At the end of 2018, 30 million small businesses were operating in the United States, many of which relied on a variety of technologies to deliver their services. No matter how small in size or how new on the startup scene, these growing companies often face the same cyber risks that large and well-established companies face. Startups often make the mistake of thinking cybersecurity is something that can be addressed later on as the company matures. The truth is that failing to integrate cybersecurity from day one can stunt a startup's growth and, in extreme cases, even tank it altogether.
Adding fuel to the fire is that, while established businesses usually have the resources to prioritize cybersecurity, startups are often operating with minimal funding and thus may not be able to invest as freely in protecting their assets from cyber threats. To ensure cybersecurity risks don’t tank your startup or small business, here are some key rookie mistakes to understand and avoid.
Mistake 1: Thinking small companies aren’t at risk.
The mega data breaches that usually make the news are the ones featuring large corporations that may have lost millions of customer records and endured events that impacted massive numbers of people. Small companies and startups usually don’t make the news, leading some to believe that cyber threats don’t pose as significant a risk to these companies. That couldn’t be further from the truth.
A single breach is potentially all it takes to take down a startup. I’d argue that the impact of cyber breaches is more grave for a startup than a larger company. The companies seen in the headlines tend to have a strong brand and image to fall back on and, eventually, though costly, they will likely survive the breach. For a small startup still working to establish a loyal customer base and brand image, an early security compromise or cyber breach can be catastrophic.
Mistake 2: Trying to boil the cyber ocean.
Working with a limited budget means that entrepreneurs must find creative ways to outline security needs and stretch the budget as far as possible. While the paranoid leader may have good intentions in wanting to protect everything to the best of their abilities, illogically throwing money at security problems can get unnecessarily expensive. It’s essential to find balance. To do that, create a strategy that focuses on the most significant risks to the startup at its various phases as well as outlines priorities and plans for addressing those risks. Also, note that there is a difference between business operations security and product security if you are in the product business. When it comes to building products, integrating secure design and development from day one is highly recommended.
Mistake 3: Failing to do the basics.
Companies of all sizes tend to struggle with delivering on basic security hygiene, but it appears to be a more significant problem for startups. There are basic best practices that can save a company a lot of time and effort when addressed proactively. For example, asset management and understanding of technology environments is something that large companies struggle to control. As a new company building asset inventories from scratch, a startup can get in front of this problem by creating a robust asset management program from day one. Similarly, other cybersecurity basics should be integrated from day one. For example, systems should require strong passwords, software and technology should be frequently updated, anti-virus should be installed on every device, and more. There should also be adequate policies and guidelines that employees can refer to. Lastly, asset and network visibility through logging, employee monitoring, and other technologies should be leveraged. While all of the recommendations can be scaled up or down depending on organization size, these elements must be a part of a startup’s security program regardless of size.
Since resources and headcount may be constrained, consider what can be outsourced vs. what will require full-time support. In addition, some startup companies consider using freeware to address some security concerns while saving costs in the process. This is a practical route only when evaluated and leveraged very carefully. For example, ensure you are downloading the authentic version of technology by scanning files for viruses, checking to ensure file hashes match, and so on. There are a ton of free or discounted software options available, but you may experience tradeoffs in quality, service, and SLAs. For an operational business, the risks associated with these limitations should be considered as well before choosing freeware.
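The hash check mentioned above, as an added example that is not part of the original article: it verifies a downloaded file against a `sha256sum`-style checksum list and fails closed when the file is not listed. It assumes the checksum list was obtained from the publisher over a trusted channel, since a list fetched from the same compromised mirror as the file proves nothing; the file name and contents are constructed.

```python
import hashlib
import hmac
import pathlib
import tempfile

def parse_manifest(text):
    """Parse `sha256sum`-style lines: '<64 hex chars>  <name>' or '<hex> *<name>'."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        if len(bytes.fromhex(digest)) != 32:  # fromhex raises ValueError on non-hex
            raise ValueError(f"not a SHA-256 digest: {line!r}")
        entries[name.strip().lstrip("*")] = digest.lower()
    return entries

def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, manifest_text):
    """Return (ok, reason). A file missing from the manifest is a failure."""
    expected = parse_manifest(manifest_text).get(pathlib.Path(path).name)
    if expected is None:
        return False, "not listed in manifest"
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected):
        return False, f"hash mismatch: got {actual}"
    return True, "hash matches"

def demo():
    """Constructed sample: an intact installer, then the same file altered."""
    with tempfile.TemporaryDirectory() as d:
        good = pathlib.Path(d, "tool-1.0.tar.gz")
        good.write_bytes(b"constructed installer bytes")
        manifest = f"{sha256_file(good)}  tool-1.0.tar.gz\n"
        first = verify_download(good, manifest)
        good.write_bytes(b"constructed installer bytes, altered")
        return first, verify_download(good, manifest)

if __name__ == "__main__":
    print(demo())
```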
Mistake 4: Failing to focus on people.
Within the startup, employees play an essential role in preventing cyber incidents. A positive note when it comes to smaller businesses is that fewer employees mean a smaller human attack surface. For example, a company with 100,000 employees has 100,000 human entry points of attack into the company. A startup with 25 employees, for example, has a much smaller human attack surface. The manageable number of employees also makes it easier to deliver comprehensive cybersecurity training and awareness programs.
Regularly educate employees on cyber risk and what they can do to avoid falling victim to cyber-attacks. Remember that email is one of the most active attack vectors and gateways into companies. Teach employees how to detect and respond to phishing emails, and you’ll proactively eliminate a considerable portion of your risks.
Mistake 5: Leaving out 3rd parties.
Startups with small teams may elect to outsource certain functions or seek external support. While often a logical choice, third parties can introduce additional cybersecurity risk to startups. What happens when your service provider is hit with ransomware, and it takes down your operations as well? Or what happens when your email provider is breached and all of your data is exposed in the process? It’s essential to pay close attention to whom you are partnering with and hold them accountable for protecting your assets no matter how small your company may be.
Many unexpected challenges can cause a startup to go under. Don’t let cybersecurity be one of them. Avoid these five mistakes by ensuring you have a cybersecurity strategy that embraces best practices and focuses on internal and external parties, and the role they play in security within the organization.