Hackers don’t discriminate. Whether you’re a humble startup or global conglomerate, you’ll likely capture hackers’ attention if you don’t play it safe. And yet, too many startups assume they’re immune.
“A lot of startups think, ‘We’re new. We’re small. We don’t have anything yet that a hacker would want,’” said Sarah Pavelek, principal of cybersecurity at Plante Moran, a certified public accounting and business advisory firm. “The truth is, anyone can be a target. And startups tend to have fewer resources, making it more difficult to recover in the event that there is an attack.”
In fact, Verizon’s 2012 Data Breach Investigations Report found that 71 percent of data breaches occurred in businesses with fewer than 100 employees.
Recently, Pavelek took some time to outline five of the top cybersecurity mistakes startups make:
Neglecting the buy-in. “Cybersecurity isn’t just an IT issue,” said Pavelek. “It affects the entire organization. If you’re in IT, you should know that, for any cybersecurity effort to be effective, you need to achieve buy-in from management first.”
Buy-in means more than moral support. A business owner who understands the risk, and what it takes to implement a security framework, is more likely to allocate the budget and staff time to make it happen.
Neglecting the basics. Too many startup owners fail to get a handle on the basics: What data do they have, and where is it stored? Until you have that baseline inventory, you won’t grasp the extent of your risk, or what to do about it.
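A small, added example of what that baseline inventory can look like in practice (this is example code written for this article, not a Plante Moran tool): it walks a directory tree, flags files that contain data matching sensitive patterns, and validates candidate card numbers with the Luhn checksum so that random digit strings are not counted. The patterns, thresholds and sample files are all constructed assumptions; a real deployment would tune them to the data types the business actually handles.

```python
"""Minimal sensitive-data inventory scanner (added example, not from the article)."""
import os
import re
import tempfile
from collections import defaultdict

# Illustrative detectors only. Real scanners use per-jurisdiction and per-data-type rules.
PATTERNS = {
    # US SSN: excludes invalid area (000, 666, 9xx), group (00) and serial (0000) values.
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # 13-19 digits, optionally separated by spaces or hyphens; confirmed by Luhn below.
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text):
    """Count sensitive-data hits per category in one text blob."""
    hits = defaultdict(int)
    for name, pat in PATTERNS.items():
        for m in pat.finditer(text):
            if name == "card_number":
                digits = re.sub(r"[ -]", "", m.group())
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue  # digit run that is not a valid card number
            hits[name] += 1
    return dict(hits)


def scan_tree(root, max_bytes=1_000_000):
    """Map each file (relative path) under root to the categories of data found in it."""
    inventory = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as f:
                    raw = f.read(max_bytes)  # cap read size so huge files cannot stall the scan
            except OSError:
                continue
            hits = classify(raw.decode("utf-8", errors="ignore"))
            if hits:
                inventory[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return inventory


def demo():
    """Build a constructed sample tree in a temp dir and return its inventory."""
    samples = {  # constructed sample data; the card number is the well-known 4111... test value
        "hr/payroll.csv": "name,ssn\nA. Person,123-45-6789\nB. Person,321-54-9876\n",
        "sales/orders.txt": "card 4111 1111 1111 1111 exp 12/29\ncard 4111 1111 1111 1112 bogus\n",
        "docs/readme.txt": "Contact ops@example.com for access.\n",
        "logs/app.log": "GET /health 200\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(f"{path}: {hits}")
```

The output is the starting point for the questions in the article: once you know `hr/payroll.csv` holds SSNs and `sales/orders.txt` holds card numbers, you can ask who can reach those paths, whether they are backed up, and whether they belong on that system at all.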
Keeping employees in the dark. Employees need to be on board, too. Offer regular training, either via third-party online tools or by working with an in-person trainer. Pavelek recommended focusing on three areas:
Awareness: What are likely types of attacks?
Responsibility: What are your people expected to do to help prevent or report incidents?
Notification: What are your formal incident notification procedures?
Misunderstanding the cloud. Startups rely on cloud providers to store data, in part because it transfers some of the risk away. “Some” is the operative word here. You will likely still be responsible for a certain degree of risk.
“There’s more to the cloud than people think,” said Pavelek. “I encourage people to understand what I call ‘cloud politics’ by investigating your contract, or terms and conditions, with the cloud provider.”
Who “owns” the data in the cloud, and who is responsible in the event of an incident or breach?
Will you need to implement monitoring controls for the cloud system to work as intended from a security standpoint?
Is your provider backing up data? If not, employ a strategy to do so.
If you have a cyber insurance policy, does it align with your cloud contract? Your insurance may define key terms (“incidents,” “breaches”) differently. Get clear on this, as these definitions may affect who is responsible for what.
What’s in your provider’s Service Organization Control (SOC) report? This report is generated, typically annually, when an independent third party tests your cloud provider’s control environment. It shows the controls your provider has in place and any deviations the auditor found. Read the exceptions, and read the section on complementary user entity controls: those are the controls the provider expects you, the customer, to operate yourself.
Being out of date. Make sure all systems have the latest patches and updates. That includes the operating systems on your servers, workstations, laptops and smart devices, the applications running on them, and the signatures for your anti-virus and anti-spyware tools.
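Knowing whether a system is actually current takes more than good intentions. The following added example (written for this article, not taken from it or from Plante Moran) parses the output of `apt list --upgradable` on a Debian/Ubuntu host, separates security fixes from routine updates by their `-security` suite name, and produces a per-host summary that can be collected from a fleet. The sample output and its version strings are constructed for illustration, not captured from a real machine.

```python
"""Flag pending security patches from `apt list --upgradable` output (added example)."""
import re
import subprocess

# Constructed sample in the format `apt list --upgradable` prints; not from a real host.
SAMPLE_APT_OUTPUT = """\
Listing... Done
openssl/jammy-security 3.0.2-0ubuntu1.15 amd64 [upgradable from: 3.0.2-0ubuntu1.12]
libssl3/jammy-security 3.0.2-0ubuntu1.15 amd64 [upgradable from: 3.0.2-0ubuntu1.12]
vim/jammy-updates 2:8.2.3995-1ubuntu2.16 amd64 [upgradable from: 2:8.2.3995-1ubuntu2.15]
"""

# One line per package: "<name>/<suite> <new-version> <arch> [upgradable from: <old-version>]"
LINE_RE = re.compile(
    r"^(?P<name>[^/\s]+)/(?P<suite>\S+)\s+(?P<new>\S+)\s+(?P<arch>\S+)"
    r"\s+\[upgradable from:\s+(?P<old>[^\]]+)\]\s*$"
)


def parse_apt_upgradable(text):
    """Return one dict per upgradable package; header lines such as 'Listing... Done' are skipped."""
    pkgs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkgs.append(m.groupdict())
    return pkgs


def security_updates(pkgs):
    """Debian and Ubuntu publish security fixes from a '<release>-security' suite."""
    return [p for p in pkgs if p["suite"].endswith("-security")]


def host_report(text):
    """Summarise patch state: total pending updates, pending security fixes, and a pass/fail flag."""
    pkgs = parse_apt_upgradable(text)
    sec = security_updates(pkgs)
    return {
        "pending": len(pkgs),
        "security": sorted(p["name"] for p in sec),
        "compliant": not sec,  # any outstanding security fix fails the check
    }


def live_report():
    """Run the real command on this host (requires apt; run `apt update` first for fresh data)."""
    out = subprocess.run(["apt", "list", "--upgradable"], capture_output=True, text=True).stdout
    return host_report(out)


if __name__ == "__main__":
    print(host_report(SAMPLE_APT_OUTPUT))
```

Run `live_report()` from a scheduled job and ship the dictionary to whatever you use for monitoring; a host whose `compliant` flag stays false for more than a few days is the kind of gap an attacker looks for first.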
“Cyber attacks are on the rise,” said Pavelek. “And they’re not going away. Having a strong strategy won’t necessarily prevent an attack, but it will prepare you, in the event that something happens, to recover as quickly as possible.”