Just like any other small & medium enterprise (SME/SMB), startups also face increasing threats of cyberattacks and disruption to business due to cyber related incidents. According to a 2019 study by Accenture, 43% of cyberattacks worldwide are aimed at SMBs. India has 6 crore SMBs that account for 30% of the GDP as per the Confederation of Indian Industry and with the adoption of technology their contribution is only likely to grow. SMBs in banking, financial services and insurance sector are more vulnerable as they allow cyber-criminals to make monetary gain and steal sensitive data at the same time.
It’s not always the money which makes it difficultMost SMBs attribute cost as the biggest hindrance to security, whereas our experience working with startups in India shows that it is the lack of strategy & proper oversight, that results in maximum damage.
Of course, there are costs involved in every action, but it is NOT the single-most barrier when it comes to building a better security posture.
It is not about tools & technology eitherMost people confuse security with implementing softwares and tools. There is a lot which can be done with available open-source & solutions already being used by startups.
Even the best of softwares would be rendered ineffective if they are not well integrated in their purpose of providing a complete protective layer to the organisation.
We put together ten simple reasons why startups and businesses in general miss out on being a secure enterprise.
|1||Lack of involvement of Founders/Board members||The top management doesn’t get involved in data privacy & protection matters, which leads to mismanaged accountability. However, In every lawsuit that has been ever filed over information security related issues, the senior management has been always named as culpable.||Make the board and senior management — not IT — own the ultimate responsibility to protect information. The board can delegate day-to-day responsibility for protecting information, but it retains the full responsibility. Build a Security Governance Framework.|
|2||Mistaking security with just IT||Confusing cybersecurity as an IT function, gives an incomplete view of the organization’s security needs. Your information security program must include more than just IT.||While IT is important, there are several other areas such as Human Resources, Asset Management and Incident Response that are out of IT’s ambit in general. Securing these areas would make your information protection measures complete.|
|3||Missing out on the Big Picture||Most startups fail to maintain a holistic approach to cybersecurity. You cannot focus on one area to the exclusion of another. A good information security program must cover every aspect of a business. About 90% of startups are not even conducting an annual Security Audit.||Assess and validate your Cybersecurity maturity in comparison to peer organizations and leading industry frameworks. Based on your score, go ahead and implement a proven roadmap. Perform an InfoSec Audit periodically.|
|4||Lack of continuous Risk Management||Not everything is as valuable & not everything requires as much protection. Startups usually don’t focus on the crown-jewels by undertaking a proper risk assessment which would help determine the overall exposure to threats & risks.||Information security is risk driven & in essence a risk management programme. Since no two companies are the exactly same, no two information security programs should be same either. Your program must be driven by your specific risks & it should be done continuously.|
|5||Leaving out individuals||If only a couple of IT employees can explain what your company does to protect its information, then you don’t have an integrated information security (Infosec) program.||A full InfoSec program such as an Information System Management Standards (ISMS) includes everyone. To be effective, your program must include staff member in the company, making them a part of your program.|
|6||Limiting its reach||Sometimes contractors, vendor and third-party providers are not included in the security scope. As it has been witnessed in many cyberattacks, if these agencies cause a breach of your company’s data, your brand integrity and reputation will suffer.||Information security should cover all people & teams who work with you. There should be a coupled third-party risk management program to cover all such members, who are external to your organisation but have data exchanges done with.|
|7||Missing people patches||Companies miss out on regularly updating their staff with the ongoing in the world of cybersecurity. Since newer threat vectors emerge everyday, people can become outdated in learning, if they are not trained at regular intervals.||Communicate, Educate & Repeat. Just like brushing, the cyber hygiene principles must be reinforced periodically to ensure that users don’t become the weakest link in the enterprise security chain. Nothing lasts forever, therefore training should keep evolving with time.|
|8||Ignoring incidents & lessons learnt||Any form of cyber incident is an opportunity for startups to become better than yesterday & secure for tomorrow. Yet, most companies avoid monitoring incidents & putting an incident management plan in place. And instead of reaction, there should be a response mechanism in place.||Be prepared to respond to incidents before they occur. Organizations who are prepared to respond when an event occurs respond faster, with fewer financial losses and less damage to their brand integrity and reputation. Learning from past incidents result in better preparedness for the future.|
|9||Absent or Ineffective policies||Mostly policies are missing, but if they are present sometimes, they are half-cooked, half-baked or just generic templated ones. This leaves gaping holes in creating a culture of security & enforcing best practices||An effective cyber security policy is a company’s first defense in protecting information, assets and people. Having a clear policy outlining security and ensuring that the policy is both understood by employees and enforced by management is critical. Policy making is critical.|
|10||Lack of Data Governance||As startups compete to amass data for different reasons, they forget to understand the massive responsibility such data carries, and the privacy risks & complications. Most end up storing unnecessary data which they can safely discard.||With the cost of restoring victims’ identities in the case of identity theft continuing to rise, give thought to what data your organization is storing and then consider whether that data is necessary. A lot of breaches could be prevented simply be appropriately disposing of data that is no longer in use. Identify your crown-jewels, too.|
Startups cannot afford to go wrong with security, because all the hardwork, which a group of like minded individuals put together with so much passion & heart, can go to waste very easily by even the smallest of cyber attacks. Not to mention the high cost of recovery & the brand reputation to salvage in case of such a crisis.