Published on the 31/10/2024 | Written by Heather Wright
For tech startups…
Local intelligence agencies have issued new security guidance urging Australian and New Zealand tech startups to prioritise security in the face of increasing espionage.
Agencies in each of the Five Eyes nations – Australia, New Zealand, Canada, the UK and the US – have released their own guidance, which comes a year after the intelligence alliance issued five basic ‘principles’ following a summit in the United States on emerging threats, innovation and security.
That summit pushed the global threat of state actors looking to steal ideas and intellectual property, with agencies in New Zealand and Australia warning that foreign interference and espionage are a ‘significant’ threat in both countries.
One year on, the five have backed up the early ‘principles’ – know the threats, secure your business environment, your products, your partnerships and your growth – with more detailed guidance.
In New Zealand, the Security Intelligence Service and the Government Communications Security Bureau’s National Cyber Security Centre have released the 33-page Secure Innovation Security Advice for Emerging Technology Companies while the Australian Security Intelligence Organisation offered up a two-page Secure Innovation ‘placemat’.
The release comes as Canada’s signals intelligence agency warns again about the threat from China and Russia. This week it said an aggressive Chinese hacking campaign was the most active state cyber threat to the country.
Andrew Hampton, NZSIS director-general of security, says a ‘small number’ of foreign states are conducting espionage against New Zealand and New Zealanders, actively looking to gain advantage by stealing emerging technology or intellectual property that would advance their own industries or national capabilities, including technologies that have dual-use military applications.
GCSB director-general Andrew Clark says New Zealand startups can be an attractive target for espionage and malicious cyber activity from state actors, but also competitors seeking commercial advantage and criminal gangs looking to profit from weak security in order to exploit data relating to assets, customers and people.
It’s a similar story in Australia, where director-general of security Mike Burgess says businesses must understand the threats so they can improve and strengthen their collective defences.
“Simple steps can make a difference. We cannot think we are defenceless or that resistance is futile.”
The Kiwi offering sets out what the GCSB calls ‘consistent and consolidated advice reflecting the global nature of the security threats startups face’, and provides ‘straightforward advice’ and a set of ‘cost effective’ measures across the five ‘principles’ announced last year.
“The idea is that security becomes built into everyday business practices right from the start in a way that doesn’t inhibit innovation, but rather supports a startup to be more robust, resilient and ultimately more attractive to investors and customers,” Hampton says.
Australia’s offering also pushes the simplicity of the advice, saying the ‘simple protective security advice’ can be implemented quickly to make meaningful improvements to security.
“Laying strong foundations now will help your security to be more effective and less costly as your business grows in the future,” the Kiwi guide says. “Following the five secure innovation principles set out in this guide is a great first step for any innovator looking to protect their hard work from those who wish to steal it.”
The five key security principles are:
– Know the threats – Understand potential threats to your business and innovation including from state actors, competitors and criminals.
– Secure your business environment – Clearly identify a security lead at a senior level and identify critical assets that need protecting. Assess security risks, including insider risks and IP loss from partnerships and theft or unauthorised access remotely or during travel, alongside other risks to your business, and put mitigations in place to reduce risks to acceptable levels, with regular reviews of risks. Build security into your environment with physical or virtual barriers around critical assets and implement good IT security, including firewalls and antivirus, strong passwords and multifactor authentication, and patching of devices and software.
– Secure your products – Build security into your products from the beginning using Secure by Design and Secure by Default principles to ensure security problems are addressed at their root cause. Manage your supply chain and protect information through understanding third-party vendor and supplier security.
– Secure your partnerships – Manage the risks collaboration can bring with due diligence on potential investors, suppliers and collaborators, be strategic about what you share and when you share, and include protections for your assets and data within contracts.
– Secure your growth – Ensure security measures evolve as your company evolves, being aware the risks you face may change as you enter new markets, seek more investment, employ more staff or move into bigger premises. Manage device security and personnel security when staff travel, understand how local laws could increase the threat to your business overseas, provide regular security training for staff and implement pre-employment screening, particularly for staff in higher risk roles.