Startups are incredibly vulnerable to cyber attacks in their first 18 months. However, most ventures today still have a false sense of security due to their smaller size. As a result, cybersecurity for startups often ends up at the bottom of a long entrepreneurial laundry list.
RIC Centre’s latest Expert Speaker Series, Cybersecurity for Startups, featured Charles Finlay from Cybersecure Catalyst and Michael Castro from RiskAware Consulting Group. This fireside chat explored how cybersecurity threats can be managed as an entrepreneur, what potential investors look for when it comes to cybersecurity, and also gave our entrepreneurs practical strategies that they could implement in their own business.
Startups must first treat cybersecurity seriously. There is a natural convergence of operational and cyber risk – once you identify this inherent risk in your own company, you can estimate the vulnerability of your company’s systems and apply controls.
How Can Startups Manage Cybersecurity Threats?
Once you have identified and understood your company’s risk, it is important to develop a cybersecurity plan. As levels and types of risk vary from company to company, your startup’s plan will likely be tailored to specific company needs.
However, thinking of security at a higher level, Castro shares with us a set of global standards that should be adopted by any company – from large corporations all the way down to early stage ventures.
The Center for Internet Security provides a prioritized set of actions to protect companies and the data they host from known cyber attack vectors. The list of 20 controls is broken into 3 distinct categories: basic, foundational and organizational.
Basic controls are the key essentials for becoming ready for a cyber attack. They include controlling your hardware and software assets, continuous vulnerability management and monitoring audit logs.
Foundational controls include technical best practices all companies should implement. The list includes malware defenses, controlled access, and email and web browser protections.
Last, organizational controls take stock of the people and processes in your company. Employees are often the weakest link in cyber risk management regimes. Training and educating your employees to create a culture of prevention is a necessary layer in cyber risk mitigation.
More information on 20 CIS Controls along with resources can be found here.
SANS Institute’s 5 Keys for Building a Cybersecurity Program can be found here.
Training and Certification
You yourself may choose to develop skills in cybersecurity that will benefit your startup in the long run. There is a wide range of courses and programming available to get you on your way. Ryerson University’s Cybersecure Catalyst aims to do just that, providing solutions for Canada’s current cybersecurity challenges by driving collaboration and excellence.
Their Signature Program will provide cybersecurity skills training to groups currently underrepresented in cybersecurity including women, new Canadians and workers dislocated from legacy sectors, as well as for those who simply require additional training.
There is a wide range of opportunities available to give you the knowledge needed to systematically reduce your company’s cyber risk. Finding courses and programs with a scope and time commitment appropriate for you is key.
Vendor Security Questionnaires
Vendor management isn’t only for large corporations.
It is important that your company evaluate the security risks of your third-party vendors. Vendor security questionnaires are useful tools to assess the security practices of potential vendors and make sure that these same practices comply with your own.
As you will most likely also approach your first clients as a relatively unknown third-party vendor, it is also a good idea to familiarize yourself with common security requirements you may be presented with.
What Will Investors Look For?
Caring about security can be a competitive advantage for your company. It’s important to remember that investing strategically in cyber can come with an ROI.
Investors want to back trusted brands and potential clients want to feel safe.
From the collection of payment information to user experience data, clients and customers are becoming more and more concerned about the confidentiality and integrity of systems handling their information.
Be Prepared to Answer Questions
Investors will likely ask the tough questions about your security practices. They may also request internal and external audits to trust the resilience of your processes. Taking ongoing, preventative measures that are embedded into product development the right way not only improves investment preparedness; it is often more cost-effective too. Small, incremental investments in security show thoughtfulness and intent to investors and can prevent costly big fixes for hacks down the road.
5 Steps to Cybersecurity (That Won’t Break the Bank)
Knowing that startups often like simplicity, Castro has left us 5 simple cybersecurity measures your company can start with to build better security practices.
Credit: Michael Castro, founder of RiskAware Consulting