We spoke to Brian Stuckey, a cybersecurity and risk management expert, investor, and co-founder who provided helpful insight and expertise for this article.
For many startup founders and co-founders, raising money from angel investors and VCs brings a distinct set of challenges.
Potential investors are looking for financially sound companies with hyper-growth potential, the right leaders, and a vision they can trust. This puts tremendous pressure on company leaders to make their companies viable and successful enough for investors to back them.
And while growth rate, revenue, and customer acquisition are top-of-mind priorities, cyber risk is often forgotten, overlooked, or neglected as a company grows. Investors tend to assume that startups are effectively managing their risk, securing their data, and taking the right steps to minimize exposures, breaches, and attacks. Many startups, however, do not realize that being able to demonstrate a strong cybersecurity posture will position them more favorably.
In many instances, if a company fails to manage its cyber risk responsibly, the resulting liability and financial risk can be too great for investors to accept. A larger company may be able to survive a significant cyberattack, but for a small company with no track record that is just starting its climb, a breach of client trust can be fatal.
While startups must carefully balance their resources, they cannot afford to ignore cybersecurity and risk management. The later this journey starts, the harder it will be to implement. This accumulated effect is called “cyber debt,” and the more it accrues, the more it will weigh a business down.
Here are a few tactical steps to take as your company grows that will help manage risk and cyber debt appropriately.
Secure your client and employee data
Data breaches, leaks, and exposures can be incredibly damaging from a financial and reputational standpoint, especially for early-stage companies. Not only will it be harder to find investors if you suffer a data breach; it might actually put you out of business. This is further compounded by potential privacy-regulation fines under, for example, the GDPR or Singapore's PDPA.
While it is important to secure your code and application data as you build out your product, it is just as important to consider security as you build out other business functions such as marketing, sales, HR, legal and finance. Wherever business and client data reside, across all your departments, applications, and tools, make sure it is secure.
For example, if you use a SaaS marketing automation platform and fail to configure it properly or to secure your employees' accounts, a malicious hacker may have no trouble getting in and accessing valuable data. The same is true for cloud infrastructure services like Azure, AWS, and Google Cloud, which almost all new startups use.
Don’t build in-house security tools
If you do prioritize security and risk management, you may be tempted to take matters into your own hands and build it all in-house. It is better to leverage tested solutions already on the market, because security is easy to get wrong. Even billion-dollar companies like Zoom have struggled to get it right.
These tools could include:
- Authentication and secure-access tools such as Auth0 and Okta.
- Dependency (package) analysis and static analysis tools, integrated into the IDE and the build pipeline.
- Application security testing and vulnerability assessment tools like Veracode.
These are development-focused tools that help your product team build and deploy products more securely while saving time and resources, letting you focus on other priorities.
Get your house in order
Having your IT operations halted by a cyberattack can be just as devastating as leaking customer data. You should invest in fundamental cybersecurity solutions that prevent, detect and respond to both automated and targeted attacks:
- Endpoint Detection and Response (EDR) and Endpoint Protection Platform (EPP) tools that help you catch bad actors and respond quickly in case of a compromise.
- Spam filters and advanced phishing protection to block automated email attacks before they reach your employees.
- Cloud security with a focus on securing permissions and using identity and access management (IAM) to reduce the risk of an attacker reaching your most sensitive data.
- Active Directory protection and monitoring for lateral movement, which is a telltale sign of a compromise.
Furthermore, where possible enable these best practices to minimize the chance of a successful attack:
- Use 2FA/MFA: This is an easy way to add protection. Enable it on as many accounts as possible, not just administrator accounts.
- Enable auto-updates: Most updates are security updates. Keeping your tools and software current makes it harder for attackers to exploit known, older vulnerabilities.
- Properly configure public-facing systems: Anything that is potentially public-facing, like GitHub repositories or AWS storage and compute, should be configured to keep unauthorized users out.
- Secure third-party tools and apps: Startups use many third-party services, like Slack, Google Workspace and social media management tools. Hardening these accounts keeps attackers out and prevents accidents. The same applies to any third-party libraries you integrate into your development environment.
- Minimize admin access: Limiting permissions, access, and privilege (at the account and role level) through policy enforcement and tooling is crucial to get right from the beginning. It becomes much harder later, when the organization is larger and it is more difficult to know how many tools and vendors make up your overall IT environment.
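The two list items on configuring public-facing cloud resources and minimizing admin access are easy to state and easy to get wrong in practice. The following is an added example, not code from the original article, showing a small audit that a startup can run over its AWS-style IAM and S3 policy documents to catch the two classic mistakes: a role granted full admin (Action "*" on Resource "*") and a resource policy open to any principal. The policy documents below are constructed for illustration; the bucket names, role names and the 123456789012 account ID are placeholders, not real data.

```python
"""Flag two common startup misconfigurations in AWS-style policy JSON:
  1. wildcard admin grants (Action "*" on Resource "*", or service-wide "svc:*"),
  2. resource policies granting access to any principal ("*") with no Condition.
All sample policies are constructed examples, not taken from a real account.
"""
import json


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (anyone on the internet)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def audit_policy(policy, name="policy"):
    """Return a list of human-readable findings for one policy document."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        # NotAction grants everything *except* the listed actions; review by hand.
        if "NotAction" in stmt:
            findings.append(f"{name}: statement {i} uses NotAction (implicitly broad grant)")

        # Finding 1: over-privileged role (the "minimize admin access" item).
        if "*" in actions and "*" in resources:
            findings.append(f"{name}: statement {i} grants Action '*' on Resource '*' (full admin)")
        elif any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{name}: statement {i} grants a service-wide wildcard action {actions}")

        # Finding 2: public resource policy (the "public-facing systems" item).
        # A Condition (e.g. restricting to a VPC endpoint) may make "*" intentional,
        # so only unconditioned public grants are flagged here.
        if _is_public_principal(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append(f"{name}: statement {i} is open to any principal ('*') with no Condition")
    return findings


# --- Constructed sample policies (weak setting beside the corrected one) ---
DEVELOPER_ROLE_WEAK = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
DEVELOPER_ROLE_SCOPED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::app-uploads-dev/*",
    }],
}
BUCKET_POLICY_PUBLIC = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::customer-exports/*",
    }],
}
BUCKET_POLICY_SCOPED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::customer-exports/*",
    }],
}


def audit_all(policies):
    """Audit a {name: policy} mapping; returns {name: findings} for failing policies only."""
    results = {}
    for name, policy in policies.items():
        found = audit_policy(policy, name)
        if found:
            results[name] = found
    return results


if __name__ == "__main__":
    samples = {
        "developer-role-weak": DEVELOPER_ROLE_WEAK,
        "developer-role-scoped": DEVELOPER_ROLE_SCOPED,
        "bucket-public": BUCKET_POLICY_PUBLIC,
        "bucket-scoped": BUCKET_POLICY_SCOPED,
    }
    print(json.dumps(audit_all(samples), indent=2))
```

In practice you would feed this the output of `aws iam get-policy-version` and `aws s3api get-bucket-policy` for each role and bucket, and wire it into CI so a new wildcard grant fails the build rather than being discovered in an incident. The scoped variants show the shape to aim for: named actions, a specific resource ARN, and a specific principal.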
Consider a modern MSSP
During the early stages, startups are focused on growing as fast as possible and seldom consider cybersecurity and risk management, because these run counter to current priorities. This often means no one is directly responsible for cybersecurity; instead it falls into someone's broader remit, and that person may not have the deep expertise required to put the correct measures in place. A modern managed security service provider (MSSP) can fill that gap and:
- Provide the essential security tools to help you scale your organization securely.
- Bring security expertise and guidance to help you address new risks and threats.
- Offer 24/7 SOC monitoring, which is hard for a small internal security team to staff.
- Support detection and response capabilities in the event of a compromise.
- Demonstrate effective security and risk reduction, which will appeal to investors.
Cybersecurity gets easier the sooner you start
If there's one piece of advice to follow, it is this: don't wait to get started. If you ignore or postpone cybersecurity and risk management, you will find it far more burdensome, resource-intensive, and costly to implement later. Avoid racking up cyber debt.
Startups face the same attacks as larger companies, and you don't want to be the company that left its doors unlocked. Ideally, you should build and grow your company with security in mind, incorporating tools, systems, controls, policies, and security partners that will scale with your business.