A cybersecurity report by Ponemon Institute, in association with Keeper Security, found that in the 12 months leading up to June 2016, 55 percent of small and medium-sized businesses (SMBs) experienced a cyber attack, while 50 percent encountered data breaches involving customer and employee information.
These statistics belie the common notion that cybercriminals attack only big businesses. In truth, SMBs and startups are often easier targets, as their defenses tend to be weaker. Limited financial resources make it challenging for these companies to invest in sophisticated security mechanisms or full-fledged IT departments – a fact that hackers and cyber attackers use to their full advantage.
Today, all it takes is one security breach to bring down a company’s brand and reputation. For startups, which depend so heavily on word-of-mouth recommendations, the impact of a breach could be fatal. Despite this risk, many startups continue to be woefully underprepared. According to the Ponemon Institute survey mentioned earlier, only 14 percent of SMBs rate their ability to mitigate cyber risks, vulnerabilities, and attacks as highly effective.
At a time when authorities such as the World Economic Forum are citing cyber attacks as one of the top global risks, both in terms of likelihood and impact, startups have an important mandate – to make cybersecurity an integral part of their business strategy.
A Good Cybersecurity Program Matters
Today’s startups are more mobile, hyper-connected, social, and globalized than ever – all of which have resulted in more complex data networks and more security risks. Additionally, with the cloud becoming the de facto choice for product development and deployment, newer and more challenging security threats continue to emerge.
Often, the weakest link in the chain could be a third party with inadequate security controls. The onus is on startups to keep these risks at bay, especially as their business amasses a growing volume of sensitive data such as customer contact numbers, credit card data, and intellectual property. Cybersecurity can no longer be a reaction to a threat that has already occurred. Investors and customers expect companies to do all they can to proactively protect the integrity, privacy, and confidentiality of this data.
Ultimately, strong security measures do more than just prevent risks. They foster customer trust, which is essential in driving growth and customer acquisition. In fact, nearly one-third of the respondents in a recent Cisco survey reported that the primary purpose of cybersecurity is to be a growth enabler, while another 44 percent consider cybersecurity a competitive advantage.
Adding further impetus are an increasing number of regulatory initiatives and guidelines around security, including the Cybersecurity Act of 2015, the Cybersecurity National Action Plan (CNAP), and the EU’s General Data Protection Regulation (GDPR).
What then should startups be doing to comply with these mandates, and keep cyber attacks in check?
Treat Cybersecurity as a Business Issue
Cybersecurity is no longer just a compliance or IT checklist concern, but a broader business priority that needs to be aligned with the company’s strategic goals, risk appetite, and risk management framework. In the absence of a CISO or cybersecurity expert, at least one person in the organization – be it a business analyst or enterprise architect – should take on the role of an information security officer, and be responsible for collaborating with the CEO to define a cybersecurity strategy, identify critical data assets, determine security risks and gaps, and implement appropriate controls. There also needs to be a common architecture that consolidates and rationalizes risk and threat data into a “single source of truth,” which in turn enables the business, IT, and security functions to collaboratively mitigate risks in time.
Understand the Risks
Many startups, relying on an established cloud services provider, are lulled into a false sense of security, thinking that the data protection measures of the service provider are all they need. This couldn’t be further from the truth. Startups need to be proactive in understanding the risks associated with the service provider, assessing their level of compliance with industry standards, and ensuring effective governance and control through service level agreements and continuous monitoring. It’s also important to clarify the division of responsibilities between a company and its service provider in various situations such as incident handling and virus infection, writes Vidya Phalke, CTO of MetricStream. “Who manages such situations, should they arise, depends on the chosen service model. And this needs to be completely clear and transparent – there is nothing more valuable to a business than its data; its protection can’t only be half understood. Governance around all aspects is essential,” emphasizes Phalke.
Embed Security into Product Development Right from the Start
Rather than treating security as an afterthought, startups would do well to bake it into their products, right from the conceptual stage, through the design, development, testing, and release phases. That means recruiting teams of not just product engineers and UX/UI designers, but also data security experts. In addition, it means incorporating security standards into products early on in their lifecycle. Often, businesses face a lot of pressure to deliver their products faster and cheaper – but that does not always mean better, observes Phalke. One needs to find that balance where enough time can be spent on implementing the right security testing processes, and doing things more thoughtfully.
Develop Effective Cybersecurity Processes, Policies, and Tools
A clearly defined cybersecurity risk and control assessment, as well as an incident response strategy, go a long way towards ensuring that the business is well-prepared to deal with threats and disruptions. The key is to focus less on cost, and more on evaluating the risks, implementing sound security controls, and establishing consistent taxonomies that are linked to critical data assets. Having clear, written policies and robust training processes is also important, as it helps employees understand what constitutes sensitive data, and how to protect it. At a broader level, an individual or team should be appointed to maintain oversight of how the entire organization is handling, storing, and sharing data. Finally, automation and big data mining tools can help by accelerating security risk assessments, and directing resources to the risks that really matter. Cyber insurance is another useful solution. Today, multiple insurers offer coverage to fit the needs, risks, and budget limitations of small businesses.
Look Ahead, Not Behind
As cybersecurity threats become more sophisticated, startups will need to start thinking one step ahead of a potential attack. That will involve looking less in the rear-view mirror, and more ahead at the security risks that could occur. It will require that businesses leverage analytics, artificial intelligence, machine learning, automation, and other such tools to bring together information from various internal and external sources, filter through this data to identify emerging security threats, and report this intelligence to the right decision-makers at the right time. Many businesses are also investing in a scalable governance, risk, and compliance framework that allows them to manage and track in an integrated manner the full gamut of security requirements, ranging from controls monitoring and penetration testing, to incident response management, business continuity, audits, and reporting.
According to the Verizon 2016 Data Breach Investigations Report, which analyzed 2,260 breaches across 82 countries, it took attackers just minutes or less to compromise systems in 93 percent of cases. Against this backdrop, startups have a choice — either ignore the risks, and face the eventuality of a serious cyber attack; or take informed steps to protect the business, brand, and customers. By understanding the full range of risks, and developing a clear strategy on how to deal with them, startups have the chance to fully realize the value of cybersecurity as a growth enabler and competitive advantage. The time to act is now.