British businesses are at risk of having their innovation stolen. This warning was recently issued by MI5 to entrepreneurs and investors, many of whom would not consider themselves to be targets for espionage. Whereas the security services have historically focused on protecting state secrets, the warning was directed at the thousands of UK companies working at the cutting edge of technology in fields such as AI, life sciences and quantum computing. Those companies - often start-ups or university spin-outs - may not have previously prioritised security. But threat actors are increasingly seeking to gain access to the technology they have developed through attack vectors ranging from posing as recruiters on professional networking platforms (reportedly some 20,000 instances this year) to using obfuscated investment and imaginary companies.
Faced with this increasing threat, the government introduced the National Security and Investment Act, allowing it to scrutinise and intervene in certain acquisitions in 17 sensitive areas of the economy. The UK's National Protective Security Authority (part of MI5) and National Cyber Security Centre have also since launched a joint campaign, with guidance both for innovative companies and their early-stage investors to help them to protect their competitive advantage and investments.
The importance of securing against the potential for insiders, such as employees, to use their authorised access to or understanding of an organisation to cause harm cannot be overstated. It is notable that many of the case studies in the joint guidance relate to the insider threat.
One example features a Tesla employee whom criminals attempted to bribe to facilitate a cyberattack by introducing malware into its computer network. In another, an employee of a US semiconductor company was recruited to steal secrets such as source code, causing the loss of $1 billion in shareholder equity and some 700 jobs. Apparently, the employee's lawyer said his client's actions stemmed from “frustration” about a failed marriage, which had been strained by his trips abroad for work, followed by a demotion to the customer service department, resulting in the employee feeling undervalued.
It is, however, not just about covert theft. Technology transfers are also an issue. Other case studies therefore focus on the risk of collaborations, for example, citing a UK precision engineering company that had agreed to share sensitive information with, and provide training to, an investor. The investor subsequently reneged on the deal, having compromised the UK company's competitive advantage and intellectual property, and left it facing administration. As the Chairman reportedly put it: “They’ve taken what they wanted and now they’ve got it, they didn’t need the shell.”
Whether threat actors try to access your assets through insiders, cyber or investment, the guidance contains practical advice with cost-effective measures that companies of all sizes should consider implementing to bolster their protections against the threats from nation states, criminals and competitors.
To help bring the risk from insiders to life, and to test your response, ask your usual contact at Lewis Silkin about our Protecting Your Business training.
“The UK has one of the best environments for start-ups working in the field of emerging technology, but we know this can make companies a target for malicious actors. It is vital organisations take state and criminal threats seriously and ensure they are effectively managing the risks, including those emanating from cyberspace. That’s why, working jointly with the NPSA, we have strengthened our Secure Innovation guidance which will help organisations implement cost-effective measures to stay resilient online.”