It’s never too early for a start-up business to begin to strategize and operationalize its cybersecurity goals–in fact, it’s a necessary prerequisite for high-yield growth. And yet, with all the high-velocity activity and rapid decision-making that characterizes most startups’ early existence, it can be easy to overlook some of the critical prophylactic steps that must be taken to safeguard a nascent company’s value potential. The importance of this cannot be overstated, given that the harm to a startup’s reputation and brand name can be existential if proper controls are not in place. A recent Forbes CommunityVoice article by start-up founder Isaac Kohen offers some helpful starting points for businesses of all sizes to keep in mind. The major takeaways are summarized below, with additional perspective added.
Growing a Cybersecurity Culture from Day One. A critical reminder for all is that cybersecurity is not at heart an infrastructure issue—it’s a cultural one. Most data-related incidents and lapses actually occur as a result of unintentional employee actions or an organization’s nonchalant approach to protecting personal data and intellectual property. To combat the establishment of lax norms, it’s important to identify privacy and cybersecurity champions within each group who incentivize, promote and make enjoyable the training and reinforcement that go into building a cybersecurity culture.
Elevating Accountability as a Key Attribute. Talk is cheap, and without proper follow-through at each level of an organization, the best-laid cybersecurity plans will topple like a house of cards. This can involve performance metrics, enforced policies (such as no “bring-your-own-device” or no taking company computers to public outings where loss is more likely to occur), discussions in managerial reviews and even employee monitoring–if done carefully, transparently and respectfully. Such employee oversight is generally carried out via monitoring software that restricts data collection to specific, data-centric applications, enables auto-redaction and masking of personal data, and is inclusive of all employees–including founders and management–to set the proper top-down tone.
It’s Not Only Good Business–It’s the Law. As TrustArc customers are already aware, most data protection regulations around the world impose security requirements on organizations, meaning that these costs should be expected and built into overall compliance and IT budgets. This is certainly the case for startup businesses seeking to operate in, or target products and services to, European Union audiences thanks to the GDPR, but it’s also the case in an increasing number of Asian, African and South American nations. Moreover, the United States already has a number of industry-specific federal laws with security obligations (such as HIPAA, FCRA, GLBA and an alphabet soup of other regulations), and states like California are now passing their own privacy laws, with possible comprehensive federal legislation on the horizon as well, so proper cybersecurity practices must be a fact of life for all companies going forward.
Training and Best Practices Are the Way To Go. Technology and threat vectors evolve, and so too should the measures a startup business takes to thwart external threats. Team members recognizing and understanding an issue, and knowing who/what/where/when/how to escalate it, is critical. That said, it is not necessary to “reinvent the wheel” on all things. From a U.S. perspective, which can in many cases be leveraged interoperably toward compliance with other major frameworks around the world, the Federal Trade Commission has released terrific resources that provide a blueprint for startups. Examples include the FTC’s 2015 “Start With Security: A Guide for Business” page, which was followed in 2017 by a “Stick With Security” series of blog posts that provide data security-related guidance, examples, and best practices for small, mid-sized and even enterprise businesses to spin up throughout their organizations.
In all, start early, have a plan and document your steps, develop a multistakeholder approach to privacy and cybersecurity across all teams, imbue accountability throughout–then add water and watch your business grow.