For startups, less is more when it comes to cybersecurity
Startups are afraid of cyberattacks – here is why they should not let this fear paralyse them.
The UK suffers more cyberattacks than any other European country, according to IBM. You can hardly fault startup founders for fearing getting hacked. Falling victim to a cyberattack would be a disaster for a young company - or would it?
Hacking risk increases with success; hacking protection can prevent success
No startup wants to get hacked. However, striving for watertight security can often be counter-productive, particularly at the start of a company’s journey. This is because fear of cyber threats usually gives rise to a conservative attitude towards technology in general. Founders may be reluctant to use new technology in order to avoid the risk of hacking. This fear interferes with innovation, blocking the startup's path to market.
To understand when hackers become interested in a company, founders need to change their perspective and view their business through the eyes of a criminal. When a startup has low turnover and only a few customers, the potential gain for a hacker is small. Why would they infiltrate the system of a small company when their larger competitor has far more sensitive data and more money to pay a ransom? Only when a startup grows, gains many customers, and generates larger revenues, cybercriminals start paying attention.
Acceptable risk instead of exaggerated caution
As a startup thrives, it has two options for dealing with security: A well-planned approach from within, or a dynamic approach from the outside. Founders that take the first path - often called ‘security by design’ - can end up on a perpetual hamster-wheel of trying to improve their security. One never ‘achieves’ cybersecurity due to the ever-evolving nature of the threats. As more time is spent on security, that time is missing from experimentation and innovation, which are the true purpose of startups.
The second, dynamic path achieves a level of cyber maturity matching the startup’s technology and business maturity at each stage. With this approach, you regularly receive an outside hacker perspective and focus on only those improvements that effectively slow down hackers. With every major change to your product, the hacker’s perspective is updated through periodic manual ‘pentests’ and automated security scans to update the hacker perspective in between pentests. The tests identify and help eliminate the most-hackable issues while also helping you ignore other ‘nice to haves’ for which startups simply do not have time.
Bandwidth gained using this approach enables startups to experiment and grow, and with that growth comes additional responsibility for data and revenue - including protection against hacking. Inevitably, however, what also follows from that growth is increased complexity which gets in the way of the ‘security by design’ approach. For this reason, startups should continue seeking out the perspective of hackers and react dynamically to what they learn, rather than spend valuable time trying to win an unwinnable fight for ‘100% security’.
As a company grows and the transaction and data volumes increase, so does the complexity of its security situation. How many vulnerabilities do we have today? Where are new ones emerging and why? As IT complexity increases, the simple scanning tools used by many companies are no longer sufficient to answer these questions accurately. What is a growing startup, perhaps still in the early stages of building up its own IT team, supposed to do with the information that there are currently 5,397 vulnerabilities? Is that a lot? Is that little? And what can it do to fix them?
To stay agile, startups should rely on technical support that can help answer these types of questions. It is not unusual to find many vulnerabilities that can be traced to a single root cause - and that this root cause can be fixed with a few simple steps.
Focus on essentials
Fear of falling victim to cyberattacks often makes startups reluctant to experiment with technology. When it comes to security (and technology in general), one thing is true: we cannot know exactly how systems must be built securely before we try. We can only learn through experimentation. Delaying these experiments and trying to get everything right the first time, achieves the opposite: We delay getting the hacker’s perspective and learning about the inevitable issues in our initial implementation. Meanwhile, competitors more willing to take risks improve their systems through iteration.
Startups should aim to understand the true extent of potential threats, rather than constrain their innovation based on hacking fears. This is achieved with agile security management and tools providing a continuous external perspective. Crucially, the dynamic approach reveals not just the number of existing security vulnerabilities, but also helps with automatically categorising them around root causes so they can be addressed according to their priority. Often, just a few steps are sufficient to significantly reduce the risk of being hacked. Knowing exactly where these are and how they can be addressed is the be-all and end-all. By focusing only on the main root causes, founders and their teams gain back time to quickly iterate their actual business model and innovate towards market success.