access to your critical assets.
Employment screening is the process through which you check whether a potential candidate is suitable for your business. All individuals who are provided access to your assets should be subject to a suitable level of screening, informed by a role-based risk assessment. This includes permanent, temporary and contract workers. It shouldn't be limited to new starters, but also individuals who are moving internally between jobs, as different roles may require different levels of screening.
Security checks which are a part of your employment screening could include:
- confirmation of identity
- nationality and immigration status
- right to work
- employment and education history
- criminal records check
- financial records check
- personal references
- open sources and social media assessment
- national security vetting (for access to government classified material)
NPSA's guidance on employment screening can help with this.
Security education
Providing ongoing security training for all employees (permanent, temporary, or contracted) will also help to maintain your security culture. Effective education and training help individuals understand what policies, standards and procedures are in place to maintain security. Individuals will need to appreciate:
- the threats faced by your business
- their security responsibilities
- how to report security concerns
One of the times security education and training should be provided is during induction. The role of your leaders is to set an example and reinforce good practice. Bespoke education and training should be provided for job roles with specific security responsibilities such as:
- security managers across business areas
- security officers and guards
- line managers
As your company grows to the extent that you can employ security experts, strong communication will be a key requirement to ensure that the Board continues to appreciate the wider implications of security and how it supports their overall organisational objectives.
Prepare your staff to detect and report suspected phishing. Phishing refers to an attempt to persuade individuals to reveal sensitive information or click on a link that will install malware on their device.
- Educate staff on the common attributes of phishing and on your business's normal practices, so that they can spot anomalies.
- Understand what you reveal about your company on its webpage, as this is often used to make phishing messages more convincing.
- Encourage staff to report unusual requests or suspected phishing internally and to the Suspicious Email Reporting Service. Reward people for reporting anything suspicious through prompt positive feedback about the value of their report. This encourages further reporting.
- Report all attacks to the Action Fraud website or, in Scotland, Police Scotland on 101.
In 2011, a Chinese wind turbine maker was convicted of stealing trade secrets from a US semiconductor company, causing the company to lose more than $1 billion in shareholder equity and almost 700 jobs. The Chinese company recruited an employee of the US company to secretly copy information, including the source code for its wind turbine control system. In court, the employee's lawyer said his client's actions stemmed from "frustration" about a failed marriage, which had been strained by his trips abroad for work followed by a demotion to the customer service department, resulting in the employee feeling undervalued.
The integrity of your people is a major contributor to your success. Employment screening will provide you with a snapshot risk assessment of an individual; your personnel security practices need to be maintained through ongoing conversations, security training and monitoring.[10]
The following resources can help you with security training for staff:
- Security Messages for New Joiners.
- The NCSC's free half-hour introduction to basic cyber security for staff.
- The NCSC's Board Toolkit and NPSA's Passport to Good Security for Senior Executives set out key themes for security governance best practice and provide prompts for actions you need to take.
Prepare for security incidents
In this section
- Establish and test an Incident Management plan.
- Monitor your IT and staff to detect and explore unexpected behaviour.
A data breach occurs when information held by an organisation is stolen or accessed without authorisation. The damage caused by a breach can be reduced through a well-planned and executed response. The following steps should help:
Incident management
A basic incident management plan should include:
- Contact details for anyone you would need to contact to help you identify an incident. These may include a web hosting provider, IT support services or insurance company.
- Clearly defined responsibilities, together with escalation criteria and a process for critical decisions. This should ideally include contact details and contingencies in case a key member of staff is unavailable.
- A coordination function to track and document findings and actions. Keeping a good record of the incident is useful both for post-incident reviews and where it is necessary to report the incident - e.g. to regulatory bodies or, in certain cases, to the Information Commissioner's Office.
- Learning lessons from post-incident reviews and using them to update your response plan and wider practices. Particularly consider whether there was any information which would have significantly helped your response, but which was difficult or impossible to obtain.
Exercising
Exercise in a Box is a free online tool provided by the NCSC. It will walk you through running tabletop exercises to test your response to common cyber-attack scenarios. This will help you both to test your response plan and to develop a 'playbook', or detailed response plan, for the first few hours of some common scenarios.
Monitoring
Maintaining an understanding of your IT's behaviour is central to your ability to spot anomalies, which may reveal security incidents. It is also worth monitoring user activity to identify any unauthorised or accidental misuse of systems or data by users. As elsewhere, understanding the risks you are most concerned about will enable you to focus your monitoring to collect information relevant to your needs.
The NCSC's Logging Made Easy is a self-install tutorial to help organisations develop a basic level of IT logging capability using free and open-source software.
The same is true of your staff. The change from a trustworthy employee into someone who feels disgruntled and motivated to damage the organisation can be triggered by a negative workplace experience. It may change an individual's behaviours in terms of the information, systems and sites or assets they access and retrieve.
Collecting, aggregating and analysing behavioural data can help to identify and ideally address undesirable behaviours - it can therefore help to prevent as well as detect an increased insider risk. A supportive response can help to improve your team's relationship with the company, and thereby security. Any behavioural information should be selected and handled sensitively to respect privacy and the staff-company relationship.
The common indicators to look out for include:
- change of working pattern
- conflicts at work
- decline in performance
- drug or alcohol abuse
- aggressive behaviour
- mood swings
- missed promotions
- debt
- unexplained wealth
An employee of a US agrochemical and biotechnology company maintained contact with officials within the Chinese Communist Party about potential jobs for two years. The employee travelled to China for job interviews and to discuss his knowledge and skills. In doing so, he implied that he could duplicate his employer's intellectual property.
After resigning from his job, the employee copied and downloaded the company's IP to a memory card and bought a one-way plane ticket to China. Before he could board his flight, the employee was intercepted by law enforcement officials who seized copies of the stolen IP.
Strong security monitoring could have flagged this employee's actions. This includes being aware of employee travel, IT behaviours, and physical access and actions such as use of memory cards or excessive printing. This example also highlights the mutually reinforcing nature of the various components of protective security.[11]
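As an added illustration (not part of this guidance, and not an NCSC or NPSA tool), the following Python sketch applies the monitoring idea above to a constructed activity feed: it compares each person's recent removable-media, download and printing volume with their own earlier baseline, and cross-references an HR feed of resignation notices so that bulk copying by a leaver stands out. The event format, the thresholds and the user names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity feed: (user, ISO timestamp, event kind, size).
# size is bytes for download/removable_media events and pages for print events.
EVENTS = [
    ("alice", "2024-03-01T09:10", "download", 2_000_000),
    ("alice", "2024-03-08T10:00", "download", 1_500_000),
    ("alice", "2024-03-15T11:00", "print", 12),
    ("alice", "2024-03-29T18:40", "removable_media", 900_000_000),
    ("alice", "2024-03-29T18:55", "download", 450_000_000),
    ("bob", "2024-03-02T09:00", "print", 10),
    ("bob", "2024-03-28T14:00", "print", 15),
]
# Constructed HR feed: date on which notice of resignation was given.
RESIGNATIONS = {"alice": "2024-03-27"}

RECENT = timedelta(days=7)      # window in which deviations are flagged
BASELINE = timedelta(days=30)   # earlier window that defines "normal"
SPIKE_FACTOR = 5                # recent total > factor x largest baseline event
LEAVER_KINDS = ("download", "removable_media")

def find_indicators(events, resignations, now_iso):
    """Return sorted (user, indicator) pairs: prompts for a supportive review, not automatic action."""
    now = datetime.fromisoformat(now_iso)
    stats = defaultdict(lambda: {"base": [], "recent": 0})  # key: (user, kind)
    findings = set()
    for user, ts, kind, size in events:
        t = datetime.fromisoformat(ts)
        if now - RECENT <= t <= now:
            stats[(user, kind)]["recent"] += size
        elif now - RECENT - BASELINE <= t < now - RECENT:
            stats[(user, kind)]["base"].append(size)
        # Bulk copying on or after resignation notice: the HR feed makes it visible to monitoring.
        notice = resignations.get(user)
        if notice and kind in LEAVER_KINDS and ts[:10] >= notice:
            findings.add((user, "activity after resignation notice"))
    for (user, kind), s in stats.items():
        if s["recent"] == 0:
            continue
        if not s["base"]:   # e.g. first ever removable-media write
            findings.add((user, f"new activity: {kind}"))
        elif s["recent"] > SPIKE_FACTOR * max(s["base"]):
            findings.add((user, f"volume spike: {kind}"))
    return sorted(findings)

if __name__ == "__main__":
    for user, why in find_indicators(EVENTS, RESIGNATIONS, "2024-03-30T00:00"):
        print(f"{user}: {why}")
```

Each finding is one of the indicators the text lists, surfaced for a person to review alongside the wider behavioural picture, not a verdict on the individual.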
Footnotes
1. https://www.accenture.com/_acnmedia/PDF-127/Accenture-Security-Technology-Vision.pdf
2. Cyber Security Breaches Survey 2020 - GOV.UK (www.gov.uk)
3. Netherlands expels two Russians after uncovering 'espionage network'
4. When the virtual and physical collide: the need for a joint approach to cyber and physical security
5. The Cyber Threat to UK Business, 2017-18
6. UK and allies reveal global scale of Chinese cyber campaign, gov.uk, https://www.ncsc.gov.uk/information/global-targeting-enterprises-managed-service-providers#_ftn1
7. Secure Business
8. National Security and Investment (NSI) Bill
9. China's Future Aerospace stole trade secrets, says Smiths (Harlow), the Times, 2 Feb 2020
10. https://www.reuters.com/article/us-sinovel-wind-gro-usa-court-idUSKBN1FD2XL
11. https://www.reuters.com/article/usa-china-espionage-idINKBN1XW06J