December 25, 2014 By Christopher Burgess 3 min read

The old canard that “startups can’t or won’t invest in security” is unfortunately true for far too many businesses. One of the more common responses startups have for not investing in security is that they can’t afford to. When the founders or executive leadership are queried, they typically say they need to invest every single dollar and man-day of effort into creating their product. The fallacy within this logic is that they don’t realize the value a good security posture brings to both their product and brand.

The first step involves ensuring the topic of security weaves its way into the founders’ or executives’ thoughts as they blue-sky their next idea. The reality is that every startup, regardless of size, will fall within the target demographic of one criminal element or another. Not all will be engaged by the criminals, but then again, the company doesn’t get to decide who targets or attacks it — it only gets to decide what criminals will encounter should they show up.

Resources Are Thin

It is rare to find a startup whose funds aren’t tight. A new entity obviously can’t roll out the network security suite of tools and capabilities that a larger, more established company can bring to the table. That said, what startups can do is identify what is required and desired, then triage for risk and invest in the mitigation of the greatest risks first. Then, as resources become available, the mitigation implementation should evolve to the next security level, knocking down another risk.

Where Should Startups Start?

The first area of investment is locking down endpoint devices. Not every startup has an internal network infrastructure when it opens its doors. In fact, many use a hub-and-wheel approach to put their infrastructure together by leveraging third parties that provide software-as-a-service and cloud infrastructure. These services and engagements with clients all come from endpoint devices, which should have some basic security implementations in place.

The following are three inexpensive security steps that startups should take to protect their endpoint devices:

  1. Utilize personal identification numbers or passphrase access control for all devices. This costs nothing and makes it more difficult for a third party who finds a lost device to open it.
  2. Employ hard disk encryption; both Windows and Apple OS have built-in encryption capabilities. If the device goes missing, the sensitive content within the hard drive may be out of your control, but its encrypted state makes the loss of the device a nonevent from the perspective of data being exploited.
  3. Use device-level security software, including antivirus.
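
One way to verify step 2 on each laptop, as an added example that is not part of the original article: it classifies the output of the operating system's own status command (`fdesetup status` on macOS, `manage-bde -status` on Windows). It assumes English-language command output and a system drive of `C:`; the function names and the sample outputs are constructed for illustration.

```python
import platform
import re
import subprocess

# OS-native status commands (manage-bde needs an elevated prompt).
COMMANDS = {"Darwin": ["fdesetup", "status"],
            "Windows": ["manage-bde", "-status", "C:"]}

# Constructed sample outputs, trimmed to the fields that matter.
SAMPLE_FILEVAULT_OFF = "FileVault is Off.\n"
SAMPLE_BITLOCKER_SUSPENDED = (
    "Volume C: [OS]\n"
    "    Conversion Status:    Fully Encrypted\n"
    "    Percentage Encrypted: 100.0%\n"
    "    Protection Status:    Protection Off\n"
)

def classify(system, output):
    """Return 'protected', 'partial' or 'unprotected' for one device."""
    if system == "Darwin":
        if "in progress" in output.lower():
            return "partial"  # encryption or decryption still running
        return "protected" if "FileVault is On" in output else "unprotected"
    if system == "Windows":
        pairs = re.findall(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", output, re.M)
        fields = {k.strip(): v.strip() for k, v in pairs}
        conv = fields.get("Conversion Status", "")
        prot = fields.get("Protection Status", "")
        done = conv in ("Fully Encrypted", "Used Space Only Encrypted")
        if done and prot == "Protection On":
            return "protected"
        if conv in ("", "Fully Decrypted"):
            return "unprotected"
        # Converting, or encrypted with protection suspended: the volume
        # key is not yet (or no longer) guarded, so treat loss as exposure.
        return "partial"
    raise ValueError(f"no check defined for {system!r}")

def check_local():
    """Run the native command on this machine and classify its output."""
    system = platform.system()
    if system not in COMMANDS:
        raise ValueError(f"no check defined for {system!r}")
    result = subprocess.run(COMMANDS[system], capture_output=True, text=True)
    return classify(system, result.stdout)

if __name__ == "__main__":
    print(check_local())
```

A device that reports `partial` should not be counted as a nonevent if lost: a BitLocker volume can be fully encrypted while protection is suspended.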

The next area to address is employee security awareness. This doesn’t need to be expensive, but it should be consistent and all-inclusive. Implementation can be as economical as brown-bag security awareness discussions over lunch.

Reviewing Third Parties

Another area every startup should address and review is the aforementioned third-party applications and infrastructure. As the company walks through a build/buy/lease triage on all services required to enable the company’s success, it is important to ensure there is a checklist of all the security requirements and whether they are feasible. In the instances where buy/lease paths are chosen, investing a small amount of time reviewing the security documentation (SOC, SSAE-16, etc.), privacy and terms of service will pay immediate and long-term dividends. This review permits a higher degree of understanding of the third party’s current security and privacy acumen and how it will protect the company’s data.

The last area every startup should address is the security of its products and customers. When developing a service or evolving a product, building security into the mix at the outset is and always will be less expensive than waiting and bolting on the security solution.

In sum, startups don’t have to wait to bolt on security to their company. Instead, they can implement security practices, procedures and capabilities at a minimal cost from day one.
