Cyber Security is always an afterthought in the startup world. It does not directly impact any of the metrics you care about the most in the early stage of a startup. It does not directly help you increase revenue or your valuation or gain more users. It surely does not attract VCs. No VC is going to the market to pick and choose the most secure startup. Obviously, it is going to be an afterthought.
Why Bother About Cyber Security?
If you are frequently in technical discussions, it is very likely that you have encountered the term “Technical Debt”. It is used to denote a situation where the easier of the available options is chosen to move forward, knowing that this would mean added work to fix this in the future. Startups accrue a lot of technical debt while gaining initial traction, even while scaling. And most of the time, this decision is conscious.
Although everyone talks about “Technical Debt”, no one notices or speaks about “Cyber Security debt”. The later you start thinking about and integrating Cyber Security into your business, the bigger the debt.
Will Cyber Security Slow You Down?
Startups are high-velocity businesses. No one wants to get bogged down by controls in a fast-paced world. Bringing Cyber Security into your fast-paced world is akin to installing new brakes on your supercar. Brakes slow you down, right? Yes, but they also allow you to go fast with confidence because you know that you have fully functional brakes. So, no, Cyber Security will not slow you down.
Get Started On Your Cyber Security Journey
Enough theory, now let’s get into some practical advice. Let’s look at the bare essentials you need to get started.
1. Anti-virus Software
Anti-virus software is probably the oldest cyber security defense out there. It did not take long for criminals to jump on the computing bandwagon once it started to gain pace. Malware is usually delivered to users either via email or via malicious websites. Most of the time, it is the innocent user clicking on that link, downloading that attachment or running a questionable executable that starts the chain of infection.
The damage caused by malware is two-fold:
- Disruption of operations: Most malware either slows down infected systems or renders them completely unusable. You inevitably have to stall operations to get users back up to speed. With a limited IT staff, this can be a daunting task. On the other hand, there is also a risk of ransomware. If your business-critical data gets encrypted, and you cannot do without it, you might need to raise a funding round just to fund the ransom.
- Sensitive information leakage: Malware is designed to exfiltrate data to an external server that is under the criminal’s control. If they find juicy data in what was exfiltrated, such as PII, credit card details, or trade secrets, this data will soon be up for sale on the dark web.
A decent anti-virus solution is the cheapest investment you can make to ensure the security of your business.
2. Cloud Security Posture Management Solution (CSPM)
If you are a tech startup, you will inevitably be on the public cloud. Cloud Security Posture Management (CSPM) is a proactive approach to ensuring the security of cloud environments. It involves continuously assessing and managing security configurations, settings, and policies across cloud services and resources to align with best practices and compliance requirements. A single misconfiguration in your cloud environment can mean a catastrophe for your business.
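To make "continuously assessing configurations" concrete, here is a small added example (not taken from any CSPM product): it evaluates a constructed inventory snapshot against a handful of posture rules and reports what changed since the previous run. The resource types, field names and rule names are hypothetical and do not correspond to any cloud provider's API.

```python
# Constructed inventory snapshot; a real tool would pull this from the provider.
INVENTORY = [
    {"id": "bucket-invoices", "type": "storage_bucket", "public_read": True, "encrypted": True},
    {"id": "bucket-logs", "type": "storage_bucket", "public_read": False, "encrypted": False},
    {"id": "fw-bastion", "type": "firewall_rule", "source": "0.0.0.0/0", "port": 22},
    {"id": "fw-web", "type": "firewall_rule", "source": "0.0.0.0/0", "port": 443},
    {"id": "user-root", "type": "account", "admin": True, "mfa": False},
    {"id": "user-dev", "type": "account", "admin": False, "mfa": False},
]

ADMIN_PORTS = {22, 3389}  # SSH and RDP should not face the whole Internet

# Each rule: (name, resource type it applies to, predicate that is true when misconfigured)
RULES = [
    ("bucket-public", "storage_bucket", lambda r: r.get("public_read", False)),
    ("bucket-unencrypted", "storage_bucket", lambda r: not r.get("encrypted", False)),
    ("admin-port-open-to-internet", "firewall_rule",
     lambda r: r.get("source") == "0.0.0.0/0" and r.get("port") in ADMIN_PORTS),
    ("admin-without-mfa", "account", lambda r: r.get("admin") and not r.get("mfa")),
]

def assess(inventory, rules=RULES):
    """Return a sorted list of (resource id, violated rule) pairs."""
    findings = []
    for res in inventory:
        for name, rtype, misconfigured in rules:
            if res["type"] == rtype and misconfigured(res):
                findings.append((res["id"], name))
    return sorted(findings)

def drift(previous, current):
    """Findings that are new since the last run: what a continuous check alerts on."""
    return sorted(set(current) - set(previous))

if __name__ == "__main__":
    for resource_id, rule in assess(INVENTORY):
        print(f"{resource_id}: {rule}")
```

Running the assessment on a schedule and alerting only on `drift` keeps the noise down once the initial backlog of findings has been triaged.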
3. Open-Source Vulnerability Scanner
Open-source libraries can contain vulnerabilities that expose your application to potential security risks. These vulnerabilities might range from outdated components with known weaknesses to hidden backdoors inserted by malicious actors. Having a good Open-Source Vulnerability Scanner integrated in your source code repository solution can be a huge help in identifying and remediating these vulnerabilities. In most cases, the fix is to just upgrade the vulnerable package to the latest version, which can be done automatically by these tools.
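The matching these scanners do can be shown in a few lines. The following is an added example, not code from any particular scanner: it compares pinned dependencies with an advisory feed and suggests the lowest version that clears every matching advisory. The package names, versions and advisory IDs are constructed placeholders, and only plain dotted numeric versions are handled.

```python
import re

# Constructed pinned dependency file (package names are made up).
REQUIREMENTS = """\
webframework==2.3.1
imagelib==9.0.0
yamlparser==5.4   # already on the fixed release
cryptohelper>=1.0
"""

# Constructed advisory feed: affected range is introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "package": "webframework", "introduced": "2.3.0", "fixed": "2.3.2"},
    {"id": "ADVISORY-PLACEHOLDER-2", "package": "webframework", "introduced": "2.0.0", "fixed": "2.3.4"},
    {"id": "ADVISORY-PLACEHOLDER-3", "package": "imagelib", "introduced": "8.1.0", "fixed": "9.0.1"},
    {"id": "ADVISORY-PLACEHOLDER-4", "package": "yamlparser", "introduced": "0", "fixed": "5.4"},
]

def vkey(version):
    """Sort key for dotted numeric versions, padded so that 5.4 == 5.4.0."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def parse_pins(text):
    """Split the file into exact pins and lines that cannot be matched to one version."""
    pins, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
        else:
            unpinned.append(line)  # report it rather than guess the installed version
    return pins, unpinned

def scan(text, advisories=ADVISORIES):
    """Return ({package: finding}, unpinned lines) for the given dependency file."""
    pins, unpinned = parse_pins(text)
    report = {}
    for adv in advisories:
        have = pins.get(adv["package"])
        if have and vkey(adv["introduced"]) <= vkey(have) < vkey(adv["fixed"]):
            entry = report.setdefault(adv["package"], {"installed": have, "advisories": [], "upgrade_to": adv["fixed"]})
            entry["advisories"].append(adv["id"])
            entry["upgrade_to"] = max(entry["upgrade_to"], adv["fixed"], key=vkey)
    return report, unpinned

if __name__ == "__main__":
    print(scan(REQUIREMENTS))
```

The unpinned line is returned separately because a range such as `>=1.0` does not say which version is actually deployed; pinning exact versions is what lets a scanner give a definite answer.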
4. Multi-factor Authentication
Passwords are good, but MFA is much better. Passwords are shared rampantly in a fast-paced business such as a startup, most of the time, insecurely. It’s a common sight to see passwords pinned to a desk in a startup’s office. It’s easy to inadvertently leak them to unintended parties. In cases like these, MFA ensures that your data and systems are not accessed by unauthorized individuals. It’s like having a virtual bouncer at the door, making sure only the right people get in and keeping your valuable data safe from any sneak attacks.
5. Use a CDN provider
CDNs were originally designed with the goal of easing content delivery for your website. However, as the landscape evolved, people started to realize that CDNs are not only effective for speeding up your public websites, but they are also useful for protecting your website against DoS attacks.
6. Security Awareness Training
You might have heard this clichéd saying: “Humans are the weakest link in cybersecurity”. Like it or not, it’s true. People, due to their natural behaviors and vulnerabilities, can inadvertently open the door to cyber threats. Humans can be tricked or manipulated through various methods like phishing emails, social engineering, or even unintentional errors.
Obviously, you would not want your users to sit through boring security awareness training when they could do a thing or two that will move your valuation needle upwards. Security Awareness Training indeed sounds unnecessary and boring, but trust me, it is effective. Whether your team likes it or not, it makes them aware of things they need to watch out for when faced with a real social engineering attack.
7. Ransomware Protection
We already discussed the need for anti-virus solutions above. Ransomware is the most damaging threat in the current Cyber Security landscape. Although anti-virus solutions are adept at identifying most of the well-known ransomware, a specialized ransomware protection tool can make your infrastructure more resilient against ransomware attacks.
8. Web Application Firewall
If it’s on the Internet, it’s going to be attacked. When you host anything on the Internet, your systems are inevitably scanned and probed for open holes. If your main product is a web application, which is most likely the case, then a critical vulnerability in your web application can lead to a serious data security risk. WAFs sit between your users and your application to filter out traffic that contains common attack patterns. This prevents attack payloads from reaching your main web application, thus saving your system from compromise.
9. Cyber Insurance
This is not a technical defense measure per se, but having a good Cyber Insurance policy can provide you peace of mind. In the event of an attack, this may actually keep you from going bankrupt. The underwriting process for cyber insurance generally entails a review of your existing security measures. The more robust your measures, the smaller the premium you would have to pay to cover your cyber risk. However, if your cyber security measures do not meet the baseline defined by the insurance company, they may reject your insurance proposal.