Another founder was walking me through their product the other day to have us consider using it. At the end of the session, I said: “This is probably an obvious question, especially coming from me. But how’s your security?”
They said: “Oh. That’s not an obvious question at all. I haven’t considered it. Our CTO might have a better answer. We at least force our users to log in. Is that enough?”
You might think I’d be shocked at the answer. But I’ve spoken to enough startups to know most don’t know where to start, so they find it easier to ignore security until they are forced to deal with it.
In fact, security should be built in from the start.
The key is to be pragmatic about it: do just enough to match your risk profile, and no more, until that risk profile changes.
We’re too small to worry about cybersecurity
Admit it, you’d rather not have to think about securing your product. You have other things to worry about: cash runway, burn, product-market fit, sales pipeline, active users, churn, NRR, CAC, LTV, and a hundred other metrics you are supposed to track.
I get it. You’re thinking security doesn’t matter if you end up going out of business anyway.
The reality is that today most startups only care about security under the following circumstances:
1. If a customer asks you about it and it becomes a barrier that stands in the way of revenue:
- Most commonly, it’ll be another company that wants to make sure they aren’t going to put their data in a service that isn’t properly secured;
- Or your consumers. Don’t assume they don’t care. They do, but they don’t call it “security”. To them, it’s about privacy and trust. In a world where many of your users are digital natives, they care and many will not sign up for your service if they don’t trust it.
2. You are in a regulated industry and have to prove to a regulator that you are taking security seriously.
3. You suffer a cyber incident.
The main problem is that if you wait for one of these events, it’s likely too late, or you end up scrambling to come up with answers that aren’t on the mark. When you inevitably realise you have questions you can’t answer, you end up paying someone else a fee (likely too much) to tell you what to do and to implement it for you.
Addressing this proactively is almost always going to be cheaper than reacting to it when you are forced to.
I’m not here to preach about “securing all the things”. The most important thing when you are trying to make every dollar stretch is to be practical about what you spend money on. You probably don’t need to do nearly as much as a tier one bank. However, you shouldn’t be doing nothing either.
Minimum Viable Security (MVS)
As startups, we should be familiar with the concept of a Minimum Viable Product (MVP). Using the same concept, what does Minimum Viable Security look like?
- Key Business Systems Registry – This is a listing of the systems you use that hold your most important data. That data is your “crown jewels”: maintain a list of what it is and which systems it resides in. For an added bonus, assess the security and suitability of each system for your needs. If a system doesn’t meet your minimum security requirements, reconsider its use and migrate to an alternative. Review the registry regularly (at least quarterly). All your Key Business Systems should have multi-factor authentication enforced, not merely available.
- Employee Awareness and Education – Every employee in your company should undergo basic security awareness training. This should not be a once-a-year exercise, otherwise nothing sinks in. It should be periodic, done in smaller chunks, and interactive. The worst type of education is the kind that feels like an exam.
- Security Monitoring – For the most critical systems that you control (e.g. the cloud infrastructure your product runs on), you should at least have logging enabled so you capture an audit trail of what’s going on, and the people who administer those systems should not be able to switch the logging off or delete it. Logs only tell you what happened after the fact; if the data you hold warrants more, add malware and behavioural anomaly detection with alerting, so you find out while something is happening rather than months later.
- Access Controls – The most important access control restriction you need is to limit administrative access to all your critical systems. In security, this is known as the principle of least privilege: no one should have more access than they need to do their job, and the list of people with administrative access should be short and known. For example, at Avertro, we are very strict about who has administrative access to the production environment of CyberHQ (our product); despite being the founder and CEO, I do not have access to our customer environments and associated data.
- Endpoint Protection – Even if you don’t have a budget for a commercial endpoint protection product deployed to all employee laptops and workstations, you should at least ensure that each has a free one installed and kept up to date (Windows ships with Microsoft Defender Antivirus). You should also ensure that full-disk encryption is enabled; BitLocker on Windows and FileVault on macOS are free and come with the operating system, so you really have no excuse.
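The registry and access-control items above are easy to turn into a check you can run every quarter. The following is an added example, not Avertro’s code or CyberHQ’s: it holds a small constructed registry of Key Business Systems and flags any system that does not meet the minimums described (MFA enforced, a short admin list, a review within the last quarter, audit logging on). The system names, the admin limit of two and the 91-day review interval are assumptions for illustration.

```python
"""Hypothetical Key Business Systems Registry check (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=91)   # "at least quarterly" (assumption: 91 days)
MAX_ADMINS = 2                         # assumption: a small startup needs very few admins
AUDIT_DATE = date(2024, 4, 1)          # constructed "today" so the example is repeatable


@dataclass
class System:
    name: str
    data_held: list        # which crown-jewel data lives here
    mfa_enforced: bool     # enforced for every account, not just available
    admins: list           # accounts with administrative access
    last_reviewed: date
    audit_logging: bool


def check_system(system, today):
    """Return the list of findings for one system; an empty list means it passes."""
    findings = []
    if not system.mfa_enforced:
        findings.append("MFA not enforced")
    if len(system.admins) > MAX_ADMINS:
        findings.append(f"{len(system.admins)} admins (limit {MAX_ADMINS})")
    if today - system.last_reviewed > REVIEW_INTERVAL:
        findings.append("review overdue")
    if not system.audit_logging:
        findings.append("audit logging disabled")
    return findings


def audit_registry(registry, today):
    """Map each system name to its findings."""
    return {s.name: check_system(s, today) for s in registry}


# Constructed sample registry: three systems, two of which fall short.
REGISTRY = [
    System("prod-cloud", ["customer data"], True, ["ops-lead"], date(2024, 3, 1), True),
    System("crm", ["customer contacts", "pipeline"], False,
           ["ceo", "sales-lead", "founder2"], date(2023, 10, 15), True),
    System("payroll", ["employee PII", "bank details"], True, ["finance"], date(2024, 2, 20), False),
]


def run_audit():
    """Audit the constructed registry as of AUDIT_DATE."""
    return audit_registry(REGISTRY, AUDIT_DATE)


if __name__ == "__main__":
    for name, findings in run_audit().items():
        status = "OK" if not findings else "FAIL: " + "; ".join(findings)
        print(f"{name:12} {status}")
```

Running it lists the CRM as failing on three counts (no MFA, too many admins, review overdue) and payroll as failing only on logging; the point is that the registry is a living document with rules attached, not a spreadsheet nobody opens.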
There are a lot of cost-effective (some actually free) options for implementing the points above. Of course, there is some cost to getting to MVS, but you’d be surprised what you can achieve with a budget of a few hundred to a few thousand dollars per year.
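To show what “at least have logging enabled” buys you under the Security Monitoring item, here is an added example (not Avertro’s code) that runs a handful of simple alert rules over a constructed audit trail. The events are shaped like cloud provider audit records, one JSON object per line, but the field names, user names and IP addresses are assumptions made up for this example; the rules flag root-account use, console logins without MFA, privilege changes by anyone not on the approved admin list, and attempts to switch logging off.

```python
"""Hypothetical minimal audit-log alerting over constructed events (added example)."""
import json

# Constructed sample audit trail; field names follow a CloudTrail-like shape (assumption).
SAMPLE_LOG = """
{"eventTime": "2024-04-01T08:00:12Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "ops-lead"}, "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "203.0.113.10"}
{"eventTime": "2024-04-01T08:05:40Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.7"}
{"eventTime": "2024-04-01T09:17:03Z", "eventName": "PutUserPolicy", "userIdentity": {"type": "IAMUser", "userName": "dev-3"}, "sourceIPAddress": "203.0.113.10"}
{"eventTime": "2024-04-01T09:20:00Z", "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "dev-3"}, "sourceIPAddress": "203.0.113.10"}
{"eventTime": "2024-04-01T10:01:55Z", "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "dev-3"}, "sourceIPAddress": "203.0.113.10"}
"""

# Event names that change who can do what, and ones that blind you (assumed names).
PRIVILEGE_CHANGE_EVENTS = {"PutUserPolicy", "AttachUserPolicy", "CreateAccessKey", "AddUserToGroup"}
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail"}
ADMINS = {"ops-lead"}  # assumption: the short, known list of approved administrators


def evaluate(event):
    """Return alert strings for one parsed event (empty list if nothing is wrong)."""
    alerts = []
    identity = event.get("userIdentity", {})
    who = identity.get("userName", identity.get("type"))
    name = event["eventName"]
    if identity.get("type") == "Root":
        alerts.append("root account used")
    if name == "ConsoleLogin" and event.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        alerts.append("console login without MFA")
    if name in PRIVILEGE_CHANGE_EVENTS and who not in ADMINS:
        alerts.append(f"privilege change by non-admin {who}")
    if name in LOGGING_TAMPER_EVENTS:
        alerts.append(f"audit logging tampered with ({name})")
    return [f"{event['eventTime']} {who}: {alert}" for alert in alerts]


def scan(log_text):
    """Parse a newline-delimited JSON log and collect every alert."""
    alerts = []
    for line in log_text.strip().splitlines():
        if line.strip():
            alerts.extend(evaluate(json.loads(line)))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The ordinary login and the read-only API call produce nothing; the root login without MFA, the policy change by a developer and the attempt to stop logging each raise an alert. Four rules over a log you already have is a long way from a SOC, but it is exactly the kind of alerting a startup can run for free and act on.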
As part of our upcoming series of articles designed to help technology startups, we are offering free twenty minute Ask Me Anything sessions with our experts. If you have any security questions you’d like answered, book time with us by emailing firstname.lastname@example.org.