Starting and growing a new business can be both exciting and stressful in equal measure. There is a lot to consider. For any business to grow, it must establish a brand, develop a team and secure investment, all of which introduce increasing complexities into a young company. Creating a robust set of HR or security policies and thinking about intellectual property protection often come much later in a start-up's journey. They can seem less relevant and, therefore, lower priority than developing the new products or services that bring revenue to the business. Escaping this layer of "bureaucracy" is what attracts many people to work for a start-up in the first place.
However, if a start-up fails to get its security culture and policies right from the beginning, it can threaten the company's future growth or even its existence. On the other hand, security by design protects the business, its brand, assets, and any valuable intellectual property that it holds from unrecoverable losses. The National Cyber Security Centre (NCSC) recently published guidance for companies that highlights this.
But how can a new business with limited capital and resources develop the right security framework necessary to protect itself in a complex and rapidly changing security environment? It may seem daunting, but if a start-up follows a few fundamental and relatively simple principles and uses evidence-based tools to support the process, it can properly protect its business and its assets from day one.
The importance of intellectual property protection for start-ups
Early-stage companies are particularly vulnerable to a variety of security risks. Intellectual Property (IP) theft is one such risk, and it is often overlooked. For a start-up, the loss of IP to a more mature or fast-acting competitor can be fatal to the company's future. Large, established businesses may have the capital and technical resource to fight lengthy legal battles over stolen IP.
Real-world examples of intellectual property theft
In 2011, inventor James Dyson revealed that his business had spent nearly £2 million on legal fees alone while pursuing stolen IP, relating to 20 designs and patents globally, several of them in China. For a company of the scale of Dyson, this was manageable.
In early 2021, hackers sought to extort Apple for $50 million, having stolen product designs from one of Apple's key suppliers. Design details for the new MacBook had been published online, with the threat of publishing other blueprints if the ransom was not paid. As well as highlighting the vulnerabilities associated with supply chains, this case clearly illustrates the stark differences in the vulnerabilities of start-ups and major tech companies. Such an attack would have been fatal for an early-stage business.
In 2011, Scottish energy technology firm Pelamis had a break-in at its offices, where laptops holding sensitive IP data were stolen. Sometime later, a product with striking similarities to Pelamis' was brought to market at a much lower price point in China. The impact on the business was catastrophic; Pelamis went into administration in 2014. When a company's IP is central to its success it must be protected.
Thinking beyond intellectual property theft
Intellectual property protection is just one aspect of security that is critical to a young company’s future. The impact of any security incident on a small business can be devastating, resulting in reputational damage and considerable financial costs.
A security breach, be that through a cyber-attack, physical break-in or the act of a malicious insider, can cause significant reputational damage to any company. Customers and partner companies will not look favourably on businesses that have been exposed as vulnerable to attack, particularly if their data is involved. The retention of talent within the company becomes harder if staff do not feel that they, and their interests, are properly protected.
The financial losses associated with a security incident, such as a data breach, can be hugely damaging. Under UK law (DPA 2018), a maximum fine of £17.5 million or 4% of annual global turnover (whichever is greater) is possible for infringements of GDPR. Any reputational damage you incur as a result of an incident will have a significant impact on both existing and future sales. The downtime for a company as it seeks to recover from such an incident is also hugely damaging for productivity; its resources will become focused on recovery rather than developing and growing the business. There will be less money to spend on research and development, design, production, marketing and sales, distribution, customer service, and recruitment.
According to the US National Cyber Security Alliance, 60% of businesses close within six months of a cyber-attack.
When a company understands the potential impact of these threats early on, it can begin to mitigate them. The first step to achieving intellectual property protection and wider security is to recognise that threats exist and to understand your potential exposure to them. It is then up to you how you mitigate those threats, if at all. Attackers look for easy targets with readily exploitable vulnerabilities. Many new companies have less developed security controls and processes, making them attractive targets. A start-up can make its business a less attractive target for most attackers by putting proper preventative measures in place and having a robust incident response plan to support the business should the worst happen.
The solution: security by design
At Blacksmiths, we understand the challenge facing start-ups; it's a journey we have been going through ourselves over the past five years. We realise the need to protect your critical assets while making an investment in security that is proportionate to your company's scale. Early-stage companies often don’t have access to the same levels of funding or skilled resources as major corporates do to achieve mission-critical security.
That's why we have developed a security model that is intrinsically linked to a young company's development at all points in its growth journey. We have worked successfully with numerous start-up companies using this approach.
The Blacksmiths security model
STAGE 1: We assess your company's security maturity, highlighting your vulnerabilities and illustrating what threats and threat actors pose a credible risk. We present you with an understanding of your current exposure and the recommendations and implementation guidance necessary to fix immediate vulnerabilities.
STAGE 2: We provide detailed recommendations enabling you to achieve target levels of maturity at specified stages of your company's growth, from Series A funding to an End Goal stage. Our recommendations come with a thorough implementation plan, giving you insight into exactly what you need to do and, more importantly, how to do it.
STAGE 3: We mentor your team through this complex journey to achieve a robust security framework that will allow you to focus on what matters to you: your business. The framework will both protect your business and reassure investors that you understand security and that you will protect their investment.