The old canard that “startups can’t or won’t invest in security” is unfortunately true for far too many businesses. One of the more common responses startups have for not investing in security is that they can’t afford to. When the founders or executive leadership are queried, they typically say they need to invest every single dollar and man-day of effort into creating their product. The fallacy within this logic is that they don’t realize the value a good security posture brings to both their product and brand.

The first step involves ensuring the topic of security weaves its way into the founders’ or executives’ thoughts as they blue-sky their next idea. The reality is that every startup, regardless of size, will fall within the target demographic of one criminal element or another. Not all will be engaged by the criminals, but then again, the company doesn’t get to decide who targets or attacks it — it only gets to decide what criminals will encounter should they show up.

Resources Are Thin

It is rare to find a startup whose funds aren’t tight. A new entity obviously can’t roll out the network security suite of tools and capabilities that a larger, more established company can bring to the table. That said, what startups can do is identify what is required and desired, then triage for risk and invest in the mitigation of the greatest risks first. Then, as resources become available, the mitigation effort should advance to the next security level, knocking down the next-largest risk.

Where Should Startups Start?

The first area of investment is locking down endpoint devices. Not every startup has an internal network infrastructure when they open their doors. In fact, many use a hub-and-spoke approach to put their infrastructure together by leveraging third parties that provide software-as-a-service and cloud infrastructure. These services, and all engagements with clients, are accessed from endpoint devices, which should have some basic security measures in place.

The following are three inexpensive security steps that startups should take to protect their endpoint devices:

  1. Utilize personal identification numbers or passphrase access control for all devices. This costs nothing and makes it more difficult for anyone who finds a lost device to unlock it.
  2. Employ hard disk encryption; both Windows and macOS have built-in disk encryption capabilities. If the device goes missing, the sensitive content on the hard drive may be out of your control, but because it is encrypted, the loss of the device is a nonevent from the perspective of the data being exploited.
  3. Use device-level security software, including antivirus.
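As an added example (not code from the original article), the following PowerShell script audits a Windows endpoint against the three steps above: password-required accounts and a locking screen saver, BitLocker on the system drive, and Microsoft Defender antivirus with current signatures. It assumes Windows 10/11 with the built-in BitLocker and Defender modules and an elevated session; the seven-day signature threshold is a chosen value, not one from the article.

```powershell
# Added example: audit the three inexpensive endpoint controls from the list above.
# Assumes Windows 10/11, the BitLocker and Defender PowerShell modules, and an
# elevated session. The 7-day signature age threshold is an assumed policy value.

function Test-EndpointBaseline {
    $findings = @()

    # 1. Access control: enabled local accounts must require a password, and the
    #    screen saver must lock the session when it resumes.
    $noPassword = Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired }
    foreach ($u in $noPassword) {
        $findings += "Local account '$($u.Name)' does not require a password"
    }
    $desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    if ($desktop.ScreenSaveActive -ne '1' -or $desktop.ScreenSaverIsSecure -ne '1') {
        $findings += "Screen saver is not configured to lock the session on resume"
    }

    # 2. Disk encryption: the OS volume should report BitLocker protection as On.
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($osVol.ProtectionStatus -ne 'On') {
        $findings += "BitLocker protection is '$($osVol.ProtectionStatus)' on $($env:SystemDrive)"
    }

    # 3. Device-level security software: Defender antivirus with real-time
    #    protection enabled and signatures updated within the last 7 days.
    $mp = Get-MpComputerStatus
    if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
        $findings += "Antivirus or real-time protection is disabled"
    }
    if ($mp.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-7)) {
        $findings += "Antivirus signatures last updated $($mp.AntivirusSignatureLastUpdated)"
    }

    if ($findings.Count -eq 0) {
        Write-Output 'PASS: all three endpoint controls are in place'
    } else {
        $findings | ForEach-Object { Write-Output "FAIL: $_" }
    }
    return $findings
}

# Run the audit; an empty result means the device passes all three checks.
$result = Test-EndpointBaseline
```

Each failing check is reported as its own line, so the output doubles as a remediation list for a brown-bag walkthrough with the device's owner.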

The next area to address is employee security awareness. This doesn’t need to be expensive, but it should be consistent and all-inclusive. Implementation can be as economical as brown-bag security awareness discussions over lunch.

Reviewing Third Parties

Another area every startup should address and review is the aforementioned third-party applications and infrastructure. As the company walks through a build/buy/lease triage on all services required to enable the company’s success, it is important to maintain a checklist of all the security requirements and whether each one is feasible. In the instances where buy/lease paths are chosen, investing a small amount of time reviewing the security documentation (SOC, SSAE-16, etc.), privacy policy and terms of service will pay immediate and long-term dividends. This review gives a clearer understanding of the third party’s current security and privacy acumen and of how it will protect the company’s data.

The last area every startup should address is the security of its products and customers. When developing a service or evolving a product, building security into the mix at the outset is and always will be less expensive than waiting and bolting on the security solution.

In sum, startups don’t have to wait to bolt on security to their company. Instead, they can implement security practices, procedures and capabilities at a minimal cost from day one.
