As startups and small businesses know well, small doesn’t mean insignificant. Size doesn’t matter when you are intent on making an impact on your field. Growth is the name of the game, and you will do everything you can to maintain an upwards trajectory. That includes looking for cybersecurity tips for startups, because you know that staying safe from cyber attack is crucial if you are to be successful.
Just like you, cyber criminals know that small businesses are not insignificant. The NCSC’s Cyber Breaches Survey 2021 reports that 38% of micro and small businesses in the UK experienced cybersecurity breaches or attacks in 2020. Of those businesses, 27% said they were attacked at least once a week, and 22% needed to implement new cybersecurity measures to stop the next attack.
Startups and small businesses are seen as easy targets, perceived to have fewer skills and resources to protect themselves from attack, and a useful entry point to a supply chain. However, that is not necessarily true. Use our cybersecurity tips for startups and small businesses as a foundation for protecting your organisation from attack.
Knowing where to start can be a real challenge. If you take one thing from these cybersecurity tips for startups, take this: start with a plan. If you don’t know what you have to protect, then how can you protect it?
The act of creating a cybersecurity plan will help you understand the risks your organisation faces, the systems and data you need to protect, and how you will protect them. Writing it down creates focus and gives employees and service managers the information they need to carry out their cybersecurity responsibilities. It can also make you appear more serious about cybersecurity to current or prospective partners or customers.
However, don’t forget the first rule of planning – simply creating policies and storing them on your shared drive won’t keep you safe. You need to implement them too. So make your plans doable, add incremental uplifts, and don’t waste too much time getting going.
Traditionally, employees are seen as the weakest link. Cyber criminals constantly bombard them with phishing and other social engineering tactics, hoping to catch them out and get the information they need to launch an attack.
But here is another of our cybersecurity tips for startups: employees can just as easily be security champions. With the right training and education they can help protect the organisation. Add security training to the onboarding process, include it in the annual training package, and create security policies that set out clear expectations and guidelines for employees to follow.
Things change rapidly in the cybersecurity world, so ensure that all employees get a refresher every year at least.
Passwords are a quick and easy way to protect systems and networks. But they have to be done right. Done wrong, and passwords can be your second weakest link.
Teach employees to create strong passwords. Invest in password keeper technology to help them store strong passwords, and use multi-factor authentication (MFA) whenever possible. Turning on MFA, and encouraging employees to use an authenticator app such as Google Authenticator, can help reduce the risk of a successful phishing attack by 90%.
Tip: Try creating passwords from three random words in a string. The three words shouldn’t be common words, but can mean something to the user to help them remember it.
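The three-word tip above can be put into a small helper. This is an added example, not part of the original article: it picks the words with a cryptographic random source instead of leaving the choice to the user, estimates how strong the result is for a given word-list size, and flags words that are too common. Both word lists are constructed for illustration.

```python
import math
import secrets

# Constructed sample list, far too small for real use; load a list of
# several thousand words in practice.
SAMPLE_WORDS = """anvil bramble cobalt dormouse ember fjord gazebo harpoon
ignite juniper kelp lantern marrow nutmeg osprey quartz""".split()

# Constructed examples of words too common to rely on.
COMMON_WORDS = {"password", "welcome", "summer", "london", "football"}


def make_passphrase(words, count=3, sep="-"):
    """Pick `count` distinct words using the operating system's CSPRNG."""
    pool = sorted({w.strip().lower() for w in words if w.strip()})
    if len(pool) < count:
        raise ValueError("word list is smaller than the requested word count")
    return sep.join(secrets.SystemRandom().sample(pool, count))


def entropy_bits(list_size, count=3):
    """Bits of entropy for `count` distinct words drawn in order from the list."""
    return math.log2(math.perm(list_size, count))


def common_words_used(passphrase, sep="-"):
    """Return any words in the passphrase that appear in COMMON_WORDS."""
    return sorted(set(passphrase.lower().split(sep)) & COMMON_WORDS)


if __name__ == "__main__":
    print("passphrase:", make_passphrase(SAMPLE_WORDS))
    # A 16-word list gives under 12 bits; a 7,776-word list gives about 38.8.
    for size in (len(SAMPLE_WORDS), 7776):
        print(f"{size:>5} words -> {entropy_bits(size):.1f} bits")
    print("common words:", common_words_used("summer-anvil-London"))
```

The strength of a three-word passphrase comes from the size of the list the words are drawn from, which is why uncommon words matter.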
Your website, application, and bespoke systems are central to your business. Attackers know that, so they will often try to exploit them.
It is easier, cheaper, and more effective to build a system securely from the start. Implement a security-first approach to software development to help developers build secure systems that protect users and customers. Putting resources in from the start will save time and money down the line. It’s also a good investment in the future – a cyber attack resulting from a weakness in the system could have a significant impact on business.
Train developers in the security threats their system faces and how to code securely to prevent them. Make secure development central to their roles, and provide guidelines for them to refer to.
Put the system’s security to the test. Get external validation from expert penetration testers who will attack the application in the same way as criminals do, enabling you to discover and fix weaknesses before anyone else.
Endpoints are another weak link in an organisation’s security. The Covid-19 pandemic has increased the risks to endpoints, as employees working from home are outside the secure network and its large-scale security protections.
Protect computers, servers, printers, and mobile phones with dedicated endpoint protection software that can detect and alert on suspicious activity. Support employees to protect their own computers and phones by giving them training and guidance. Establish a list of approved software that employees can use and whitelist it, restricting access to non-approved software packages that could harm the organisation. Turn off USB drives to avoid malware downloads from infected devices. Finally, turn off admin privileges on employee computers.
Data is the most important commodity organisations possess, and the ultimate target for cyber criminals whether they are attacking via ransomware, malware, phishing, or any other form of attack.
In addition, certain types of information are subject to stronger privacy regulations such as the GDPR. Users’ personal information (personally identifiable information or PII) is defined as information that can be used to identify and contact an individual, for example full name, address, or phone number. Failure to protect PII can lead to large fines from a regulator, and a loss of reputation.
Together with a wider cybersecurity plan, a data protection plan will help your organisation understand what data you have, where it sits, how it is used, and how to best protect it. Some of the key elements of a data protection plan include creating a backup process, and applying encryption to data at rest and in transit by default. Encrypting sensitive data ensures that even if it is stolen it can’t be used against you by criminals.
The cloud is vital to your company. It enables you to be quick, agile, and scale up as you grow. However, it can also add risk to your cybersecurity. Sadly, many organisations have found out the hard way what happens if the cloud is not configured correctly.
Your cloud provider’s security protections will only go so far. You need to ensure that your own cloud buckets are configured correctly and have their own protections. As with everything else, ensure that only the right people have access to the production environment in the cloud, and that they have MFA in place to access the cloud.
Given the risks, get peace of mind with an assessment of your cloud security posture.
Cybersecurity tips for startups would not be complete without looking at what happens if the worst does happen, and an incident takes place.
Incident management, business continuity, and disaster recovery are all aspects of the wider response to any kind of incident affecting the organisation. An incident response programme anticipates the types of incidents the organisation may face and, by planning in advance, sets out the steps needed to reduce their impact.
Planning for an incident requires you to think about backup and restore plans in advance, understand which systems are crucial to the business and therefore need protecting, and define roles so that everything works well after an incident.
The final piece of advice in these cybersecurity tips for startups is testing.
Simply implementing cybersecurity policies and defences isn’t enough. You need to be sure that they can withstand attack. Penetration testing is one way to get a view of how systems, networks, infrastructure, and the cloud are protected.
In a penetration test, the testers will mimic the actions taken by cyber criminals to test cyber defences and search for weaknesses. They will provide vital insight into where vulnerabilities exist, and how you can mitigate them.
Cybersecurity is not one and done. You will need to constantly monitor, review, assess, and even update your defences. As cyber criminals develop new techniques, you need to ensure that your defences are up to the task of defending against them.
Knowing where to start can be daunting. Starting with this list of cybersecurity tips for startups, you will move your cybersecurity forward quickly, automatically making you a tougher target, and reducing the chances of a cyber attack.
Stay safe.