Kiwi tech startups urged to get serious about cyber threats
The New Zealand government has released a comprehensive guide urging technology startups and emerging companies to prioritize security measures amid a growing wave of espionage-related hacking attacks globally.
The new report Secure Innovation: Security Advice for Emerging Technology Companies was created by the New Zealand Security Intelligence Service (NZSIS) and the Government Communications Security Bureau’s (GCSB) National Cyber Security Centre (NCSC).
It outlines critical steps businesses should take to protect their intellectual property, data, and competitive advantage in an increasingly hostile cyber environment. As New Zealand's technology sector has grown to become the country's third-largest exporter, contributing $10.7 billion in exports and $23 billion to the GDP in 2023, the government is increasingly concerned about hacking attacks designed to steal sensitive company data and industrial secrets.
The report follows claims from Five Eyes nations that cyber-attacks linked to Chinese intelligence agencies are increasing in capability and frequency. Canada’s spy agency this week revealed that threat actors sponsored by China had Canadian government networks over the past five years and collected valuable information.
The US National Counterintelligence and Security Center has warned technology start-ups that foreign adversaries, including China, are using investments to acquire sensitive data and threaten national security,” according to the FT.
“The warning comes as Silicon Valley companies have stepped up their screening of staff and potential recruits in recent months due to the threat of Chinese espionage, and in some cases have been ordered by their American investors to turn away capital linked to China,” the FT reported in July.
The US Government has also detailed how it uncovered that China-linked hacking group Volt Typhoon had installed malware allowing backdoors in the networks of critical infrastructure providers.
A shadowy cyber war is also underway aimed at stealing intellectual property that could give countries an edge in emerging technologies.
“Our innovative breakthroughs can make us a target, and increasingly we are seeing a range of state and criminal actors seeking to gain commercial, technological, or dual-use military advantage off the back of our hard work,” said Judith Collins, the minister responsible not only for our intelligence and security agencies, but for the technology, science and innovation portfolio too.
The guide introduces five key "secure innovation principles" that form the foundation of a robust security strategy:
Know the threats: Companies are advised to understand potential vulnerabilities that could put their products or innovations at risk. This includes threats from state actors, competitors, and criminals.
Secure the business environment: Businesses should implement comprehensive risk management measures to protect their people, information, and assets.
Secure products: The report stresses the importance of building security into products from the beginning, using "Secure by Design" and "Secure by Default" principles.
Secure partnerships: As collaboration often introduces new risks, companies are urged to carefully manage relationships with investors, suppliers, and other partners.
Secure growth: As businesses expand, they need to account for additional security risks, including those associated with entering new markets and growing their teams.
The guide emphasises the importance of identifying critical assets, assessing security risks, and implementing appropriate mitigations. It recommends establishing a security lead at the leadership level and fostering a positive security culture within the organisation.
In terms of IT security, the report advises businesses to implement basic measures such as using firewalls and antivirus software, protecting devices with strong passwords and multi-factor authentication, keeping software up-to-date, and enabling tools to track or wipe lost devices.
The guide also highlights the need for careful management of intellectual property, suggesting that businesses develop strategies integrated with their overall business plans. It recommends creating a Software Bill of Materials (SBOM) to keep track of third-party code and open-source software used in products.
As companies grow and expand internationally, the report stresses the importance of understanding export control regulations and local laws in new markets. It warns that some countries, such as China, have strict national security laws that could compel companies to cooperate with government directives.
New Zealand’s security agencies have published this guidance as part of a joint effort with Five Eyes partners to protect their respective technology sectors from current and emerging threats.