Cart

Managing espionage risk 

type
Article
author
By Andrew Hampton, Director-General of Security, New Zealand Security Intelligence Service
date
21 Mar 2024
read time
3 min to read
security cameras on grey wall

Economic espionage is not a subject we New Zealanders tend to talk a lot about but it’s an issue that should probably be discussed more in boardrooms around the country. 

As portrayed in spy novels, the world of espionage is a murky topic but it is one directors will need to learn to navigate if they are to better help their organisations manage risk. 

  Historically espionage was about targeting government networks and classified information but today information or individuals on the margins of government work could be targeted. This could include corporate New Zealand, academics, research institutions and others. 

In the context of increasing global inter-state competition, we are seeing a blurring of lines between the goals of certain nations and the private companies affiliated with them. Increasingly, this has seen the tools of the nation state being used in the business world to access information around sensitive technologies, supply chains, intellectual property and critical infrastructure.  

The methodologies for gaining access are broad: they range from cyber intrusion, the exploitation of trusted insiders, theft or technical surveillance of personal electronic devices, exploitation of supply chains, through to aggressive targeted investment.   

We have seen many examples of this activity on the global stage, and I can assure you that New Zealand is not immune. It certainly makes good business sense to prepare yourselves to operate in a less benign world. 

Considering security earlier 

Business can still be done safely in a world where geostrategic competition is more prominent.

Continue to seize the best opportunities, form new partnerships and produce the kind of innovation New Zealanders are famous for the world over. I just ask that you do so with your eyes wide open to the risks and know that there are mitigations that can be put in place that can protect your company and make you a harder target from those that may wish to cause you harm. 

The New Zealand Security Intelligence Service is mandated to provide best practice security advice for government agencies but the information we provide is equally applicable and available for the private sector to access.

I would encourage any enterprise to take a holistic approach to security. One that is built from the ground up and stretches across all aspects of an organisation, including supply chains.

Much of the protective security advice that the NZSIS and the Government Communications Security Bureau develop is in collaboration with our Five Eyes intelligence and security partners. This is just one of a whole list of benefits we derive from our membership in this long-standing partnership.  

Five Eyes security principles

I recently stood on stage with my Five Eyes colleagues in Palo Alto, California where we endorsed and launched five secure innovation principles.

Adopting these five principles is a valuable first step for any innovator looking to protect their hard work from those that wish to steal it.

The first principle is Know the threats – understand the potential vulnerabilities that might put your product or innovation at risk.

Second principle is Secure your business environment. This is about creating clear lines of ownership around the management of security risks in a business.

Third is Secure your products which is about building security into the front end of your products by design. This will help protect your intellectual property, make your products more marketable and ensure your products don’t become a supply chain vulnerability.

Securing your partnerships is about making sure the people you work with are who they say they are and can be trusted with your companies IP.

And finally Secure your growth. As you grow and expand, more security risks will emerge that you will need to manage such as on-boarding new people into positions of trust and managing risk around entering new markets.

Those are the Five Eyes secure innovation principles, which hopefully will help inform some of the questions you may want to ask at a governance level.

Security is a shared responsibility 

Together with our Five Eyes partners, we have identified the threat to innovators and competitive advantage in our respective countries through acts of economic espionage.   

As part of a joint response, we have drawn upon a broad base of collective knowledge, classified intelligence and experience to develop frameworks and principles that can help organisations manage risk.  

The NZSIS is committed and geared towards detecting foreign interference and espionage activities and providing advice to New Zealanders and New Zealand organisations about how to be harder targets for such activity.   

Key to managing these threats is intelligence and security agencies, such as my own, working with the private sector and academia. The idea is that security doesn’t stifle business innovation, but enables it.   

An important role we can play is by raising awareness and sharing best practice advice on how to mitigate threats and manage risks. 

A key role for the private sector is develop and embed a robust security culture. A good starting point is that anyone working with sensitive information needs to be security aware. 

The nature of the threats New Zealand faces is increasingly sophisticated. That means an equally sophisticated response is required from all of us. Business as usual security measures, while good, will probably not be enough in the current environment. 

 

Directors, boards and senior leaders may find the following resources, produced by the NZSIS, useful:

NZSIS Security Threat Assessment 2023

Due diligence guidance

Related content