A well-entrenched cyber security programme is an absolute must for any budding startups. Data breaches reached an all-time high last year. Millions of people were affected as hackers stole information via phishing emails, watering hole attacks and ransomware. Burgeoning internet penetration and usage made the world a global village. This ease of access and availability also acted as a boon to cyber attackers. Businesses lost cash, reputation and sensitive information and individuals suffered due to breaches in bank accounts. Cybercrime is a huge threat these days and these can be committed single-handedly from a remote location.
Cyber security in startups
Many startups assume that cyber criminals only target larger organisations. The fact is that startups are not immune from cybercrime and breaches. Startups typically lack a huge budget for security, but there are steps that can be taken even with a small budget to mitigate and control risks.
Objectives for cyber security projects
Businesses can have four primary objectives for cyber security projects. Satiating the demands of clients and increasing their trust in the services and products being delivered to them, meeting compliance requirements for data security and privacy, safeguarding sensitive data or intellectual property that businesses own and finally to fight off reputation risks that cybercrime often brings with it. A startup needs to pick the most important objective and build the cyber security programme around that. More objectives can be added as the startup matures and grows bigger.
If your objective is to showcase to your clients your business’s robust security infrastructure, you can very well put a security certification programme in place. Certifications such as ISO 27001 for security, ISO 22301 for BCP are fine. If there is a software product, get it tested and certified via Plynt certification. In case it is a SaaS solution, you need to get both the product as well as the cloud tested and certified.
If compliance is your priority and you sell your products to regulated industries such as the financial sector, healthcare sector or the retail sector, you should go for security standards relevant to these industries like PCI, HIPAA, DPA, etc.
For startups that prize intellectual property and sensitive information, data protection services are the way to go. Thus, it is essential to put in place vulnerability assessments and breach scenario planning and also set controls, technologies and processes in order to keep attacks at bay. Innovative technologies such as data leakage prevention, encryption, identity and access management are useful here.
Cyber security, it must be understood, is a strategy and not just security products, solutions and resources working in silos. Since startups have cost constraints, it is beneficial for them to look for security vendors who would offer cloud services on pay per use model. This obviously brings down overall investment upfront and negates the necessity of having an in-house cyber security expert team. And often such services are considerably cheaper. Several providers such as Qualys, Zscaler, and Alert Logic offer on-demand security services.
Security activities startups should implement
- Risk or vulnerability assessment on yearly basis and key controls for high risks assets
- Endpoint security protection on desktops, laptops, mobile devices and other connected devices
- Unified threat protection or next Gen firewall for network protection
- Security scanning of external facing high value assets, both at network level and at the application level
- Security monitoring for assets that has sensitive data or intellectual information
- Manage user identities and access on a need to know basis
- Stronger authentication for privileged and high risk accounts
- BCP planning for critical processes
- Information security awareness and training for all employees
Lastly, startups should have an incident response plan in place, which must be reviewed and updated from time to time. A cyber security breach can obviously impact you but if you manage it properly, the damage can be minimised to a considerable extent. Organisational security usually fails because their incident response team fails.
Security threats will only multiply with time. Startups need to start thinking of integrating cyber security into their business plans instead of bolting them on later. Cyber security is possible without a large cash outlay if done right.
(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of YourStory.)