Secure Innovation

Security from the start

The following guidance is largely designed for investors of small-to-medium-sized companies in the emerging technology sector, but is relevant to researchers across Canada’s research ecosystem and to decision makers at Canadian universities, in addition to public and private research organizations.

Implementing security measures will lay a strong foundation for future success. Security measures should be based on a thorough understanding of assets that are deemed to be most critical to the success of your investment and the company. Assets can include the people, premises, products, services, information, IP, and knowledge necessary for the ultimate success of the company.

Know the threats

Canada is a global research leader due to our world-class universities, public and private research organizations, and human talent. This innovative reputation, however, attracts threat actors including:

Hostile state actors (HSAs)

HSAs seek to steal your technology to:

• Fast-track their technological capability, thereby undermining your competitive edge.
• Target, harm and repress individuals to prevent dissent or political opposition, ultimately damaging your reputation.
• Increase their military advantage over other countries, to the detriment of our national security.

Competitors

Competitors want to obtain commercial advantage.

Criminals

Criminals look to profit, at the expense of others.

Preinvestment

It is imperative to understand whether the company has any overseas investors associated with a country that may be perceived as hostile to Canada. The involvement of other investors could inhibit future fundraising or sale of the company because of legal, ethical or compliance issues.

Protecting the company’s competitive advantage

Your assets include people, premises, products and services, as well as your information, IP

and knowledge. Identifying the value of each of these assets—and any necessary security measures—is an ideal starting point, since protection of these assets will determine the ultimate success of your company.

Understanding the following will help you to determine which risks to prioritize:

• Your company’s goals and priorities.
• Your most critical assets.
• The threats to those critical assets.
• The likelihood and consequence of a threat affecting you.

Although small companies with limited resources may not be able to protect against every threat, security decisions should be prioritized, proportionate to the threat and based on a thorough understanding of those assets that are deemed to be most critical to the ultimate success of the company. Security measures should be based on a combination of information, physical, human and cyber security measures.

Managing risks from additional collaboration

Companies should conduct due diligence when considering a new collaboration, including with investors, suppliers or other researchers. Due diligence may include financial, ethical, legal and national security considerations. This will ensure that companies have all the information required to make an informed and balanced decision about whether they want to work with them.

Companies should seek to ensure that any risks to which they are exposed are managed in line with their risk appetite. As the company expands, it will likely need to manage additional risks associated with increased collaboration. Your choice of partners may affect future business partners.

Securing the supply chain

Supply chains present a complex security risk and should form part of your due diligence process.

The company can seek to manage its supply chain risks as follows:

• Assessing whether the relationship with that provider presents any additional risks.
• Seeking suppliers whose offers comply best with your security requirements.
• Considering the impact of relevant regulations— in your country, but also internationally.

International expansion and investment

If the company is seeking international expansion and investment, the following questions may help determine possible additional risks:

• Is the company compliant with Canadian and allied legislation?
• Are you and the company aware of local laws in countries into which you are expanding and how these laws could ultimately affect your company?
• Has the company implemented necessary security procedures for any international travel?
• Has the company previously assessed the security implications of proposed investments and considered mitigation for any risks identified?

Secure your growth

As your company evolves, you may need to increase or adapt your security measures. The risks you face may well have changed—your team has grown, you have moved to more or larger premises, you are collaborating with more partners, or you are looking for further investment.

It is essential to continuously review your security measures and consider whether you need to take additional precautions.

CSIS investigates threats to Canada’s national security.
If you have information related to a potential or ongoing threat to Canada’s national security, please contact:

CSIS: 613-993-9620 (24/7)
Reporting National Security Information