The Five Eyes Intelligence Alliance has published security guidance for tech startups to protect themselves from various cyber threats, especially nation-state actors.
The United States, the United Kingdom, Canada, Australia, and New Zealand form the Five Eyes Intelligence Alliance (FVEY) which collects and shares information on various cyber threats impacting member countries.
In October 2023, the FVEY members met and discussed the Chinese IP theft cyber threat and what innovators “can do about it.”
They outlined various measures that tech startups should take to protect their innovation, reputation, and growth against cyber-related threats.
Five Eyes’ security guidance for tech startups
The Five Eyes’ security guidance contains a list of cost-effective measures that tech startups could easily implement to secure their innovations from the prying eyes of nation-state threat actors.
“The Five Eyes partners face unprecedented threats to our emerging tech ecosystems. So, today we’re arming tech firms across our nations with guidance on how to secure the innovation so critical to our future,” said Mike Casey, director of the National Counterintelligence and Security Center within the Office of the Director of National Intelligence. “Good security practices can protect your competitive advantage, making your company more attractive to investors and customers.”
The security guidance noted that tech startups with weak cybersecurity practices were attractive targets for nation-state hackers looking to steal technology for financial reasons or to give their home countries a competitive advantage in business and defense.
In 2020, Smiths (Harlow) Ltd, an Essex, UK-based precision manufacturing firm collapsed after its Chinese partner pulled out after gaining access to technical data, costing the company lucrative government contracts.
Tech startups are also perfect candidates for supply chain attacks. In August 2024, Lumen’s Black Lotus Labs discovered that Chinese state-linked threat actor Volt Typhoon breached four internet service companies via California-based startup Versa Networks.
“While cybersecurity may not always seem a top priority for startups, it should be at the forefront of every founder’s mind,” said Oz Alashe MBE, CEO and Founder of CybSafe. “The statistics are clear. SMEs are highly vulnerable to cyberattacks and are likely to fold if they become victims.”
The Five Eye Alliance advised tech startups to take the following steps to protect themselves from malicious actors:
Know your threats: The Five Eyes’ security guidance advised tech startups to assess the nature of the cyber threats they face by determining ways malicious actors could gain access to confidential information.
These include insider threats, cyber intrusion through insecure IT, physical access, international travel, investment to gain access to confidential information, foreign laws that demand access to companies’ assets, and supply chain attacks.
Secure your environment: The Five Eyes alliance advised tech startups to determine the most critical assets, conduct a risk assessment to identify vulnerabilities, and establish a process to monitor counterintelligence and other security threats and implement mitigations.
Understanding their market and applicable laws
Other recommendations include securing their products by building security from the start and securing their partnerships by understanding who they work with and the nature of the information shared.
Similarly, tech startups should secure their growth by safely expanding into new markets only after understanding how U.S. and local laws could affect their businesses.
According to the security guidance, some U.S. export laws restrict the sale of certain technology or knowledge transfer and may require an export license, which could be difficult to obtain.
The security guidance also warned of conflicting intellectual property laws and foreign national security laws that allow governments to access data and information that could contain trade secrets.
“Understand the local laws in the countries where you plan to operate. Different countries have different export control laws, as well as laws regarding the handling and storage of IP and data,” the Five Eyes’ security guidance stated. “National security laws in foreign countries may allow that country’s government to access data or information stored in, or transmitted via, that country.”