In this briefing, we explain why security is important for tech startups. We outline the threats that all companies face and then the specific threats to innovative technology and research. 

Startups face a wide range of threats but in this brief we will highlight two broad areas: ransomware and targeted theft. 

The evolution of the ransomware ecosystem has meant that any organisation is now potentially a target for online criminality. It doesn’t matter what kind of organisation you are – if your data and systems are important for your work, then you are at risk from ransomware groups. 

This is a huge change from the days when criminals had to identify and steal assets that were of value to other people. By holding an organisation’s data and systems to ransom, criminals have found a way to make money out of virtually any organisation. Universities, public institutions, and health care providers are all examples of organisations that criminal groups now target that in the past would not have been at such risk. 

This is a broad threat facing companies and other organisations. However, if you are a startup working on innovative or emerging technologies, then you also face threats from actors that are specifically targeting these areas for theft. 

In an earlier briefing, we looked at the fundamental changes in the geopolitical environment that are driving this risk. 

It means that organisations such as startups, research institutions, universities, and specialist investors are now facing highly motivated threat actors. Some of these actors are state intelligence agencies or their proxies, and they have the resources, capabilities, and patience to be extremely dangerous. 

Crucially, these threats are not restricted to the cyber domain. It might be easiest to hack into your systems to steal intellectual property, but motivated actors will also engage in other forms of espionage, including physical intrusions and insider threats. 

There are other threat vectors to consider, for example around influence campaigns and online activism, but the two outlined above capture the broad range of threats facing startups. The key point to recognise is that any company is going to be at risk from online criminality, and startups working with innovative or emerging technologies should anticipate targeted threats related to their work.

The outline above is a very high level overview. There is a world of difference between understanding the broad threat landscape and developing an informed picture of the specific threat actors that are likely to be targeting your organisation. An intelligence-led approach to security involves developing a granular and timely understanding of those threat actors at the strategic, operational, and tactical levels. 

In the next briefing, we will explore how startups should think about security.