The old canard that “startups can’t or won’t invest in security” is unfortunately true for far too many businesses. One of the more common responses startups have for not investing in security is that they can’t afford to. When the founders or executive leadership are queried, they typically say they need to invest every single dollar and man-day of effort into creating their product. The fallacy within this logic is that they don’t realize the value a good security posture brings to both their product and brand.

The first step involves ensuring the topic of security weaves its way into the founders’ or executives’ thoughts as they blue-sky their next idea. The reality is that every startup, regardless of size, will fall within the target demographic of one criminal element or another. Not all will be engaged by the criminals, but then again, the company doesn’t get to decide who targets or attacks it — it only gets to decide what criminals will encounter should they show up.

Resources Are Thin

It is rare to find a startup whose funds aren’t tight. A new entity obviously can’t roll out the network security suite of tools and capabilities that a larger, more established company can bring to the table. That said, what startups can do is identify what is required and desired, then triage for risk and invest in the mitigation of the greatest risks first. Then, when resources are required, the mitigation implementation should evolve to the next security level, knocking down another risk.

Where Should Startups Start?

The first area of investment is locking down endpoint devices. Not every startup has an internal network infrastructure when they open their doors. In fact, many use a hub-and-wheel approach to put their infrastructure together by leveraging third parties that provide software-as-a-service and cloud infrastructure. These services and engagements with clients all come from endpoint devices, which should have some basic security implementations in place.

The following are three inexpensive security steps that startups should take to protect their endpoint devices:

1. Utilize personal identification numbers or passphrase access control for all devices. This costs nothing and makes it more difficult for third parties to open it if they find the lost device.
2. Employ hard disk encryption; both Windows and Apple OS have built-in encryption capabilities. If the device goes missing, the sensitive content within the hard drive may be out of your control, but its encrypted state makes the loss of the device a nonevent from the perspective of data being exploited.
3. Use device-level security software, including antivirus.

The next area to address is employee security awareness. This doesn’t need to be expensive, but it should be consistent and all-inclusive. Implementation can be as economical as brown-bag security awareness discussions over lunch.

Reviewing Third Parties

Another area every startup should address and review is the aforementioned third-party applications and infrastructure. As the company walks through a build/buy/lease triage on all services required to enable the company’s success, it is important to ensure there is a checklist of all the security requirements and whether they are feasible. In the instances where buy/lease paths are chosen, investing a small amount of time reviewing the security documentation (SOC, SSAE-16, etc.), privacy and terms of service will pay immediate and long-term dividends. This review permits a higher degree of understanding of the third-party’s current security and privacy acumen and how it will protect the company’s data.

The last area every startup should address is the security of its products and customers. When developing a service or evolving a product, building security into the mix at the outset is and always will be less expensive than waiting and bolting on the security solution.

In sum, startups don’t have to wait to bolt on security to their company. Instead, they can implement security practices, procedures and capabilities at a minimal cost from day one.