Secure Innovation

Competition to succeed in emerging technology can be intense. This guidance outlines cost-effective measures that you can take from day one to better protect your ideas, reputation and future success.

Good security practices can protect your competitive advantage, making your company more attractive to investors and customers. Laying strong foundations from the start will help your security to be more effective and less costly as your business grows.

Emerging technology companies of all sizes are being targeted by certain states. Companies with weak security are most at risk. Those states may steal your technology to:

• Fast-track their technological capability, undermining your competitive edge
• Target, harm, and repress their own people to prevent dissent or political opposition, damaging your reputation
• Increase their military advantage over other countries, risking our national security

There are many ways a state-backed or hostile actor could try to get hold of your assets:

• Insider – Your people are your greatest asset but, in some cases, they can pose an insider risk
• Cyber – Insecure IT can provide an easy way for your business to be exploited
• Physical – Your assets could be stolen via physical access
• International Travel – State-backed actors can operate more easily overseas than in the UK
• Investment – Investment can be used to gain access to, and influence over, your company
• Overseas jurisdictions – International expansion exposes you to jurisdiction risk from local laws and business practices
• Supply chain – Vulnerable or malicious suppliers could compromise your business

It is not possible to protect everything against every threat, especially for small companies with limited resources. However, security protections can cost less than expected, and will pay long term dividends. Security decisions should be prioritised, and based on a thorough understanding of what is most important to your survival and success.

Security will be more robust where it is based on a combination of information, physical, people and cyber security measures.

When establishing your business, you need to identify clear security leadership. This means appointing a senior leader with the authority and responsibility to ensure that security is factored into business decisions.

One of their key initial tasks is to initiate conversations about security within your company as an important step towards developing a positive security culture in which any security incidents are openly discussed and learnt from. The startup phase is the perfect time to set the tone for your future security culture. An ongoing security dialogue will help develop a common understanding of your business’ most valuable assets, your risk tolerance, and individuals’ security responsibilities.

Your assets are wide-ranging. They will include tangible assets (those assets that are physical in nature, such as buildings and equipment), and intangible assets (those assets that are non-physical, inlcuding ideas, software, brands, expertise, relationships, and organisational know-how). Identifying those assets which are critical to your business’ successshould be the starting point in your security planning.

Strong security is central to allowing your business to thrive, so security risks should be assessed and managed alongside any other risks to your business. Your awareness and management of the risks you face will make you more attractive to customers and investors.

Completing a risk assessment will help you to identify vulnerabilities and the potential impact of exploitation. Put in place mitigations that can help you bring down the risk level to one you find acceptable and establish a process to review these risks.

We also recommend:

• Establishing a security strategy for your business based on an understanding of your key assets, the risks they face and the risks you are willing to tolerate.
• Regularly reviewing security policies and procedures, so that they evolve with the business' exposure to threats.
• Establishing responsibilities for security with any new employees, contractors, or suppliers.

Build in security measures to protect your critical assets from the start.

1. Place barriers around the assets you have prioritised for protection. These could be physical barriers, such as an access-controlled room, or virtual barriers such as a firewall.
2. Control access to the asset to only those employees who need it and are trusted to use it securely.
3. Implement measures to detect unauthorised activity. Early identification of unauthorised or unusual access to an asset will help avoid or limit a security incident.

Insecure IT can provide an easy way for your business to be exploited. Ransomware incidents are particularly prevalent and can cause significant financial impact, as well as longer-term reputational damage. The following steps are the minimum cyber security measures any organisation should consider to reduce the likelihood of your systems being compromised and to reduce the impact of a breach, should one occur.

1. Take regular backups of critical data

Take regular, ideally automated, backups of critical data and keep them physically and logically separate from the main system. This will allow your business to function following the impact of physical damage, theft or ransomware attacks.

2. Switch on your firewalls and antivirus

Most popular operating systems now include a firewall, so it may simply be a case of switching this on. Similarly, antivirus software is often included for free, and should be used on all computers and laptops. Most modern smartphones and tablets don't need antivirus software, provided you only install apps and software from official stores such as Google Play and Apple's App Store.

3. Use passwords to protect devices and accounts

Switch on password protection or choose another method to 'lock' your devices (such as a fingerprint, PIN, screen-pattern or face recognition). If your devices come with default passwords, change these before they are distributed to staff.

• Use multi-factor authentication (MFA) - also known as two-step verification (2SV) or two-factor authentication (2FA) - for ‘important’ accounts (e.g. email or banking). This uses two methods to ‘prove’ your identity, usually a password and something else, such as a code sent to your phone.
• Try to avoid using predictable passwords (such as dates, or family and pet names), and don't use the most common passwords that criminals can easily guess. To create a memorable password that's hard for someone else to guess, you can combine three random words.
• Help staff to remember passwords, for instance by only requiring them to be changed when you suspect that they have been compromised. Provide staff with secure storage (away from the device) where they can record important passwords. It is safe to let your browser save your passwords.

4. Keep devices and software up to date

Keep all IT equipment up to date by ensuring that the software and firmware is updated (‘patched’) with the latest updates from providers. These updates will not only add new features, but they will also patch any security holes that have been discovered. Make sure staff know when updates are ready, how to install them, and that it is important to do so straight away.

Wherever there is an option to do so, set systems to automatically update. Once a product reaches the end of its supported life and these updates are no longer available, consider replacing with a more recent alternative.

5. Think about how you connect to the internet

Consider the risks of connecting devices to unknown public Wi-Fi hotspots. Doing so could allow the provider (who may not be who you think it is) to see what you’re doing and to access your private login details. Instead, use your mobile network, which will have built-in security, preferably in conjunction with a virtual private network (VPN).

• If you need to routinely access the internet over untrusted infrastructure, you should consider using a VPN. VPN capability can be provided either as a service or managed by your organisation. Take care to understand what you are paying for and how your connection to the internet is made.
• If you are using an internet connection provided as part of shared office space, how confident are you in both the provider and any other parties using the connection? Identify the boundary of networks that you control and can trust. If necessary, seek advice to implement appropriate and proportionate security measures.

6. Enable tools to track, lock, or wipe lost or stolen mobile devices

Your employees are more likely to have their tablets or phones stolen (or lose them) when they are away from the office or home. Fortunately, most devices include free web-based tools that are invaluable should you lose a work device. You can use them to:

• track the location of a device
• remotely lock access to the device (to prevent anyone else using it)
• remotely erase the data stored on the device
• retrieve a backup of data stored on the device

Technology startups should use the NCSC’s Secure by Default principles when designing software and systems, to ensure that security problems are addressed at root cause, rather than treating the symptoms. Ensuring that your products are free from security vulnerabilities is a key concern. The NCSC also provides guidance on secure development and deployment that will be useful to those producing software and systems.

Intellectual Asset (IA) and Intellectual Property (IP) management strategies are essential for any business, and are integral with your business plans. Understanding what assets you have and what you want to do with them will help determine what actions are required.

It may be that formal registration of IP is best, however you may decide that it is preferable to go down a trade secrets route and manage IA and IP via contracts.

Whatever you decide to do, you will need to understand:

• What you need to protect
• How you need to protect it
• The in-country laws for the countries in which you are operating

You must then actively manage your IA and IP portfolio. Having the right legal protections for your IP in place does not mean it is no longer at risk. You should continuously track and review who has access to your most sensitive information and how you ensure it remains secret. Ensure your staff understand this process and are taking an active role in IA and IP management. Add IP clauses into employee contracts to help manage the risk to your IA and IP from current and former employees.

The best security decisions are taken holistically – considering people, information, physical and cyber risks together.

Partnerships are essential to the success of your business. However, partnerships increase the number of external routes into your organisation, or to any information or data you may share. To help your company grow safely, manage the additional risks that collaboration brings.

WHY are you collaborating?

The first thing to do is define the purpose of any collaboration.

• What are the outcomes you need from the collaboration?
• What are the benefits of collaborating on this project?
• What are the risks and red lines?

WHO are you working with?

Conducting due diligence on prospective partners is an essential step to assessing the risks of working with them.

• Independence and integrity
  • Are there organisational structures or relationships which could compromise their independence or integrity?
  • Do they have links to foreign militaries, police, or security services?
  • Are they a politically exposed person (PEP), or closely associated with one?
• Values and intentions
  • Do they operate under a legal regime which could compel them to share your data or cooperate with the state?
  • Is there any publicly available information which raises concerns about their intentions or values?
  • Do they appear on the UK sanctions list?
  • Are they on sanctions or entity lists for any other countries, particularly those where you may consider doing business in future?
  • Is there any information which suggests a lack of transparency from the partner?
  • Could partnering with them affect future investors, your global business and long-term intentions?
  • Does their approach to managing data or security breaches or incidents align with your own?
• Do you know the source of funds for any proposed transaction, whether direct or indirect?

WHAT are you sharing?

You can manage the risks associated with business collaborations by:

• Determining early what data is appropriate to share and implementing measures to limit access to just that data.
• Designing your setup so that your more sensitive systems are independent from those accessible to the wider organisation and any external parties.
• Taking steps to ensure that any third parties are handling any sensitive data appropriately and securely.
• Considering how you will get your data and IP back at the end of the collaboration.

When working with international partners, you will also have to consider the implications of different local laws and regulations. Some regimes could compel overseas partners to release data or cooperate with state organisations.

HOW are you protecting your innovation?

Include protections for your assets and data within contracts.

Non-disclosure agreements (NDAs) and confidentiality agreements allow you to put additional legal protections in place, usually for a defined length of time. A good NDA restricts the use of your ideas and information to a specific permitted purpose. You can widen the permitted purpose later, but you cannot restrict it, so specify the purpose in the NDA as precisely as you can. However, it is worth being realistic about how your partners need to use the information – for example, allowing confidential disclosures to employees and professional advisors where necessary.

As with legal IP protections, NDAs are another tool you can use, but they do not replace good protective security measures. They can be a useful deterrent and fall-back after an incident has occurred, but are unlikely to prevent intentionally hostile actors.

Include security requirements within contracts, legal investment documentation, or collaboration agreements. Check that these requirements are understood and being adhered to.

Investments into your company introduce both opportunities and risks. You may be able to benefit from your investors’ experience to improve your business and security practices. However, investment can also be used to gain access to, and influence over, your company.

An early risk assessment of any investments to determine whether there are any security concerns will allow you to be better informed about possible outcomes and have a stronger negotiating position.

Taking a security-minded approach from the start will enable you to make well-informed investment decisions.

• Conduct due diligence on prospective investors
• Be strategic when considering how much data or proprietary information you share with potential investors, both before and after any investment – what could you lose if an investor reneges on a deal?
• Agree and implement mitigations prior to any in-depth engagement:
  • Have you included provisions in your legal investment documentation to protect key operations, information, and data?
  • Have you considered how effective a legal or contractual agreement would be if you were relying on enforcement in an overseas jurisdiction?
  • Have you implemented a governance and reporting structure which ensures the risk management strategy remains effective over time?
• Consider sources of funding available from the UK public sector

Understand the risk

Your supply chain exposes you to potentially damaging security threats. Supply chain attacks can result in the compromise of entire organisations and pose a potentially terminal risk to businesses. Carefully consider your decision to outsource where it may provide another organisation with access to your critical assets. Consider how to reduce unnecessary or high-risk sharing of sensitive data or access to sensitive systems.

Assess the impact on your business if your supplier is compromised. Use this assessment to determine appropriate security measures to include within the contract.

Use secure suppliers

Conduct independent due diligence on suppliers as well as seeking security assurances from them. You can then make an assessment of how trustworthy and vulnerable to compromise a prospective supplier is.

Consider building diversity and resilience into your supply chain if you identify overreliance on any one supplier.

Where possible, use security clauses within your contracts to hold suppliers accountable for their security responsibilities. Including security at the initial stage of any contract will save you money later.

As your company grows, you can take more control of your supply chain security by demanding greater security assurances from your suppliers.

Demonstrate your commitment to security

As you collaborate more, you may benefit by demonstrating your commitment to security. By delivering security as part of your service, you could give your business a competitive edge.

Depending on your sector or customer, there may be a requirement to meet further standards. If this is the case, make sure you understand why a particular standard is needed, and how you can meet future requirements. Security is an ever-evolving field, and you may be required to update your technology and policies to maintain any certification. Maintaining security certifications may well require ongoing effort as security requirements evolve. Requests that companies do so should be considered and proportionate.

Travel safely

As you grow, there may be more need for you and your employees to travel internationally. We recommend considering whether planned travel is likely to introduce additional risks and, if so, taking appropriate steps to mitigate them.

Export controls

When expanding into new markets, you will need to be aware of UK export controls. Certain products, software, or technology (including the intangible transfer of critical, technical knowledge) are ‘controlled’ and therefore require an export licence. It is the exporter’s responsibility to check whether items require an export licence.

The UK maintains a single consolidated list of sensitive items that require export authorisation. These include both military and dual-use items. Dual-use items can be used for both civilian and military applications. The government has additional powers to require an export licence on items and technology, even if they are not on the consolidated control list.

Local laws

It is important to understand the local laws in the countries where you plan to operate. Different countries have different export control laws, as well as laws regarding the handling and storage of IP and data (possibly including requirements to install certain hardware or allow configuration to permit remote access to data by governments). National security laws in foreign countries can allow that country’s government to access data or information stored in, or transmitted via, that country.

Understanding local laws will ensure that you are legally compliant, and that you understand the additional security risks involved in expansion into new markets.

Export Control

Different countries have different export control laws. When entering new markets, or working with international partners, check whether your technology is subject to local export controls.

IP laws

Most IP rights are territorial – that is they only give protection in the countries in which they have been granted or registered. IP legal frameworks can also differ by country.

If you are thinking about trading internationally, you should take time to familiarise yourself with the IP framework and enforcement processes in overseas markets. Register your IP rights in advance of entering the market, and ensure you are resourced strategically such that you can defend those rights if required.

National Security laws

National security laws in foreign countries can allow that country’s government to access data or information stored in, or transmitted via, that country.

China’s National Intelligence Law, passed in June 2017, allows Chinese intelligence agencies to compel individuals and organisations to support and cooperate with state intelligence work. Intelligence work could capture any information to protect a national interest – be that military, political, economic, social, technological, cultural or others. The law does not allow individuals or organisations to refuse to provide access, information, or support if requested.

Russia has an extensive lawful intercept capability, known as the System of Operative Search Measures (SORM). SORM allows Russia’s Federal Security Service (FSB), to covertly monitor communications to, within, and out of Russia.​ The FSB can also compel individuals and organisations to share data stored in Russia with them and could prevent the data holder from disclosing this to the data owner. All communication service providers operating in Russia are obliged to install equipment to enable the FSB to monitor communications.

Data Protection laws

The General Data Protection Regulation (GDPR) is a Regulation in EU law. The Data Protection Act 2018 is the UK’s implementation of the GDPR. UK GDPR contains rules about transfers of personal data to receivers located outside the UK.

Alongside compliance with GDPR, you will also need to ensure compliance with data laws in the countries in which you are operating.

As your company grows, you may no longer be able to rely primarily on personal relationships to ensure trust. It is vital that you can trust your workforce to protect your valuable assets and information, and to report potential security incidents.

Pre-employment screening

As you recruit more employees it is essential that you screen potential candidates who wish to be part of your business and have access to your critical assets. All individuals who are provided access to your assets should be subject to a suitable level of screening, informed by a role-based risk assessment. This includes permanent, temporary and contract workers. It shouldn’t be limited to new starters, but also individuals who are moving internally between jobs, as different roles may require different levels of screening.

Maintain a positive security culture

Security culture refers to the set of values, shared by everyone in an organisation, that determine how people are expected to think about and approach security.

Consistency and communication are vital to creating an environment in which people are confident that they can speak openly about security concerns, that the organisation will improve as a result, and that any actions will be reviewed fairly. This means making it easy and routine to report any concerns, handling those concerns sensitively and without apportioning blame, and keeping those involved informed of both the progress and benefits of any resulting actions to reinforce confidence in reporting.

Security education

Providing security training for all employees (permanent, temporary, or contracted) will help to maintain your security culture. Effective education and training helps individuals understand what policies, standards and procedures are in place to maintain security. Individuals will need to appreciate:

• The threats faced by your business
• Their security responsibilities
• How to report security concerns

One of the times security education and training should be provided is during induction. Narratives provided at this point will help employees understand the security risks. The role of your leaders is to set an example and reinforce good practice. Bespoke education and training should be provided for job roles with specific security responsibilities such as:

• Security managers across business areas
• Security officers and guards
• Line managers
• IT professionals and developers

As your company grows to the extent that you can employ security experts, strong communication will be a key requirement to ensure that the Board continues to appreciate the wider implications of security and how it supports their overall organisational objectives.

Provide additional support to higher risk roles

Role-based security risk assessments help you to keep your security measures proportionate and effective. You have already assessed the risks to your business and critical assets. This should provide you with a foundation for assessing which roles have a higher risk exposure, and so require more comprehensive security training and support. For instance, you may ask staff to report any suspicious approaches, including offers of employment or contracting opportunities.

Staff access controls should also be role specific. For instance, those responsible for marketing may not need access to sensitive datasets or trade secrets.

Security incidents will happen, and you may be impacted even if you were not the direct target. The damage caused by a security breach can be reduced through a well-planned and executed response.

Incident management

A basic incident management plan should include:

• Contact details for anyone you would need to contact to help you identify an incident. These may include a web hosting provider, IT support services or insurance company.
• Clearly defined responsibilities and an escalation criteria and process for critical decisions. This should ideally include contact details and contingencies in case a key member of staff is unavailable.
• A coordination function to track and document findings and actions. Keeping a good record of the incident is useful both for post-incident reviews or where it is necessary to report the incident - e.g. to regulatory bodies or, in certain cases, to the Information Commissioner’s Office.
• Learning lessons from post-incident reviews and using them to update your response plan and wider practices. Particularly consider whether there was any information which would have significantly helped your response, but which was difficult or impossible to obtain.

We encourage all organisations to sign up to NCSC’s Early Warning service to receive incident notifications, network abuse events and vulnerability alerts.

Monitoring

Maintaining an understanding of your IT’s behaviour is central to your ability to spot anomalies, which may reveal security incidents. It is also worth monitoring user activity to identify any unauthorised or accidental misuse of systems or data by users. As elsewhere, understanding the risks you are most concerned about will enable you to focus your monitoring to collect information relevant to your needs.

The same is true of your staff. The change from a trustworthy employee into someone who feels disgruntled and motivated to damage the organisation can be triggered by a negative workplace experience. It may change an individual’s behaviours in terms of the information, systems and sites or assets they access and retrieve.

Collecting, aggregating and analysing behavioural data can help to identify and ideally address undesirable behaviours - it can therefore help to prevent as well as detect an increased insider risk. A supportive response can help to improve the employee’s relationship with the company, and thereby security. Any behavioural information should be selected and handled sensitively to respect privacy and the staff-company relationship.

Footnotes

¹Netherlands expel two Russians after uncovering 'espionage network' BBC News

²A Tesla Employee Thwarted an Alleged Ransomware Plot | WIRED

³Mysterious factory break-in raises suspicions about Chinese visit | China | The Guardian

⁴The Cyber Threat to UK Business, 2017-18

⁵https://www.thetimes.co.uk/article/chinas-future-aerospace-stole-trade-secrets-says-smiths-harlow-03pg2m90j

⁶https://www.ncsc.gov.uk/collection/ncsc-annual-review-2021/the-threat/solarwind

⁷https://www.justice.gov/opa/pr/jury-convicts-chinese-intelligence-officer-espionage-crimes-attempting-steal-trade-secrets

⁸Heading Off Track: The Impact of China’s Mercantilist Policies on Global High-Speed Rail Innovation | ITIF

⁹https://www.reuters.com/article/us-sinovel-wind-gro-usa-court-idUSKBN1FD2XL

¹⁰ https://www.reuters.com/article/usa-china-espionage-idINKBN1XW06J