With increasing risks from state-sponsored actors, Five Eyes has released a joint security advice document for tech startups. Five Eyes is an intelligence alliance between Australia, Canada, New Zealand, the United Kingdom, and the United States.
The full document can be found on the NPSA website but these are the key points that tech startups need to know in order to keep their data and valuable assets protected.
Know Your Enemy
As a booming tech sector, the UK can be a key target for malicious actors with varying motivations.
Targeting tech startups and their intellectual property, these state actors can range from the theft of technology, competitors looking for a commercial advantage, or criminals looking to profit from companies with weak security.
In December 2020 in the Netherlands, alleged Russian intelligence officers were kicked out of the country, for their involvement in attempted espionage into the Dutch high-tech sector.
Undercover operatives had reportedly built up a network of individuals with experience in science and technology that had both civilian and military applications.
Dutch Interior Minister Karin Ollongren said the newly uncovered spy network had "likely caused damage to the organisations where the sources are or were active and thus possibly also to the Dutch economy and national security".
Key Methods to Guard Against—How Organised Hacking Groups May Attempt to Steal Your Intellectual Property
The Five Eyes guidance lists the main ways that a state-backed or hostile actor could try to get hold of your valuable assets and data.
-
The possibility of an insider attack is often overlooked, however, while your team may be your most valuable asset, they can also be targeted by malicious actors who can compromise your business.
-
A weakness in cyber security presents a clear back door into your network and valuable intellectual property. Hackers will seek to exploit any vulnerability they can find and steps should be taken to rigorously test all systems. This could include penetration testing where vulnerabilities can be highlighted by specialist “ethical hackers”.
-
Lack of physical security can also lead to valuable assets being stolen—this could be anything from a secure room, guard rail, locks on doors or security personnel themselves. When upgrading your cybersecurity it is important to also address any issues with physical security as this will often be the weakness that hackers target.
-
Assets can be particularly at risk when travelling overseas as state-sponsored actors can operate more easily outside of the UK. When not protected by UK laws and enforcement agencies your company may be at greater risk and adequate research into the new business environment should always be undertaken.
-
There is also a significant but less obvious risk of undue influence from investment, which can be used to gain access and change the direction of your business. You should always thoroughly research any partner you intend to do business with. Make sure you know where the funding is coming from in terms of investments and capital ventures.
-
There can be a further risk with international expansion as your business is exposed to the jurisdiction risk from local laws and business practices. It is always advisable to ensure you understand the risks when entering into a new market and if unsure seek expert advice.
Key Steps to Secure Your Environment
There are a number of key things to consider when creating a cybersecurity framework for your business. This extends to how you create a security policy your team will follow.
Let’s take the NPSA guidance, one by one.
Identify security leadership
-
Appoint a senior leader with the autonomy to ensure cyber security is factored into your business decisions. One of their first tasks should be to initiate conversations about security and move towards developing a positive security culture.
There are a number of valuable assets that are critical to the success of any business. Some of these will be tangible assets that are physical objects you can see, such as buildings, equipment, and manufactured goods. Intangible assets are those that are non-physical, such as ideas, software, brands, expertise, relationships, and even organisational know-how derived from experience.
Whilst none of these are solid objects you can physically get hold of, they could be a huge advantage to rivals if the details of any of these fall into the wrong hands.
Take extra precautions
Once the most valuable assets have been recognised and prioritised in terms of their risks and value to the business, you’ll need to build security measures to protect critical assets from being stolen or compromised by malicious actors.
Placing barriers around critical assets will reduce the risk of this data being compromised.
This could be a physical barrier such as an access control room or a virtual barrier such as a firewall.
Make sure to set user access privileges so that only certain employees can access data while being trusted to use it securely.
Implementing measures to detect any unauthorised activities such as intrusion detection systems and live infrastructure monitoring can also help with the early identification of any unusual access to an asset, helping to avoid or mitigate the risk of a security incident.
You should also make regular backups of any critical data and keep these physically separate from the main system, allowing your business to function in the event of physical damage, theft, or ransomware attacks.
Using multi-factor authentication (MFA) is also recommended by the Five Eyes guidance, along with keeping devices and software up to date and ensuring the firmware is patched regularly.
Businesses can protect their assets further with vulnerability management software which will automatically detect any out-of-date software or applications that may cause a risk to the business. From here, they can either take steps to rectify this through the system itself or advise the user on the appropriate action to take.
The Five Eyes document also recommends enabling tools to track, lock or wipe lost or stolen mobile devices, as employees are more likely to have tablets or phones stolen when they are away from the office.
These devices may provide an unauthorised user with easy access to the network and valuable assets an employee might ordinarily use.
Prepare for incidents such as data breaches
The secure innovation document from Five Eyes explains how tech startups should protect their business from potential data breaches, in particular via an incident management plan.
This would include contact details for any incidents, such as the web hosting provider, cyber security team or insurance company.
In your incident management plan, you should define responsibilities and escalation criteria, along with a process that should be followed for critical decisions.
Your plan should also include a section for the tracking and documentation of any findings or reported incidents.
This is useful for preventing future attacks while allowing your team to better understand how hackers gained access to your business.
Accurate logs of any data breach or malicious activity is also key when it comes to reporting the incident to regulatory bodies and auditors.
Secure Your Tech Business Today
At Lyon Tech, we provide a range of services for tech startups looking to develop the most robust defence possible for their business assets.
This includes
-
IT governance, which helps tech startups develop a corporate cybersecurity policy that sets out the framework for how the business operates.
-
Automated intrusion detection systems, which flag any unauthorised access, with reports sent directly to security engineers who can respond immediately to both contain the threat and investigate the incident. From here, engineers can provide recommendations on how to prevent a similar incident from occurring in the future.
-
Secure encrypted data transfer and storage, which ensures vital business assets are always protected.
-
Cloud environment technology with advanced security measures, capable of preventing attacks from even the most sophisticated state-sponsored hacking groups.
-
24/7 cyber security support and rapid response teams, able to react swiftly to data breaches or any unauthorised access.
Contact Lyon Tech
Looking to create the most robust defence possible for your tech startup?
All of our cyber security solutions are part of a fully modular and bespoke package that can be scaled up or down as the business needs change.
To find out which technology and services would most benefit your business, get in touch with our team today.
