Craig McCulloch, Deputy Political Editor
The Five Eyes intelligence alliance has issued new security guidance for tech start-ups - including those in New Zealand - to help protect them from economic espionage.
The advice comes a year after the heads of the spy agencies - from NZ, Australia, Canada, the UK and the US - held an unprecedented summit with the tech industry in Silicon Valley.
The 'Secure Innovation' report sets out "consistent and consolidated advice" on security threats and outlines "cost-effective measures" businesses can take to protect their ideas and reputation.
SIS Director-General Andrew Hampton said "a small number of foreign states" were actively trying to steal emerging technologies, including those with military uses, by spying both in person or remotely.
"The idea is that security becomes built into everyday business practices right from the start in a way that doesn't inhibit innovation, but rather supports a start-up to be more robust, resilient, and ultimately more attractive to investors and customers."
GCSB Director-General Andrew Clark said New Zealand start-ups also faced the threat of rogue competitors or criminal gangs "looking to profit from weak security".
The report begins with a foreword from the minister responsible for the spy agencies Judith Collins: "We are no longer operating in a benign environment. Your innovative breakthroughs can make you a target."
"A range of state and criminal actors are likely seeking to gain commercial, technological, or military advantage off the back of your hard work," Collins said.
Collins said security need not be seen as a constraint on tech innovation: "If you are operating in a secure way, you may be more attractive to investors, leading to greater potential for growth."
The report's five key security principles:
- Know the threats - understand the potential vulnerabilities that might put your product or innovation at risk.
- Secure your business environment - create clear lines of ownership around the management of security risks in a business. Appoint a security lead at board level who factors in security considerations into decisions and initiatives.
- Secure your products - build security into the front end of your products by design. This will help protect your IP, make your products more marketable and ensure your products don't become a supply chain vulnerability.
- Secure your partnerships - make sure the people you collaborate with are who they say they are and can be trusted with your company's IP.
- Secure your growth - be aware of security risks as you expand, such as hiring new people into positions of trust and managing risk around entering new markets.