December 25, 2014 By Christopher Burgess 3 min read

The old canard that “startups can’t or won’t invest in security” is unfortunately true for far too many businesses. One of the more common responses startups have for not investing in security is that they can’t afford to. When the founders or executive leadership are queried, they typically say they need to invest every single dollar and man-day of effort into creating their product. The fallacy within this logic is that they don’t realize the value a good security posture brings to both their product and brand.

The first step involves ensuring the topic of security weaves its way into the founders’ or executives’ thoughts as they blue-sky their next idea. The reality is that every startup, regardless of size, will fall within the target demographic of one criminal element or another. Not all will be engaged by the criminals, but then again, the company doesn’t get to decide who targets or attacks it — it only gets to decide what criminals will encounter should they show up.

Resources Are Thin

It is rare to find a startup whose funds aren’t tight. A new entity obviously can’t roll out the network security suite of tools and capabilities that a larger, more established company can bring to the table. That said, what startups can do is identify what is required and desired, then triage for risk and invest in the mitigation of the greatest risks first. Then, when resources are required, the mitigation implementation should evolve to the next security level, knocking down another risk.

Where Should Startups Start?

The first area of investment is locking down endpoint devices. Not every startup has an internal network infrastructure when they open their doors. In fact, many use a hub-and-wheel approach to put their infrastructure together by leveraging third parties that provide software-as-a-service and cloud infrastructure. These services and engagements with clients all come from endpoint devices, which should have some basic security implementations in place.

The following are three inexpensive security steps that startups should take to protect their endpoint devices:

  1. Utilize personal identification numbers (PINs) or passphrase access control on all devices. This costs nothing and makes it more difficult for a third party to unlock a lost device if they find it.
  2. Employ hard disk encryption; both Windows and Apple OS have built-in encryption capabilities. If the device goes missing, the content of the hard drive may be out of your control, but its encrypted state makes the loss of the device a nonevent from the perspective of the data being exploited.
  3. Use device-level security software, including antivirus.
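Step 2 is only a control if it is actually switched on, so a practical follow-up is a small posture check that confirms full-disk encryption on each laptop. The script below is an added example and is not code from the original article. The commands it calls are the platforms' own built-in tools (`fdesetup status` on macOS, `manage-bde -status` on Windows, `lsblk` on Linux); the parsers and the sample outputs they are exercised on are this example's own constructions, and a Linux check that relies solely on a dm-crypt mapping is an assumption (a hardware self-encrypting drive would not be detected).

```python
"""Endpoint disk-encryption posture check (added example, not from the article).

Parses the output of each platform's built-in encryption tool and returns a
single boolean. Anything that cannot be determined reports False, which is the
safe default for a posture inventory.
"""
import platform
import subprocess


def parse_fdesetup(output: str) -> bool:
    """macOS: `fdesetup status` prints 'FileVault is On.' or 'FileVault is Off.'"""
    lines = output.strip().splitlines()
    return bool(lines) and lines[0].startswith("FileVault is On")


def parse_manage_bde(output: str) -> bool:
    """Windows: `manage-bde -status C:` reports 'Protection Status: Protection On'
    once the volume is fully encrypted and its key protectors are active.
    (The command itself normally needs an elevated prompt.)"""
    for line in output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Protection Status":
            return value.strip() == "Protection On"
    return False


def parse_lsblk(output: str, mountpoint: str = "/") -> bool:
    """Linux: `lsblk -r -n -o NAME,TYPE,MOUNTPOINT` prints one device per line.
    Assumption (this example's own): the filesystem at `mountpoint` counts as
    encrypted only when it sits on a dm-crypt mapping, i.e. TYPE == 'crypt'."""
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] == mountpoint:
            return parts[1] == "crypt"
    return False


def _run(cmd) -> str:
    """Run a command and return its stdout; an absent tool yields ''."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except (OSError, subprocess.SubprocessError):
        return ""


def disk_encryption_enabled() -> bool:
    """Dispatch on the running OS and return True only when encryption is confirmed."""
    system = platform.system()
    if system == "Darwin":
        return parse_fdesetup(_run(["fdesetup", "status"]))
    if system == "Windows":
        return parse_manage_bde(_run(["manage-bde", "-status", "C:"]))
    if system == "Linux":
        return parse_lsblk(_run(["lsblk", "-r", "-n", "-o", "NAME,TYPE,MOUNTPOINT"]))
    return False


# Constructed sample outputs (not captured from real machines) used to exercise the parsers.
SAMPLE_FDESETUP_ON = "FileVault is On.\n"
SAMPLE_MANAGE_BDE_ON = """Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection On
    Lock Status:          Unlocked
"""
SAMPLE_LSBLK_CRYPT = "sda disk \nsda1 part /boot\nsda2 part \ncryptroot crypt /\n"
SAMPLE_LSBLK_PLAIN = "sda disk \nsda1 part /boot\nsda2 part /\n"

if __name__ == "__main__":
    print("this host, disk encryption confirmed:", disk_encryption_enabled())
```

Run it from the endpoint itself (for example as part of an onboarding script) and keep the boolean in the device inventory; a False answer is the trigger to turn encryption on before the device leaves the office.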

The next area to address is employee security awareness. This doesn’t need to be expensive, but it should be consistent and all-inclusive. Implementation can be as economical as brown-bag security awareness discussions over lunch.

Reviewing Third Parties

Another area every startup should address and review is the aforementioned third-party applications and infrastructure. As the company walks through a build/buy/lease triage on all services required to enable the company’s success, it is important to ensure there is a checklist of all the security requirements and whether they are feasible. In the instances where buy/lease paths are chosen, investing a small amount of time reviewing the security documentation (SOC, SSAE-16, etc.), privacy policy and terms of service will pay immediate and long-term dividends. This review permits a higher degree of understanding of the third party’s current security and privacy acumen and how it will protect the company’s data.

The last area every startup should address is the security of its products and customers. When developing a service or evolving a product, building security into the mix at the outset is and always will be less expensive than waiting and bolting on the security solution.

In sum, startups don’t have to wait to bolt on security to their company. Instead, they can implement security practices, procedures and capabilities at a minimal cost from day one.
