Why cybersecurity has to be part of your startup strategy
While cybersecurity might feel like just one item down a list of priorities for a startup, it should be viewed in the context of a world of escalating online threats.
With the global pandemic in particular, as more companies developed a hybrid workforce that accesses company assets through a wider network of devices, the sharp increase in cybercrime came as no surprise.
Is a startup too small to need to worry about cybercrime?
A successful startup might be small, but it’s agile and manoeuvrable.
It has to be adaptable and able to pivot with market forces if it wishes to grow. However, that sort of flexibility brings with it opportunities for risk.
According to the figures, startups are often targeted by cybercriminals: 1-in-5 according to the 2021 Verizon Data Breach Investigations Report. Losses were valued around $22k in the same report. And around 60% of small businesses close within six months of a cyber-attack, according to this.
Any business starting out is generally spread thin, in terms of finances and resources.
Cybersecurity considerations might be a bit of a grudge at this point but, like insurance policies, they prove a saviour in retrospect.
What’s the starting point?
A strategy for cybersecurity is a good place to start.
It should detail a plan for implementing cybersecurity across various layers of the business, with policies and processes in place as well as relevant security technology.
The idea is to have the necessary gates and locks in place (technology) as well as the staff awareness to bolt those gates. This is how you prevent the charming and well-disguised wolf from making it through the door.
The documented strategy should outline a plan for both the short and the long term.
It should include looking at priority areas of the business, as well as assets ranked by value, that need greater protection.
It should align with the overall business roadmap, taking into consideration scaling, efficiencies, and the need to support the business rather than hinder it.
The business should be provided with a proactive approach to security, rather than a reactive one. Preventative monitoring and response plans also help to get everyone on board with an understanding and awareness of possible threats and how to mitigate them before they become attacks.
Policies, procedures and documented strategies are also valuable to demonstrate a certain level of professionalism in a startup, while communication and training of staff ensure everyone understands their role in keeping the business safe.
What are you protecting and why?
Understanding the business’ digital assets and how they’re prioritised is good practice anyway, but for your security policies it’s key. These would be things like intellectual property (IP), customer and staff data, and code. Then, where are these assets held: in the cloud, in physical data centres, on mobile devices? From there, it’s important to look at the size and reach of the impact a breach would have on the business.
A few questions to ask at this stage:
- What specific threats face the business, particularly in the context of the environment in which it trades?
- What are the industry regulations that affect this business?
- What are the regulations that affect this business’ customers?
- What would motivate attackers to target this business? What are they looking for?
- How much risk are we willing to take?
How far down the line are we?
Running a gap analysis against an industry-accepted standard is a good way to determine the organisation’s maturity. ISO 27001 is the standard specifically for information security management, ensuring that businesses are managing information security risks and data effectively. Other standards can be adopted too.
Give yourself a timeline
A cybersecurity strategy takes time to implement properly, which is why it’s important to have a priority list which can be implemented in a phased approach, alongside the business’ growth. For example, if you don’t have customers yet, protecting client data is irrelevant. Obviously, you’re looking for quick wins: protecting the most precious assets as a matter of urgency and putting the easy bits in place first.
Some questions to consider:
- Are our current processes secure enough to protect the assets that we have now?
- What do we need now and what will we need down the line?
- What can we do now for the most effective wins?
- What do we get with the tools we have? Some software packages come with inbuilt protection.
Always document your strategies
As with all strategies and processes, it’s a good idea to document them and ensure everyone has access to them. These documents are key in communicating goals and direction, as well as guidelines and processes, while also showing a high level of professionalism and commitment to clients and regulators.
Get the whole team on board
Education of staff is imperative in staying safe. Research shows that small businesses received 94% of their detected malware by email, through various forms of social engineering (opening email attachments with malware, for example). Secure processes need to be adopted by everyone in the organisation, because with attacks being as ongoing and relentless as they are, it just takes one little slip by someone to allow an attacker in.
It's about the journey…
A cybersecurity strategy is an ongoing process, not a destination.
It should be incorporated into the larger business strategy to ensure it’s scaling in parallel to the business. The world of cybercrime is evolving so rapidly that businesses have to stay on top of their game, or be brought to their knees.