UK launches cyber guidance package for tech startups

The NCSC and NPSA, alongside agencies from the Five Eyes alliance, have issued guidance for startups on how to secure themselves against common cyber threats and targeted industrial espionage

The UK has launched a shared security guidance package – dubbed Secure Innovation – to support emerging technology companies and startups when it comes to protecting themselves from cyber threats, including targeted intrusions from hostile nation states.

The campaign continues a joint initiative targeting the tech sector as a whole, which was set up by the National Cyber Security Centre (NCSC) and the National Protective Security Authority (NPSA) within MI5. It’s now also backed by the NCSC’s partner agencies from the informal Anglophone Five Eyes intelligence alliance, comprising Australia, Canada, New Zealand and the US, and has been regionalised for each participating country.

Secure Innovation is designed to support young, fast-growing tech companies and innovators in creating bespoke action plans that enable them to assess their projects’ security levels and identify cost-effective measures they can take to better protect their ideas, reputation and future viability. The NCSC said that over 500 organisations have already taken advantage of this.

“Sophisticated nation-state adversaries, like China, are working hard to steal the intellectual property held by some of our countries’ most innovative and exciting startups,” said MI5 director general Ken McCallum.

“The Five Eyes Secure Innovation advice we’re rolling out today forms part of our response,” he said. “By joining up with our allies and offering consistent advice, we are making it easier for companies working across the world to take steps to keep their ideas and products secure.”

Oz Alashe, CEO and founder of CybSafe, added: “While cyber security may not always seem a top priority for startups, it should be at the forefront of every founder’s mind ... SMEs [small and medium-sized enterprises] are highly vulnerable to cyber attacks, and are likely to fold if they become victims. Instead of viewing limited resources as a disadvantage, startups should see their size as an asset compared to larger, often slower moving competitors.

“Unlike enterprises that must invest heavily to improve security practices across diverse teams and regions, startups are agile and adaptable. This creates an opportunity to build a business with security embedded in its DNA, supported by a team that genuinely values a security-conscious culture. As cyber threats become increasingly sophisticated and frequent, fostering this mindset isn’t just a strategic advantage, but a necessity.”

Chinese threat

The guidance is pitched in particular at companies that may be the target of attempts by Chinese espionage agencies to steal their intellectual property (IP), and contains multiple cautionary tales of organisations that fell victim to state-backed industrial espionage.

Besides the importance of designating security leadership within the organisation and implementing basic technical measures, it goes into depth on the importance of securing supply chains and thoroughly vetting overseas partners, particularly those originating from China.

It cites the example of Smiths (Harlow) Ltd, a UK-based precision engineering company specialising in aviation components that got into trouble after a Chinese partner, Future Aerospace, reneged on an £8m investment deal, but only after taking advantage of clauses in the contract under which the victim handed over key technical data and trained the Chinese engineers. Its links to China subsequently cost Smiths work with multiple high-profile organisations, including Western militaries, and it fell into administration early in 2020.

In a similar vein, the package also includes guidance for investors in high-growth startups, urging them to consider security risks when conducting due diligence into potential investments.

For example, besides assessing a company’s own security culture and practice, investors should consider whether or not the company has other “high-risk” investors who might pose a risk, and whether the involvement of other investors might inhibit future fundraising rounds, or the sale of the company, over legal, ethical or compliance issues arising from foreign sanctions or export controls.
