As a startup, you might have branded swag well before a cybersecurity strategy. And it’s not hard to understand why. Printing stickers is easy. Knowing where to start with security – the who, what, how, and why – can feel a bit more daunting. But it doesn’t have to be, and it’s far more important to your company’s future.
Cybersecurity risks are growing by the day, especially for startups. Almost half of smaller businesses reported cybersecurity breaches or attacks over the last year, up from less than a third in the previous year. It’s an epidemic that forces 60 percent of affected businesses to close within 6 months.
Part of the problem is a lack of resources – small companies are often stretched thin, and IT hires aren’t always seen as a priority early on. But the larger issue is a lack of awareness. Startups often don’t know the extent of risks they face, their particular vulnerabilities, or that solutions don’t need to be expensive or complicated.
If you’re leading a startup, and have a steady stream of Instagram posts but no cybersecurity plan, let’s fix that. The first step is building awareness so you can pass the baton of knowledge to your team and help nurture safe habits that protect your data.
The many roads to your business' data
Love it or hate it, the internet is integral to modern business. You may offer a product or service that’s directly tied to it, like an enterprise chat app or a battle royale video game. Regardless, your business likely uses the internet to communicate – internally and with customers – perform certain tasks, and store information.
If your business uses the web to store or share any kind of business data, you need to be mindful of cybercriminals. Even your employees’ web browsing is a risk factor. So if you think your data is safe and sound, you may need to reconsider.
The remote work transformation tossed a bunch of gasoline onto the cybersecurity fire. With employees working anywhere and everywhere, each new device, app, and network they use could create the opening cybercriminals are looking for. In some cases, even personal and family web usage can open a backdoor to company data. Without the right strategy, this can be overwhelming for a startup to deal with.
Devices, apps, routers, networks – there’s plenty to consider when it comes to securing your data. One compromised account can potentially expose your most sensitive data. To minimize those risks, make security a teamwide effort.
If you don’t have one, create a small handbook or set of security policies that everyone can follow – like using strong, unique passwords for all their accounts. As you scale, you’ll want a dedicated security expert or team to help oversee these efforts. In the meantime, make it a collective responsibility with some clear messaging from the top. Third-party security services are available for different aspects of security as you go, or if you just need cybersecurity consulting in general.
Make access a privilege with account permissions
Any employee or business partner with access to your startup’s information needs to maintain long, complex credentials for their accounts. (The largest cause of data breaches is weak and reused passwords, after all.) Another major step is keeping this access on a “must-have” basis.
This basic idea is nothing new. Years ago, security experts adopted the “principle of least privilege” (or PoLP) to describe a safer approach to access management. PoLP encouraged companies to limit all access – device, software, network, sensitive data – to those who need it. And to add new users on a case-by-case basis from there. Doing so limits your data’s exposure, and the number of accounts that are susceptible to being compromised.
Recently, the term “zero-trust model” picked up where PoLP left off. Popularized by Microsoft, which used the model in their own security strategy, zero trust requires even those most trusted in an organization to reverify their identity when accessing a critical system or drive, or executing certain functions. This is done through multi-factor authentication (MFA) or another advanced verification method.
Larger businesses will often use identity and access management (IAM) tools like Okta to assist with PoLP or zero-trust authentication. As a startup, you might not have the budget or team size to justify these sorts of tools. But that doesn’t mean you can’t invest in the same principles.
Use segmentation to control what people can see on apps like Slack, and set permissions on productivity tools such as Google Docs. For that added “zero-trust” layer, encourage employees to use two-factor authentication (2FA), especially with your more critical data or systems. These security solutions don’t require much time or money to implement – and can save you from major headaches in the future.
Test, protect, and monitor your digital assets
It’s a good idea to document and track your portfolio of digital assets, including devices, apps, and hard drives. Asset monitoring and application performance monitoring software might come in handy for the task, especially as your digital footprint scales.
The next step is taking care of any suspicious files or activity. Antivirus software can help detect and remove unwanted files or programs on devices and networks, whether they’re already present or show up later. Use tools like security risk analysis software to scan IT assets for problem areas and suggest updates for optimal protection.
There’s no shortage of high-tech security tools out there. But the best defense is also the most obvious (and affordable). Wherever a login credential might be used – be it an employee’s laptop, your Wi-Fi networks, cloud storage folders, or software tools – make sure they’re up to par. Every registered user should create strong, unique passwords and keep them safely stored, to reduce the chances of an attacker gaining unwanted access. 1Password can assist with the whole process, from generating passwords to storing them and even safely sharing items across your team.
(Read how a culture of security can help foster safe habits across your startup.)
1Password Watchtower will also alert your employees if any site or service they use is compromised. Anyone with admin privileges can routinely create domain breach reports that show any company email addresses affected by breaches around the web. You can also monitor your technology with other risk management and security tools like vulnerability scanner software, which can help rectify potential issues and identify new vulnerabilities as they arise. Lastly, threat intelligence software can be used to keep your finger on the pulse of emerging threats.
Even with incredibly tight measures in place, you need to plan for all possibilities. Put together a detailed incident response plan so your team can collectively investigate red flags and minimize the damage.
Check your list, check it twice
Staying agile is a core part of #StartupLife, and cybersecurity is no exception. Security is never “done” as threats evolve along with your company’s own risk factors. Stay alert and don’t allow your startup to fall behind; attackers pounce quickly on any security gaps that open up.
Each new app, user, and device should be audited and secured before use. Employees will need to stay vigilant when downloading personal apps or connecting their own devices and accounts at home, and create strong credentials wherever they’re needed.
When updates are made available – for devices, software programs, what-have-you – they should be downloaded and installed immediately. Work with your employees to keep technology and accounts up to date. If you or your team are notified of a compromised site or a weak password still in use, change that password right away to close off possible pathways to your vulnerable data.
If you have an IT team or an appointed “security specialist,” schedule regular meetings with them. Here you can review the health of your IT infrastructure, discuss any recent incidents, take note of emerging threats, and plan action items to bolster security.
At least one person needs to keep up with the people and projects inside the business, and modify account privileges where necessary. When someone is promoted, for example, they generally need access to more passwords, projects, and chat rooms.
It’s equally important that administrators revoke access when a team member decides to leave the company, or wraps up their portion of work on a highly sensitive project. This is especially true for any IT workers themselves. A recent 1Password survey showed that 88 percent of developers and IT professionals working at startups still have access to a former employer’s technical infrastructure or development environments.
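The two habits described above – granting access on a deny-by-default, “must-have” basis (the principle of least privilege) and revoking it promptly when someone leaves – can be checked with a small script. The following is an added example written for this post, not code from 1Password or from any product the post mentions. The roles, resources, account names and roster dates are all constructed sample data; a real startup would pull the roster from HR and the account list from its identity provider or individual apps.

```python
"""Least-privilege access review (added example; all data is constructed).

Two checks a small team can run on a schedule:
  1. Deny-by-default authorization: an action is allowed only if one of the
     account's roles explicitly grants it. Anything not listed is denied.
  2. Offboarding reconciliation: every account that still holds access must
     belong to someone on the current roster, and privileged roles must have
     MFA turned on. Everything else is flagged for follow-up.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical role -> set of (resource, action) pairs explicitly granted.
# A pair that does not appear here is denied, whatever the role.
ROLE_GRANTS = {
    "engineer": {("repo", "read"), ("repo", "write"), ("staging-db", "read")},
    "support": {("crm", "read"), ("crm", "write")},
    "finance": {("billing", "read"), ("billing", "write")},
    "admin": {("billing", "read"), ("repo", "read"), ("iam", "admin")},
}

# Roles whose holders should be required to have MFA enabled.
PRIVILEGED_ROLES = {"admin", "finance"}


@dataclass
class Account:
    username: str
    roles: set
    mfa_enabled: bool


def is_allowed(account, resource, action):
    """Deny by default: return True only if some role grants (resource, action)."""
    return any((resource, action) in ROLE_GRANTS.get(role, set())
               for role in account.roles)


def review_access(accounts, roster, today):
    """Return a list of (username, finding_code) for accounts needing attention.

    roster maps username -> end date (None while still employed). Accounts with
    no roster entry or a past end date should have all access revoked.
    """
    findings = []
    for acct in accounts:
        if acct.username not in roster:
            findings.append((acct.username, "REVOKE_NOT_ON_ROSTER"))
            continue
        end_date = roster[acct.username]
        if end_date is not None and end_date <= today:
            findings.append((acct.username, "REVOKE_DEPARTED"))
            continue
        if not acct.mfa_enabled and acct.roles & PRIVILEGED_ROLES:
            findings.append((acct.username, "ENABLE_MFA"))
    return findings


# Constructed sample data: four accounts and an HR roster as of a given day.
ACCOUNTS = [
    Account("alice", {"engineer"}, True),
    Account("bob", {"admin"}, False),            # privileged, no MFA
    Account("carol", {"support"}, True),         # left the company
    Account("dave", {"engineer"}, True),         # never on the roster
]
ROSTER = {"alice": None, "bob": None, "carol": date(2024, 3, 31)}
TODAY = date(2024, 4, 15)


def run_review():
    """Run the offboarding/MFA review over the sample data."""
    return review_access(ACCOUNTS, ROSTER, TODAY)


if __name__ == "__main__":
    print("alice may write repo:", is_allowed(ACCOUNTS[0], "repo", "write"))
    print("alice may read billing:", is_allowed(ACCOUNTS[0], "billing", "read"))
    for user, code in run_review():
        print(f"{user}: {code}")
```

The authorization function never falls through to “allow”: a role that is missing from `ROLE_GRANTS`, or a resource nobody thought to list, is denied, which is what makes adding permissions case by case safe. The review pass is the scripted version of the offboarding discipline the survey figure above is about; in practice it would be run against the identity provider’s user export rather than an in-memory list.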
Here’s a checklist of items to go over with your team to cover security from all angles:
- Fill or create IT/Security roles, or hire a managed services provider.
- Educate employees and stay up-to-date on potential threats.
- Take inventory of all assets (hardware and software).
- Test, scan, and update all assets, networks, and drives.
- Encrypt sensitive company data and drives.
- Create security guidelines and make them easily accessible to your team.
- Determine minimum access levels and add permissions only where necessary.
- Mandate that employees create strong, unique passwords for all devices and accounts.
- Enable threat detection and other asset monitoring.
- Create an incident response plan and train/test IT on readiness.
- Schedule regular updates for all assets and review of policies.
Empower employees to do their part to protect your company
Effective security is a true team effort. Just like your employees rock the company swag, they should be proud and fully invested in your security guidelines. With the right messaging, education, and tools, you can bake cybersecurity into your startup’s culture.
Secure habits and things to look out for should be clearly spelled out, and easily accessible for all employees. A few guidelines to include:
- Create strong, unique passwords for each account and device, including those not provided by the company.
- Update passwords immediately in the event of a data breach or other security incident.
- Only share passwords and other private information over secure channels (like 1Password).
- Don’t click on suspicious links in emails, fill out random forms on the web, or download untrustworthy files.
- Install software updates and security patches when made available.
To help educate employees and keep them engaged, include security training as part of onboarding and plan ongoing teamwide training sessions. This should include training on tools like 1Password that not only help them build secure habits but improve productivity and collaboration as well. Take advantage of 1Password University (which is completely free!) to build your team’s security knowledge and create an army of 1Password experts.
A password manager like 1Password is not just the easiest consideration for your small business security, but can also be the most impactful, closing your most prominent security gap (weak and reused passwords). 1Password Business users also get free accounts for their families. That means you can protect your team and their loved ones at home, and eliminate these backdoors to your company data.
A culture of security will grow with your startup, and offer peace of mind as you reach milestone after milestone. So the considerations you make now are an investment that will last. Your logo may change – and you’ll need to reprint your hats, if so – but a security-first mindset will be a reliable companion in your startup’s journey, wherever it leads.