This is a guest post by Jamie Akhtar, Co-founder and CEO at CyberSmart. CyberSmart is transforming the way that SMEs secure themselves and achieve compliance.
Today’s startup is a connected business. Your brand and your future growth prospects are dependent on staying secure in a world where cyber threats are growing at an unprecedented rate. You and your team members are connected to the Internet all day, every day, communicating with colleagues and stakeholders, sharing critical information, and frequently visiting customer and partner sites. Meanwhile, the prevalence and intensity of piracy, security breaches and ransomware attacks are increasing. It’s essential for your business to prepare for such an eventuality, take precautions and use appropriate solutions to minimise risk and ensure each team member knows what to do in the event of a breach. Government statistics show that threats to systems and data do not discriminate – companies of all sizes are being attacked. The evidence shows that small and medium-sized enterprises (SMEs) are often less prepared to deal with threats than their larger counterparts. In startups, cybersecurity is seen as important but, due to jargon and lack of understanding, it’s often put in the ‘to do later’ box. As a founder, you’re likely to be fully engrossed in running your business, right?
Why it Matters for Startups, not Just Big Companies
As a startup, you will hold sensitive customer data, likely have your own codebase, and have your reputation on the line. It is imperative to take security into consideration so that you can protect your vital intellectual property and data assets. Further, the Data Protection Act 2018 (GDPR) means that you have legal obligations to protect customer data and that you are liable for significant penalties in the event of a breach.
Staying Safe With a Startup’s Budget and Time Constraints
Among the numerous challenges and constraints facing startups and small businesses, digital security is often overlooked. Start early on in your journey and put it on the agenda for your next team meeting. We hope this article helps you understand the first key steps to take.
Regardless of time and budget constraints, it is essential for you to identify key cyber risks and protect your startup effectively.
Selecting the Right Protection Platforms
Effective security is applied in layers, and it starts with the foundation. The Government launched the Cyber Essentials scheme to make the UK the safest place to do business online. The Government Cyber Essentials scheme (CE) highlights the five key areas that need to be addressed to mitigate the risk of over 80% of cyber-attacks. Achieve these, and not only are you significantly reducing your online risk, but you will be able to get the CE certification and display the CE credentials to prove you take data security seriously – an increasingly important factor for your customers.
Cyber Risk Analysis
All companies are at risk, not just the large ones. As many startups fail in the first few years, you should appoint a team member, or take the responsibility yourself, to manage risk. The risks to manage include running out of funding, not gaining sufficient market traction and suffering reputational damage.
At the outset, you may benefit from a basic risk management solution. As you grow, you may need to implement a business risk management framework.
With larger businesses, risk management becomes more complex. Some companies employ a team of risk managers to protect themselves and identify positive or acceptable risks. Data must be collected, monitored and analysed for structured reporting.
As the amount of data increases, a management framework becomes vital. If a risk management technology solution is introduced early in the growth of your business, you will have the essential processes in place, enabling risk management to be integrated effectively across the company.
Depending on the industry, as you grow, you may need a dedicated risk manager. The stage at which a risk manager is required will depend on the types of risks and regulations affecting your business, and the amount and sensitivity of data you hold.
How to manage growth:
- Identify the acceptable risk level you are prepared to take in order to grow. You may have a high, medium or low-risk appetite.
- Prioritise risks – categorise which risks are most likely to occur or have the greatest impact; this may vary with the stage of the business and the industry. For example, in professional services, reputational risk is often crucial, whereas in technology businesses the priority risks may be platform security and protection of intellectual property.
- Establish contingency plans – mitigate risks where possible and evaluate possible prevention scenarios.
- Look for insurable risks. Where it is economically attractive to transfer risks to the insurance market, these should be considered as methods of mitigating financial risks. Companies that have attained CE certification may secure better terms. CyberSmart customers receive £25K of insurance as part of their CE certification.
- Implement company-wide risk management – get all employees to follow the company’s risk management processes and familiarise themselves with the risk management framework. It is often human error that leads to breaches.
- As you grow, implement a technology risk management solution: choose an adaptable risk management system that will continue to support the company through its growth. There will come a time when your initial spreadsheet and manual reporting will be outgrown. Likely paths to achieve this are more advanced frameworks such as IASME Governance and ISO 27001.
- Monitor, review and analyse all risk data regularly. Continue to review the risks that should be highlighted and identify those that are new or out of date. A good risk management system will help you do that.
Defence Plan, Pre-remediation Measures
Cyber-security professionals agree there is no single product available today that can solve all cyber-security challenges. However, to be cyber smart, you can deploy a solution that will check whether you have all the components of ‘Cyber Essentials’ in place and keep you protected 24/7. This can help you check whether you have enough technologies and procedures in place to provide comprehensive risk management. In addition, SMEs should continually monitor the risk to their systems, learn about new threats, put themselves in the shoes of a hacker and adjust their defences accordingly.
Here are key things you should be looking at.
- Antivirus Software should be your first point of security. Antivirus is designed to detect, block or remove viruses and malware. Modern antivirus software can protect you from ransomware, backdoors, viruses such as trojans, worms and spyware. Some solutions also help protect against other threats, such as malicious URLs, phishing attacks, social engineering techniques, and identity theft. Examples of antivirus software include Avast, Avira and Sophos all of which provide no-cost startup-friendly versions. Windows Defender is a Windows-integrated antivirus and is included with the operating system.
- Software Firewalls are an essential component of your network of defences. Firewalls are designed to monitor incoming and outgoing network traffic by implementing simple configuration rules – disassociating the internal network from riskier and potentially unsafe, external Internet traffic. Firewalls are usually built into the operating system and should be complemented with a virtual private network (VPN) to enable secure remote working over insecure networks. Examples of VPNs are Encrypt.me and Express VPN.
- Patch management should be carried out continuously, ideally via auto-update. Cybercriminals often design their attacks based on vulnerabilities in software. When software weaknesses are detected, software providers publish updates to fix them. That’s why using outdated versions of software can expose your business to security vulnerabilities.
- Password Management. A Data Breach Investigations Report by Verizon found that stolen and/or weak passwords are responsible for 81% of data loss. To minimise risk, companies should adopt the use of password managers. Such tools allow users to store, use and keep track of their passwords in a secure vault. Examples of password managers include 1Password and LastPass.
- Disk encryption should be enabled. If a laptop is stolen, encrypting the disk will render data inaccessible to those without a password to the machine.
- Backing up critical business data is vital. The precise frequency of backups depends on the specific needs of your business. Some backup solutions are designed to make incremental data backups throughout the day to minimise data loss. With solutions that perform incremental backups, the data can be restored to a point prior to a cyber-attack or system failure without losing crucial data (which may not be the case with a daily backup). Furthermore, you should regularly take complete backups and keep drives disconnected from your network to avoid the risk of them being corrupted too. An offline backup can help you quickly re-establish your business after a ransomware attack.
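The controls in the list above can be spot-checked on a single Windows machine. The script below is an added example, not CyberSmart's software or part of the Cyber Essentials scheme; it assumes a Windows 10/11 client with the built-in Defender, NetSecurity, BitLocker and LocalAccounts modules, an elevated prompt, and illustrative freshness thresholds (30 days for signatures) chosen for this example.

```powershell
# Added example (not CyberSmart's code): a read-only self-check of the controls listed
# above on one Windows 10/11 machine. Run from an elevated PowerShell prompt.
# Assumptions: the Defender, NetSecurity, BitLocker and LocalAccounts modules are
# present (they ship with Windows client editions); the 30-day signature threshold is
# an illustrative choice, not a figure from the Cyber Essentials scheme.

$findings = @()

# 1. Antivirus: Defender enabled, real-time protection on, signatures reasonably fresh
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { $findings += "Antivirus is disabled" }
if (-not $mp.RealTimeProtectionEnabled) { $findings += "Real-time protection is off" }
if ($mp.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-30)) {
    $findings += "Antivirus signatures are older than 30 days"
}

# 2. Firewall: every profile (Domain, Private, Public) must be enabled
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object {
    $findings += "Firewall profile '$($_.Name)' is disabled"
}

# 3. Patch management: pending software updates via the Windows Update agent COM API
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates
if ($pending.Count -gt 0) { $findings += "$($pending.Count) update(s) not yet installed" }

# 4. Disk encryption: the system drive must be BitLocker-protected
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.ProtectionStatus -ne 'On') { $findings += "BitLocker is not protecting $env:SystemDrive" }

# 5. Password hygiene (local accounts only): flag enabled accounts whose password never expires
Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordExpires } | ForEach-Object {
    $findings += "Local account '$($_.Name)' has a non-expiring password"
}

if ($findings.Count -eq 0) { "All checked controls are in place." }
else { "Findings:"; $findings | ForEach-Object { " - $_" } }
```

Backups and password-manager adoption cannot be verified from the endpoint this way and still need a manual check.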
Implementing a Safety-Conscious Culture
Foster a security-first, no-blame culture. Team members must be comfortable reporting any potential security problems. All employees should be able to report anomalies, errors or concerns about unusual practices, openly and without delay. When a safety and security culture is established within an organisation, all employees know that they have a personal responsibility to protect the organisation from attack.
There is no point in having a policy that team members do not know about. The impact of errors or security breaches can be reduced by encouraging immediate reporting, so knowledge of security policies is paramount. To be cyber smart, you should define and document your policy, make it accessible and make sure people know where to find it. If someone loses a laptop with customer data, is your policy readily available on their mobile phone? There are inexpensive systems available that enable you to be cyber smart and ensure that your important policies have been read and acknowledged.
Biggest Cyber Security Threats Facing Startups
Cybersecurity is of paramount importance. Any business is at risk, whether it’s a multinational or your startup. Nowadays, the plethora of B2B and B2B2C connections provide a lot of avenues for hackers, who often attack small businesses to gain access to their larger partners, customers or suppliers.
For any startup processing personal data, it’s important to understand the obligations of the data protection legislation – the GDPR, which applies to all businesses processing data of EU/UK citizens.
If you are wondering whether your start-up is subject to GDPR data protection legislation, this flowchart will help you to understand your responsibilities.
Large companies often ask their suppliers and partners, regardless of their size, to implement cybersecurity measures and prove that they have done this, as evidenced by the Government’s Cyber Essentials certification.
The amount of personal data being shared is increasing each year. Cybercrime is growing at a fast pace, quadrupling from 2015 to 2019. In the UK, 61% of businesses reported a cyber incident in 2019. In the US, the financial impacts of the damage can be crippling, as many as 60% of small businesses fold within 6 months of a cyber attack.
Developing a strong, multi-layered security strategy can save a business from the devastating effects of an attack. Regular training of employees and the implementation of security technologies will provide the first line of defence and significantly reduce the risk and impact of a security breach. A reliable backup and recovery strategy will be an important layer of defence, giving a business the ability to reboot quickly in the event of a major incident. And achieving Cyber Essentials should be a key goal for companies taking their own/their customer’s data protection seriously.
As hard as this all may sound, there are solutions out there, such as the CyberSmart platform and apps, allowing any sized organisation to take serious steps towards protecting their business. This allows you to achieve security and compliance implementation and monitoring, becoming your very own cybersecurity team, straight out of the box.
For more information on the topic and guidance on how to protect your business, please visit www.cybersmart.co.uk.