Sep 10 2021

Building Sound Security Strategy for Startups

Early-stage companies often see sophisticated cybersecurity as a cost center, not a growth driver. That should change.

In many startup companies, cybersecurity can be overlooked. Frequently, they lack the budget or the experience to recognize the importance of security. Sometimes, they naively believe cyberattacks only happen to larger organizations.

According to a research conducted by McKinsey earlier this year, “Mounting cybersecurity threats are particularly fraught for small and medium-size enterprises (SMEs), defined as those with fewer than 500 employees. Even before the pandemic, SMEs faced challenges when it came to limited budgets and hiring skilled personnel.”

Despite those hurdles, experts emphasize the need to develop an agile cybersecurity strategy that anticipates future growth and incorporates the flexibility to adapt to change and scale up when the time is right.

Security Must Be Embedded into a Startup’s Culture

It’s important to make security a part of any company’s culture — and for startups, that should happen at the very beginning. “As security starts to become part of their culture, it’s almost like fluoride in our water,” says Brittany Penny, integrated technology solutions senior cybersecurity adviser at CDW.

Click the banner below to avoid the top tech mistakes that can kill startups.

Startup companies don't always know what they don't know, says CDW Startup Strategist Teague Goddard. “When you’re just starting your founding team, you may not have those talents and skills just yet. You may have some supersmart folks, but from a security perspective, they may not necessarily know all the risk considerations.”

Jason Kaser, manager of integrated technology solutions for small business at CDW, agrees with Penny and Goddard. “There are two pieces that you just have to pay attention to, and that’s your people and your data — having the basic protocols in place to keep your people safe from external threats, as well as being able to understand what access they have to the information within the organization.”

The Four Pillars of a Sound Security Strategy

Penny and Kaser said every company’s security strategy should include the following elements:

  • Endpoint security. Every device an employee uses to access network resources, from company-issued laptops to their own smartphones, must be secured. Businesses should have visibility into that access.
  • Email security. Email continues to be the most common avenue threat actors use to acquire employee passwords or other sensitive data. Businesses must have a solution for protecting their email gateways.
  • Firewalls. Even as more businesses deploy zero-trust security strategies, firewalls that serve as a frontline perimeter defense aren’t going away. Business must have the right ones in place.
  • Identity and access management. Correctly verifying the identity of employees and others authorized to access corporate data is a basic function of any security plan. To do so, businesses must have an appropriate identity and access management solution in place, preferably one that includes multifactor authentication, and they must ensure that employees adhere to corporate security policies.

MORE FROM BIZTECH: Learn how startups can adapt their tech at every stage of growth.

How the Right Partner Can Make Security Easier for Startups

For startups that are ill-equipped to manage a robust security strategy on their own, a strategic partnership with a trusted adviser can provide critical services, such as routine security posture review and security event response. For example, a virtual CISO allows companies to “rent hours to get that guidance that they need without employing somebody full time,” Kaser explains.

Even large companies with dedicated security teams can be overwhelmed by the many detections and alerts created by common security tools. For a startup company trying to focus on its core business, keeping up can feel impossible, and in such cases, a business needs help from a partner that can “manage all of those detections and alerts and help them be able to remediate regardless of where their data resides,” Penny says.

Penny suggests working with a partner that offers a risk rating platform, which can analyze different risk scores of vendors, competitors and customers. She says it’s becoming increasingly common for companies to ask for reassurance from their vendors.

Businesses often think of security as a cost center, so budget-constrained startups naturally seek to mitigate those costs. “We often see the lack of cybersecurity planning and investments bottleneck sales for startups. Many of them sell to enterprises who have enterprise security compliance standards and will certainly do their diligence before purchasing,” Goddard says. “It’s high time we underscore the importance of cybersecurity investments, policies and procedures becoming growth drivers.”