Managing security and compliance for Start Ups

Sumit Johar
Apr 25, 2021

Start Ups are known for their laser focus on product and customers. But running an organization also means managing risks. Time and again I have seen CEOs struggling with areas that can be perceived as distractions.

The Internet is buzzing with new breaches every day, constantly pulling executives' attention from one threat to the next. The scope and complexity of security risks have grown so much that even bigger organizations are struggling to get their arms around them.

It’s not hard to imagine how lost a Start-Up would feel about where to start and draw a line for its investment on information security. Although the risk profile for every organization is different, here are a few suggestions for smaller organizations to at least get started and find a path for continuous improvement on security and compliance.

Baseline your Assets and Risks

This is the first task before you build a plan for improving your security posture. Identify what your most critical assets or processes are, where they reside and what business impact they can have.

These assets could be your customer or employee data, your company IP, or your future roadmap. Once you know your assets, you need to quantify the risks around them by mapping threats and their probability.

I strongly advise keeping this a simple enough process, so stakeholders can understand and contribute to the review. It's not practical to mitigate all risks, no matter what size company you are.

Depending on their business impact and probability, some risks can be accepted, mitigated or transferred.

The key is to have your top management involved in the review and in prioritizing which risks should be addressed first.

Corporate policies are your first defense

Think of the policies as your guiding principles that employees can refer to, while running their daily operations. Policies also establish an organization’s viewpoint on security related matters for external regulators and auditors.

Not having a clear policy around security not only provides an excuse for bad behavior, but may also make you look bad should there be an investigation by a third party.

A recent survey by SoftwareAdvice confirmed that 44 percent of employees don't know their company's policies.

Start Ups need to pay extra attention to policy awareness, as they might not be able to afford tools and technologies to augment the gap.

Culture of security starts from the top

In a similar survey conducted by Stroz Friedberg, it was found that almost 90% of senior managers upload work files to their personal email or cloud accounts.

It's important to note that senior management probably has the most access to company IP and other assets.

Although there is enough support from senior executives for security awareness among employees, they sometimes also have a false sense of security about their own habits and awareness.

Additionally, security programs need to be reviewed and measured on a regular basis, just like any other corporate objective.

Over privileged Users

Start Ups thrive on the principle of ‘shared responsibilities’ and ‘wearing multiple hats’. Sometimes this model gets misinterpreted for the need to have too many employees with administrative access.

Pace of work can sometimes take precedence over everything else. There is a fine balance that has to be maintained by regularly auditing permissions and refining them.

What you need to remember is that you are making it easy for an invader if there are plenty of targets with excessive permission sets.

SaaS and IaaS Sprawl

SaaS and cloud based infrastructure have turned out to be a boon for start ups, as they don't have to worry about building large data centers or business applications.

A simple credit card swipe can instantly give you access to powerful servers, data warehouses and applications. This has led to hundreds of apps and servers that aren't managed by a full time IT person and may not be adhering to corporate policies.

Gartner predicts that through 2025, 99% of cloud security failures will be the customer’s fault.

There is no going back from Cloud, but I encourage start-up leaders to become more aware and ask more questions about how their teams are managing the risks of SaaS and IaaS sprawl. On the other hand, you also have the advantage of leveraging the latest SASE and zero trust cloud native security solutions, as you aren't carrying the baggage of a traditional on-premise setup.

Incident Response Plan

You are lucky if you haven't faced a security incident yet, but you'll have to face one some day. Although most small / mid sized companies invest in preventing breaches, few invest in building a robust incident response process.

You need a well defined, cross functional response that has been practiced many times before a real incident takes place.

Start by giving your IT and Legal teams a few hypothetical scenarios and asking what actions they'll take and in what order.

Do they get the same level of commitment from third party suppliers? Do they know how and where to report such incidents, or what kind of evidence to preserve?

Cyber Insurance

We are used to buying insurance to cover damages in our personal lives, but did you know that you can buy insurance against cyber attacks as well?

Although it's not as black and white as buying auto insurance, you can get some protection against certain types of damages.

However, these policies don't always cover you against reputational damage that may affect your future revenue. It's still a good idea to invest in cyber insurance as long as you understand what is and isn't covered.

Adopt an industry standard framework

Security is such a wide subject that sometimes you just don't know where to start.

There are a number of frameworks (e.g. CIS, ISO 27001, NIST 800-53) that can help you put a method to this process. However, you need to remember that not all controls or solutions suggested by these frameworks will always apply to you.

You'll still have to identify and prioritize your risks. There are other benefits of following these frameworks: you'll do your sales team a favor, as they can cut the time to sell because customers trust third party certifications.

Conclusion

Security risks are evolving every day and so are the ways to manage them. We all hear about new tools that have come up to handle a specific threat, but none of these tools will be effective unless a basic security hygiene and governance model is established.

The key is to keep hardening your defenses without becoming a barrier to employee productivity. You are the best judge of whether a specific risk needs to be handled by enforcing a policy, a procedure, a tool or training.

Stay engaged and stay safe.