Te Pā Whakamarumaru New Zealand Security Intelligence Service (NZSIS) has recently unveiled its "Security Advice for Emerging Technology Companies", a set of guidelines designed to enhance security education and awareness for technology start-ups about industry-specific threats.
The guidance builds on last year's recommendations from the NZSIS about the "Five Principles of Secure Innovation". This ongoing “Secure Innovation” campaign is a collaborative effort by the Five Eyes intelligence alliance, which includes agencies from New Zealand, Australia, Canada, the United Kingdom, and the United States. You can read more about this in our previous article here.
This new report expands on the five innovation principles already published by the Five Eyes with a focus on tech start-ups. The intent, as described by Andrew Hampton, NZSIS Director-General of Security, is that:
“security becomes built into everyday business practices right from the start in a way that doesn't inhibit innovation, but rather supports a start-up to be more robust, resilient, and ultimately more attractive to investors and customers.”
So, what are the key security intelligence considerations for tech start-ups?
Know the threats
Malicious actors can gain unauthorised access to your business using a variety of methods. The key vulnerabilities highlighted by the NZSIS include (but are not limited to):
• insider access, for instance, employees clicking on phishing emails;
• cyber access through insecure or outdated IT systems;
• investment, which a bad actor can use as a tool to gain access to information within your business and to gain influence or control; and
• overseas expansion, if your business is not aware of local law requirements or foreign business practices.
The NZSIS emphasises that it is important to continuously assess and monitor all areas of risk within your business. This includes regularly educating employees (both new and existing) about cyber threats, ensuring that laptops and IT systems are frequently updated, and that your business relationships with suppliers and investors are tested and trusted.
We unpack some of these recommendations in further detail below.
Secure your business environment
It’s recommended that security risk management policies relevant to your business are implemented right from the start-up phase, so that employees understand the expectations around security. A security leader should also be appointed at board or senior level to ensure that security policy and governance are monitored continuously.
Also ensure that the aspects of your business that are most critical to success are prioritised at the top of any security policy. This will likely include the specific IP or innovation that is key to your business’s value, but it can also include other aspects that support this innovation (equipment, key people, software, relationships or other know-how). Your critical assets can be protected by restricting access to trusted people on a ‘need to use’ basis, regularly backing up your data, and (if possible) keeping innovation-critical data separate from your main system, so that your business can continue operating in the event of a security breach. General security protections such as strong firewalls, multi-factor authentication, consistent software updates and back-ups, and remote-access VPNs (if required) will help protect your most important assets.
Secure your products
While this can relate to the protection of products and assets already developed by a business (such as software, trade marks, patents, trade secrets and confidential information), the NZSIS reiterates that it is important to also consider and understand the security of third-party suppliers.
Purchasing digital products or services is inevitable for technology start-ups. To protect your assets, make sure that anything introduced into your systems is verifiable, trustworthy and secure.
The NZSIS recommends that technology businesses create a Software Bill of Materials (SBOM) to keep a formal record of the details and supply chain relationships of the various components used in building their software. An SBOM can support your business when buying software (including for pre-purchase certainty and negotiations), using software (for vulnerability monitoring and management), and developing software (an SBOM is required for some government procurement and helps support customers).
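To make the SBOM recommendation concrete, here is an added example (not code from the NZSIS guidance or from this article) that records a constructed component inventory as a minimal CycloneDX JSON SBOM and then checks it against a constructed advisory feed, which is the "vulnerability monitoring" use the report describes. The component list, supplier names and advisory identifiers are all invented sample data.

```python
import json

# Constructed inventory of the components a hypothetical product is built from.
COMPONENTS = [
    {"name": "requests", "version": "2.25.1", "purl": "pkg:pypi/requests@2.25.1", "supplier": "PyPI"},
    {"name": "openssl", "version": "3.0.7", "purl": "pkg:generic/openssl@3.0.7", "supplier": "vendor-x"},
    {"name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0", "supplier": "npm"},
]

# Constructed advisory feed keyed by version-less purl: sample data, not real advisories.
ADVISORIES = {
    "pkg:pypi/requests": {"id": "ADV-EXAMPLE-0001", "fixed_in": (2, 31, 0)},
    "pkg:generic/openssl": {"id": "ADV-EXAMPLE-0002", "fixed_in": (3, 0, 7)},
}

def parse_version(v):
    """Turn a dotted version string into a tuple so versions compare numerically."""
    return tuple(int(x) for x in v.split("."))

def build_sbom(components, product_name="example-app", product_version="0.1.0"):
    """Emit a minimal CycloneDX 1.5 JSON SBOM: each component, its version, purl and supplier."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": product_name, "version": product_version}},
        "components": [
            {"type": "library", "name": c["name"], "version": c["version"], "purl": c["purl"],
             "supplier": {"name": c["supplier"]}}
            for c in components
        ],
    }

def affected_components(sbom, advisories):
    """Return (purl, advisory id) for every component whose version is below an advisory's fix."""
    hits = []
    for comp in sbom["components"]:
        base, _, version = comp["purl"].rpartition("@")
        adv = advisories.get(base)
        if adv and parse_version(version) < adv["fixed_in"]:
            hits.append((comp["purl"], adv["id"]))
    return hits

if __name__ == "__main__":
    sbom = build_sbom(COMPONENTS)
    print(json.dumps(sbom, indent=2))
    for purl, adv_id in affected_components(sbom, ADVISORIES):
        print(f"UPDATE NEEDED: {purl} is affected by {adv_id}")
```

Re-running the check whenever the advisory feed changes is what turns a one-off inventory into ongoing vulnerability monitoring.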
Secure your partnerships
With New Zealand being an open economy, building partnerships and new opportunities is essential when doing business. While New Zealand start-ups often rely on openness for investment, there are risks associated with this if caution is not taken from the outset.
When entering new partnerships, first ensure that:
• parameters are established, including outlining clear purposes and outcomes for the relationship;
• proper due diligence is conducted on the background of suppliers / investors and their motivations;
• sensitive information is contained, and only necessary information is shared / accessed; and
• contracts (including supplier agreements and NDAs) with provisions to protect your IP and other assets are in place before any information or access is given to external parties.
This way, you can be confident that you have trust in suppliers and investors, and that you have the appropriate protections in place should anything go wrong.
This can require a mindset shift for start-ups, who are used to viewing due diligence as something done on them by investors (not the other way around). Good legal advice is critical in these situations to ensure a balanced approach is taken and risk is managed appropriately.
Secure your growth
Security should be an evolving consideration that aligns with the growth of your business. In our previous Insight, we discussed how this involves being aware of local and international laws, travel security risks, and pre-employment checks for new hires. In its latest report, the NZSIS specifically cautions businesses to be aware of national security laws in foreign countries, which are constantly evolving and in some instances allow a government to lawfully access data kept offshore by businesses.
While in many countries this access is granted only in strict circumstances under law enforcement, state surveillance and national security legislation, in other jurisdictions lawful access may be more broadly justified by reference to “national security” or “national interests”, and the threshold to meet this can be low. In most cases, a government is under no obligation to give prior notice to the data owner (and the legislation may prohibit a service provider from giving notice either), so your organisation may not even be aware of such access.
If your business is storing data overseas, before committing to a cloud service provider be sure that you know the exact primary and backup geolocation of where your data is stored. Once that is confirmed, you can assess the legal risks of government data access associated with those jurisdictions to remain compliant with local and international privacy obligations.
Summary
In publishing ongoing guidance, the NZSIS hopes that businesses operating within the Five Eyes jurisdictions will benefit from a joined-up approach to security in the technology sector. The repeated message is that businesses need to consider security from every aspect of their technology and business operations – both through internal and external factors.
If your business is not sure where to start, or you need assistance from an IP protection, data privacy or regulatory perspective, feel free to reach out to our team of experts.