by Andrew Ostashen, co-founder of Vulsec
When an organization is in the startup phase, the first thing on its mind is "How do we get our product to market as fast as possible?" followed by "How do we scale our product(s) in the fastest and most efficient way possible?"
Typically, cyber security is considered later down the road, after the company has been compromised or when it is preparing for compliance and regulatory filings.
Yet cyber security should be a crucial consideration for entrepreneurs during the initial steps of creating their vision. This includes creating an Information Security Program, training staff in secure development of products, and designing the security architecture of their infrastructure.
In fact, startups are at the perfect spot to implement a rock solid program at their foundational level, and then eventually grow it from there. This way, employees, partners, and board members will all be on the same level with the understanding that information security plays a major role in the success of a company.
Conversely, enterprise organizations get breached as a result of the complexity their infrastructure has accumulated over time. These organizations have outdated technology, mismanaged processes, and poor implementations, leading to a constant uphill battle against hackers. Companies like these wish they had a blank slate on which to re-create their entire infrastructure, much like the situation most startups begin with.
As a startup, companies should answer these questions when researching their own cyber security goals:
- Are we an online business?
- Do we have store fronts?
- Do we have an internet connected product/app?
- Are we collecting/storing sensitive information?
- Do we have offshore developers?
- Do we deal with foreign companies that create our product?
- Are we looking at 100% growth within the next X number of months?
- When are we looking for funding, investors, or going IPO?
Key steps in making sure your organization is on the right path for cyber security and protection of data include:
- Create an Information Security Program, keeping in mind the growth of your organization. Business continuity steps, incident response plans, and disaster recovery policies should be the nucleus of this program.
- Add multi-factor authentication to SaaS applications and cloud environments.
- Implement identity and asset management tools within the organization to monitor anomalies around users.
- For efficient and secure expansion, understand what types of resources and technology are needed: colocation, cloud providers, or internal resources?
- Bring awareness to employees with social engineering, training, and positive reinforcement tactics.
- Conduct assessments within the various business units to determine risks associated with loss of data.
- Create effective remote user and BYOD (Bring Your Own Device) policies, including measures such as anti-phishing software, to ensure devices are protected, the flow of data is encrypted, and data is protected from theft.
- Communicate with board members and executives about the importance of developing this secure environment, as well as the process.
- Hire qualified internal resources or outsource as needed for the required IT positions. Bring on a security-conscious CTO at the beginning.
- Be conscious of the flow of data within your organization to make sure data is encrypted at rest and in transit. Detect anomalies in that flow to stay ahead of unauthorized access.
The complexity of cyber security is increasing as more and more Internet of Things (IoT) devices are being brought online. As a startup, you are on the ground floor of creating the future of your product and company. Create your organization with cyber security at the forefront of your development and creative thinking strategies, and keep your data, intellectual property, and brand safe from hackers.
Andrew Ostashen is co-founder of Vulsec, a Boston-based firm established to provide clients with the highest methodologies in data protection by delivering versatile tactics to safeguard information technology departments from hackers.