Startup companies don't always know what they don't know, says CDW Startup Strategist Teague Goddard. “When you’re just starting your founding team, you may not have those talents and skills just yet. You may have some supersmart folks, but from a security perspective, they may not necessarily know all the risk considerations.”
Jason Kaser, manager of integrated technology solutions for small business at CDW, agrees with Penny and Goddard. “There are two pieces that you just have to pay attention to, and that’s your people and your data — having the basic protocols in place to keep your people safe from external threats, as well as being able to understand what access they have to the information within the organization.”
The Four Pillars of a Sound Security Strategy
Penny and Kaser said every company’s security strategy should include the following elements:
- Endpoint security. Every device an employee uses to access network resources, from company-issued laptops to their own smartphones, must be secured. Businesses should have visibility into that access.
- Email security. Email continues to be the most common avenue threat actors use to acquire employee passwords or other sensitive data. Businesses must have a solution for protecting their email gateways.
- Firewalls. Even as more businesses deploy zero-trust security strategies, firewalls that serve as a frontline perimeter defense aren’t going away. Businesses must have the right ones in place.
- Identity and access management. Correctly verifying the identity of employees and others authorized to access corporate data is a basic function of any security plan. To do so, businesses must have an appropriate identity and access management solution in place, preferably one that includes multifactor authentication, and they must ensure that employees adhere to corporate security policies.
How the Right Partner Can Make Security Easier for Startups
For startups that are ill-equipped to manage a robust security strategy on their own, a strategic partnership with a trusted adviser can provide critical services, such as routine security posture review and security event response. For example, a virtual CISO allows companies to “rent hours to get that guidance that they need without employing somebody full time,” Kaser explains.
Even large companies with dedicated security teams can be overwhelmed by the many detections and alerts created by common security tools. For a startup company trying to focus on its core business, keeping up can feel impossible, and in such cases, a business needs help from a partner that can “manage all of those detections and alerts and help them be able to remediate regardless of where their data resides,” Penny says.
Penny suggests working with a partner that offers a risk rating platform, which can analyze different risk scores of vendors, competitors and customers. She says it’s becoming increasingly common for companies to ask for reassurance from their vendors.
Businesses often think of security as a cost center, so budget-constrained startups naturally seek to mitigate those costs. “We often see the lack of cybersecurity planning and investments bottleneck sales for startups. Many of them sell to enterprises who have enterprise security compliance standards and will certainly do their diligence before purchasing,” Goddard says. “It’s high time we underscore the importance of cybersecurity investments, policies and procedures becoming growth drivers.”