When’s the right time to create formal processes to protect your company's cybersecurity?
Ideally from Day 0, or at least Day 1. In practice, many small to medium businesses do not prioritise it until they have already been compromised.
So how can you avoid it?
Below we’ve listed 4 easy steps to help set yourself up from Day 1.
Note: the steps below apply equally to any tech company or SMB in its growth or scale-up phase.
1. Identify the data that you collect, store and process
Data is the most valuable asset for any business, big or small, and therefore should be the first thing that a business identifies, controls and protects.
- As soon as your business acquires its first customer (sometimes even before), it already has a duty of care towards that customer to protect their data and identity. Most startups request a substantial amount of information from their customers via onboarding forms, surveys, website cookies, etc. To reduce risk exposure, start by collecting only the information the business actually needs (data minimisation): what you never collect, you never have to protect or disclose in a breach.
- As you build your product tech stack and the supporting business processes, identify the different sensitive data sets that will be collected by each component. Start restricting access to these sensitive data sets within systems.
- Pay extra attention to data that could be used to impersonate or harm people. If your business requests copies of IDs, health records, contractual information, etc., keep them only in systems that enforce access control, encrypt the data at rest and log who accessed it. A shared drive, inbox or chat channel is not such a system, even if the folder is password-protected.
- Other sensitive data sets such as software code or patents need to be controlled so your ways of working and trade secrets are well protected.
It is much easier (and cheaper) to develop processes to secure data early, rather than wait until your business scales.
Time = money
2. Protect critical processes that run your business
Identifying your business-critical processes and operations enables a risk-based approach to cybersecurity.
- Identify what operations and processes directly impact customers, revenue generation, costs, etc. (e.g. Payment transaction processes). Critical processes are those that directly contribute to your overall business strategy and mission.
- Assess the impact of an interruption to each critical process caused by a cyber-attack (e.g. a disruption to the website could block an entire revenue stream). Rate the impacts on a simple scale (e.g. High, Medium, Low) so that limited security effort goes to the processes that matter most.
- Develop strong Backup and Disaster Recovery protocols to help your team restore these processes when disaster strikes (e.g. a customer data loss incident or a ransomware attack). Decide how much data you can afford to lose and how long you can afford to be down for each process, keep at least one copy of backups where a compromised account cannot delete it, and test restores regularly: an untested backup is not a backup.
3. Determine your ‘crown jewels’
Once you’ve identified the critical data and operations, it is time to understand what systems support these.
A business technology infrastructure is a nervous system of applications. It is essential to determine which of these systems directly manage the critical data sets and operations (identified in steps 1 and 2). Applying the 80-20 rule, in most cases, 20% of the systems drive 80% of the business operations and data.
- The industry term for these critical systems is ‘Crown Jewels’. A clear distinction between crown jewels and all the other systems enables prioritisation of what cybersecurity controls need to be built.
- If your ‘crown jewels’ are primarily third-party applications, it is essential to know who the vendors are and to ensure there are adequate contractual agreements regarding uptime and risk management, including how and when the vendor will notify you of a security incident affecting your data.
- Limit access to the crown jewels to people who need it for their current role (least privilege), and prefer named, individual accounts over shared credentials so that access can be reviewed and removed per person.
- It is equally important to have a formal joiner/mover/leaver process in place to revoke access as soon as a role changes or a person leaves the organisation. Review the accounts on these systems against your HR records on a regular schedule; access that was granted for a previous role, and accounts belonging to people who have left, are the most common gaps found in such reviews.
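The mover/leaver review described above can be made concrete with a small script. The following is an added example, not code from the original article: it reconciles the accounts present on two hypothetical crown-jewel systems against an HR roster and a role-to-entitlement matrix, and flags four kinds of problem. The systems, roles, people, entitlements and dates are constructed sample data; in practice the roster would come from the HR system and the account list from each application's user export or API.

```python
"""Joiner/mover/leaver access review for 'crown jewel' systems (added example).

Reconciles accounts on critical systems against the HR roster and a
role-to-entitlement matrix and reports:
  LEAVER  an active account belonging to someone who has left
  MOVER   entitlements not permitted by the person's current role
  ORPHAN  an account with no matching person in the roster
  STALE   an account unused for longer than the review window
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Person:
    email: str
    role: str
    status: str  # "active" or "left"


@dataclass(frozen=True)
class Account:
    system: str
    email: str
    entitlements: frozenset
    last_login: date


@dataclass(frozen=True)
class Finding:
    kind: str
    system: str
    email: str
    detail: str


# Which entitlements each role may hold on each system. Anything not listed
# is denied, which is what least privilege means in practice. (Hypothetical.)
ROLE_MATRIX = {
    ("payments-db", "finance"): {"read", "reconcile"},
    ("payments-db", "dba"): {"read", "write", "admin"},
    ("crm", "sales"): {"read", "write"},
    ("crm", "finance"): {"read"},
}


def review_access(people, accounts, today, stale_after=timedelta(days=90)):
    """Return the list of findings for the given roster and account export."""
    roster = {p.email: p for p in people}
    findings = []
    for acct in accounts:
        person = roster.get(acct.email)
        if person is None:
            findings.append(Finding("ORPHAN", acct.system, acct.email,
                                    "no matching person in HR roster"))
            continue
        if person.status == "left":
            findings.append(Finding("LEAVER", acct.system, acct.email,
                                    "account still active after departure"))
            continue
        allowed = ROLE_MATRIX.get((acct.system, person.role), set())
        excess = acct.entitlements - allowed
        if excess:
            findings.append(Finding("MOVER", acct.system, acct.email,
                                    f"role {person.role} does not permit: {sorted(excess)}"))
        if today - acct.last_login > stale_after:
            findings.append(Finding("STALE", acct.system, acct.email,
                                    f"last login {acct.last_login.isoformat()}"))
    return findings


def summarise(findings):
    """Count findings by kind, e.g. for a monthly access-review report."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample data (not from the article).
REVIEW_DATE = date(2024, 6, 1)
SAMPLE_PEOPLE = [
    Person("alice@example.com", "finance", "active"),
    Person("bob@example.com", "dba", "left"),          # left, account never removed
    Person("carol@example.com", "sales", "active"),    # moved from finance to sales
    Person("dave@example.com", "sales", "active"),
]
SAMPLE_ACCOUNTS = [
    Account("payments-db", "alice@example.com", frozenset({"read", "reconcile"}), date(2024, 5, 28)),
    Account("payments-db", "bob@example.com", frozenset({"read", "write", "admin"}), date(2024, 5, 30)),
    Account("payments-db", "carol@example.com", frozenset({"read", "reconcile"}), date(2024, 5, 20)),
    Account("crm", "carol@example.com", frozenset({"read", "write"}), date(2024, 5, 31)),
    Account("crm", "dave@example.com", frozenset({"read", "write"}), date(2024, 1, 15)),
    Account("crm", "svc-legacy@example.com", frozenset({"read"}), date(2024, 5, 30)),
]


def run_sample():
    """Run the review over the constructed sample and return its findings."""
    return review_access(SAMPLE_PEOPLE, SAMPLE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind:6} {f.system:12} {f.email:24} {f.detail}")
    print(summarise(run_sample()))
```

Each finding maps to an action: LEAVER and ORPHAN accounts are disabled immediately, MOVER entitlements are trimmed to the current role, and STALE accounts are confirmed with the owner before removal. Running this on a schedule, rather than relying on someone remembering to raise a ticket when a colleague leaves, is what turns the "formal process" above into something that actually happens.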
4. Apply baseline cybersecurity controls and monitor them periodically
A quick web search will reveal a number of cybersecurity frameworks and regulations, which can be very overwhelming.
- For tech companies, third-party risk or supply-chain risk is an area of increasing concern due to heavy reliance on vendors for key services and infrastructure. As mentioned in the previous point, if your product tech stack relies on key third-party applications, your business must validate whether these vendor organisations have good cybersecurity hygiene. This step is especially important if a vendor-provided application has access to your network and/or sensitive data.
- The reverse of the above situation also holds if your company sells products to other businesses. These business customers would very likely want to review your organisation’s cybersecurity capability before approving an order. Therefore, a mindset shift is needed to understand that cybersecurity is no longer just a cost function but can also have a direct impact on revenue.
- The MVSP (Minimum Viable Secure Product, https://mvsp.dev) is a good starting point for understanding which baseline, foundational controls to implement within your organisation. You can also use this framework, or a similar one, to assess the cybersecurity hygiene of your critical vendors.
Once baseline cybersecurity controls are in place, advanced capabilities can be enabled as the business scales in size and revenue.
Incorporating good cybersecurity practices from the get-go sets your company up for success and helps it build strong trust and a strong brand within its ecosystem.
You’ll avoid spending substantial effort and time later to fix processes and systems that were never secure, and the business will be more resilient to cyber-attacks and compromises.