Core Security Measures for Early-Stage Technology Businesses
Introduction
Secure Innovation aims to give early-stage emerging technology companies the motivation and tools to deliver effective protective security, increasing their resilience to state threats and their competitive advantage when attracting funding or customers.
Certain states go far beyond legitimate international competition, descending into theft of intellectual property and trade secrets, for their technological, economic and military advantage. Given the UK’s strong record in research and development, and vibrant startup ecosystem, UK companies are likely to be particularly attractive targets to a wide range of threats. Early-stage tech companies, like all businesses, also face threats from cyber criminals, who look to exploit vulnerabilities to steal data, deploy ransomware or enable fraud.
The core security measures suggested below will help early-stage technology businesses protect their intellectual property, information, and data, increasing their competitive advantage and resilience to state threats. Actions 1.1 to 1.4 and 2.1 to 2.3 can be implemented very quickly at no cost. Actions 1.5 to 1.6, 2.4, and 3.1 to 3.2 are realistically achievable within six months.
Protective Security Measures
1 - Fundamental Actions
Requirement | Supporting Resources |
1.1 Identify someone at Board level who is responsible for security | Secure Innovation Quick Start Guide |
1.2 Identify the assets which are critical to your business’ success | |
1.3 Add security risks to your corporate risk register | Secure Innovation Quick Start Guide |
1.4 If your organisation has a public IP address or domain name, sign up to the NCSC’s Early Warning service | Early Warning | NCSC |
1.5 Complete the Secure Innovation Personalised Action Plan and follow the recommended actions | Secure Innovation Personalised Action Plan |
1.6 Attain Cyber Essentials | Cyber Essentials | NCSC |
2 - Strongly Advised Actions
Requirement | Supporting Resources |
2.1 Conduct background checks on all prospective investors, suppliers and partners | Secure Innovation Background Checks Guidance |
2.2 Implement a travel security policy | Secure Innovation Travel Security Guidance |
2.3 Implement a pre-employment screening process for prospective employees | Pre-employment screening good practice guidance |
2.4 Use the NCSC’s ‘Check your cyber security’ service to identify any common vulnerabilities in your public-facing IT - and if any vulnerabilities are identified, follow the recommended steps to address these | Check your cyber security | NCSC |
3 - Security Incident Management and Response
Requirement | Supporting Resources |
3.1 Have a clear incident management plan in place that is routinely exercised to test your response to common security threat scenarios | Secure Innovation Scenarios Booklet |
3.2 Consider taking out a Cyber Incident Response (CIR) retainer with an NCSC assured provider | Cyber Incident Response Scheme | NCSC |
Implementation Support
Many of the security measures above are achievable quickly, with no security expertise required, at little to no cost. In addition to the supporting resources highlighted in the tables above, the resources below provide options for more hands-on support from assured or chartered security professionals.
Support from assured or chartered security professionals
The NPSA has guidance on Working with Security Professionals.
The NCSC’s Cyber Advisor scheme provides small and medium-sized organisations with reliable and cost-effective cyber security advice and practical support.
Funded Support
NCSC Funded Cyber Essentials Plus: For organisations with fewer than 50 staff working in certain sectors, the NCSC is offering funding for Cyber Essentials Plus – details and applications are online.
Change Log
- NPSA and NCSC may update these recommendations as new guidance and tools are created.
- V1.0 of the guidance was published on 2nd September 2024.