Starting a new business is a hectic time. Your ‘to do’ list grows longer, not shorter, and you have so many important priorities that you simply don’t know which one to pick first. But you are getting there, and you can see a bright future ahead of you. That makes now exactly the right time to focus on something you may not have thought of yet: your cybersecurity posture.
We’ve pulled together this introduction to the essentials of cybersecurity for startups to help you begin your journey.
Data protection and information security
The protection and security of user, partner, or customer data and information is your responsibility. If that data is breached, you personally, your managers, your employees and the entire company are held responsible, with potentially damaging consequences for your business. You never know when a breach will hit you, and it always seems to happen at the worst possible time, but a good plan will help you manage it with minimal disruption to your business.
Customer perception and growth
Taking a smart approach to your cybersecurity planning is an investment in your company’s future. By having a plan in place, you show your investors, partners, and customers that you have taken steps to ensure that your entire business is as secure as can be and can be trusted with their business.
Regulation and compliance
The GDPR introduced a regulatory revolution, placing real importance on data protection best practices, and introducing heavy fines to transgressors. In just over two years since it was passed, the EU has shown that GDPR is here to stay, and compliance with these best practices is a must.
These regulations also provide a framework for companies that are looking for new service providers. Many companies will review your security and data protection policies when they are evaluating a new service provider, so you need to be able to demonstrate your compliance in order to even be considered.
It’s never too early to invest in improving your cybersecurity posture, and it may even save you time, money, and energy down the line. As a startup you are familiar with the need to prioritise, and with stretching your limited resources between quick wins and must-haves.
Investing resources in cybersecurity for startups is the same as investing in any other part of your business: it’s not how much you invest in cybersecurity that yields the best results, it’s when and how you invest. The later you leave it to invest in comprehensive cybersecurity for your startup, the more it will cost, and the more complex it will be to get it right.
The starting point for any startup implementing a cybersecurity strategy is the policies you set for the company, and the practices you put in place to create a cybersecurity culture.
Policies set out your intentions for cybersecurity across the entire organisation. The policies you create set the foundations for your information security programme. They set out the Dos and Don’ts for employees, managers, and clients alike to understand your company’s commitment towards information security and data protection. They allow you to address threats, engage and educate employees, and set controls.
Your cybersecurity policy will typically be made up of several different policies. Many regulations and standards, such as the GDPR, ISO 27001 or SOC 2, require you to have certain policies in place, and there may be other policies that your own business requires. Just some of the many policies you need to have include: Information Security Policy, Acceptable Use Policy, Data Retention Policy, External Party Management Policy, Incident Response Policy, and more.
Offence is the best form of defence, and that is definitely true when it comes to your cybersecurity programme. By taking a proactive approach, your cybersecurity posture will immediately be in a much better place. The practices you put in place are how you will achieve your policies and build a cybersecure culture. They are the programmes, software and training that you implement in order to protect data and apply information security. Even before you have defined your most important assets, the ‘crown jewels’ of your company, you can apply quick wins for general cybersecurity.
Proactive cybersecurity measures for startups include:
Assess your systems for security vulnerabilities (Penetration test)
Bring in an independent testing partner to assess your networks and applications for vulnerabilities. In many cases the testing partner can also support you to create plans to remediate these vulnerabilities, and some companies can even help you implement those plans. A professional security review carried out by an independent third party will help you reassure your clients that your applications, systems, and infrastructure are secure.
Vulnerability management and patching
Proactively check for, identify, and mitigate IT vulnerabilities across your network before they can be exploited. Remember: some of the worst recorded security breaches were caused by poorly configured systems, or by administrators who kept the default system permissions!
Endpoint security
Employee laptops and production servers can both be weak links in your networks. By adding the appropriate security software to each and every machine, you can compensate for human error and significantly reduce security risks, such as ransomware entering your networks and harming your data or users.
It is worth your while to take steps to create a secure configuration that supports your security objectives. Support your infrastructure security by applying DevOps best practices such as patch management and secure architecture, so that everything works as intended and you are made aware as soon as it does not; by using logging and monitoring technologies and processes to track and store data and alert you when something goes wrong; and by applying security-by-design principles to configuration management, passwords and secrets.
Security awareness training
Carry out regular training sessions to help your employees adopt secure working practices. Human error is often the cause of cybersecurity breaches, and it is important that you arm every single member of your team with basic information security and data protection knowledge, so that they can support your efforts to meet customers’ security requirements and achieve compliance with security standards and data protection regulations and acts.
Sadly, it is usually not a question of ‘if’, but of ‘when’ a cybersecurity breach will happen. Proactive security is there to ensure that the ‘when’ happens less often, and is less severe when it does happen, but attackers are always looking for the smallest opportunity to attack.
Failing to plan for an incident is planning to fail, and it is therefore vital that you have a good incident response plan in place for such an eventuality. Incident response plans help you address incidents including malicious attacks, data breaches, data loss incidents, and more. They contain the instructions that help your team identify the problem, contain it, eradicate the threat, recover any lost data, and learn how to prevent a similar attack from happening again. The plan should be a living document that is reviewed regularly to ensure that everyone knows what to do in the event of an incident.
Incident response plans (and keeping them current and relevant to your company) are also very important to customers, who are looking for reassurance that you will be on top of any kind of incident.
Data protection regulations such as the GDPR in the European Union, or the California Consumer Privacy Act (CCPA) in the United States, have changed the discussion around data privacy, placing new requirements on every company that processes data within their geographic boundaries or for their citizens, wherever they may be in the world.
These regulations place many requirements on you, but we suggest the following GDPR inspired activities as a good place to start:
Data mapping
For most of you, data is the ‘new oil’. Data is the most valuable resource you have, enabling you to add value for your customers, whatever your business is. The GDPR requires you to properly document every one of your data processing activities, from collection, through retention and sharing, to eventual disposal.
Data protection impact assessments (DPIA)
The GDPR also requires you to carry out periodic assessments evaluating how your business protects personal data, identifying and minimising the data protection risks of projects and reducing risks for the entire organisation.
Appoint a Data Protection Officer (DPO)
The GDPR also requires you to appoint an official data protection officer, who will lead your company’s data protection activities and act as the point of contact for all internal and customer data protection queries.
GDPR gap analysis
If you operate within the territories covered by the GDPR, and you use personal data to drive your business, you should carry out a GDPR gap analysis to ensure that you are fully compliant with all of the regulation’s requirements. If you fail to meet any of these requirements, you are in breach of the law, and could end up having to pay a fine or losing business opportunities. Many countries across the EU have made it clear that they are very ready to hand out these fines, so make sure you have everything in order.
Investing more in security does not necessarily mean investing better, as at some point your return on security investment (ROSI) will decrease. How and why this happens is a discussion for another time, but the bottom line is that you need to invest smartly in your cybersecurity.
Customer expectation and compliance frameworks have placed the responsibility for your company’s cybersecurity firmly on your shoulders. The buck stops with you, and you can’t pass the responsibility to an employee or external service provider. As a startup leader, you have to be on top of how your business processes and secures clients’ data.
At Cynance, we pull together our years of startup cybersecurity and data protection experience to help support startups just like yours to put in place the culture, policies, practices and mindsets necessary to effectively secure your business. The responsibility for data protection and information security may seem like a daunting task, but we are here to support you every step of the way.
Wishing you a safe and secure future. Stay safe.