A cybersecurity report by Ponemon Institute, in association with Keeper Security, found that in the 12 months leading up to June 2016, 55 percent of small and medium-sized businesses (SMBs) experienced a cyber attack, while 50 percent encountered data breaches involving customer and employee information.
These statistics belie the common notion that cybercriminals attack only big businesses. In truth, SMBs and startups are often easier targets, as their defenses tend to be weaker. Limited financial resources make it challenging for these companies to invest in sophisticated security mechanisms or full-fledged IT departments – a fact that hackers and cyber attackers use to their full advantage.
Today, all it takes is one security breach to bring down a company’s brand and reputation. For startups, which depend so heavily on word-of-mouth recommendations, the impact of a breach could be fatal. Despite this risk, many startups remain woefully underprepared. According to the Ponemon Institute survey mentioned earlier, only 14 percent of SMBs rate their ability to mitigate cyber risks, vulnerabilities, and attacks as highly effective.
At a time when authorities such as the World Economic Forum are citing cyber attacks as one of the top global risks, both in terms of likelihood and impact, startups have an important mandate – to make cybersecurity an integral part of their business strategy.
A Good Cybersecurity Program Matters
Today’s startups are more mobile, hyper-connected, social, and globalized than ever – all of which have resulted in more complex data networks and more security risks. Additionally, with the cloud becoming the de facto choice for product development and deployment, newer and more challenging security threats continue to emerge.
Often, the weakest link in the chain could be a third party with inadequate security controls. The onus is on startups to keep these risks at bay, especially as their business amasses a growing volume of sensitive data such as customer contact numbers, credit card data, and intellectual property. Cybersecurity can no longer be a reaction to a threat that has already occurred. Investors and customers expect companies to do all they can to proactively protect the integrity, privacy, and confidentiality of this data.
Ultimately, strong security measures do more than just prevent risks. They foster customer trust, which is essential in driving growth and customer acquisition. In fact, nearly one-third of the respondents in a recent Cisco survey reported that the primary purpose of cybersecurity is to be a growth enabler, while another 44 percent consider cybersecurity a competitive advantage.
Adding further impetus are an increasing number of regulatory initiatives and guidelines around security, including the Cybersecurity Act of 2015, the Cybersecurity National Action Plan (CNAP), and the EU’s General Data Protection Regulation (GDPR).
What then should startups be doing to comply with these mandates, and keep cyber attacks in check?
Treat Cybersecurity as a Business Issue
Cybersecurity is no longer just a compliance or IT checklist concern, but a broader business priority that needs to be aligned with the company’s strategic goals, risk appetite, and risk management framework. In the absence of a CISO or cybersecurity expert, at least one person in the organization – be it a business analyst or an enterprise architect – should take on the role of an information security officer and be responsible for collaborating with the CEO to define a cybersecurity strategy, identify critical data assets, determine security risks and gaps, and implement appropriate controls. There also needs to be a common architecture that consolidates and rationalizes risk and threat data into a “single source of the truth,” which in turn enables the business, IT, and security functions to collaboratively mitigate risks in a timely manner.
Understand the Risks
Many startups, relying on an established cloud services provider, are lulled into a false sense of security, thinking that the data protection measures of the service provider are all they need. This couldn’t be further from the truth. Startups need to be proactive in understanding the risks associated with the service provider, assessing their level of compliance with industry standards, and ensuring effective governance and control through service level agreements and continuous monitoring. It’s also important to clarify the division of responsibilities between a company and its