
A Digestible Action Plan for Startups’ Cybersecurity Success

Annie Greenley-Giudici

It’s never too early for a startup to strategize and operationalize its cybersecurity goals; in fact, it’s a prerequisite for high-yield growth. And yet, with all the high-velocity activity and rapid decision-making that characterizes most startups’ early existence, it can be easy to overlook some of the critical proactive steps that must be taken to safeguard a growing company’s value potential.

The importance of this cannot be overstated. The harm to a startup’s reputation and brand name can be existential if proper controls are not in place. A recent Forbes CommunityVoice article by start-up founder Isaac Kohen offers some helpful starting points for businesses of all sizes to keep in mind. The major takeaways are summarized below, with additional perspectives added.

Growing a cybersecurity culture from day one

A critical reminder for all is that cybersecurity is not at heart an infrastructure issue—it’s a cultural one. Most data-related incidents and lapses actually occur as a result of unintentional employee actions or an organization’s nonchalant approach to protecting personal data and intellectual property.

To combat the establishment of lax norms, first identify privacy and cybersecurity champions within each group. Next, incentivize the training and reinforcement that go into building a cybersecurity culture, and make them fun.

Elevating accountability as a key attribute

Talk is cheap. Without proper follow-through at each level of an organization, the best-laid cybersecurity plans will topple like a house of cards. Accountability can involve performance metrics, enforced policies (such as prohibiting “bring-your-own-device” or taking company computers to public outings where loss is more likely to occur), discussions in managerial reviews, and even employee monitoring, if done carefully, transparently, and respectfully.

Such employee oversight is generally performed via monitoring software. This software often restricts data collection to specific, data-centric applications, enables auto-redaction and masking of personal data, and is inclusive of all employees. Include founders and management to set the proper top-down tone.

It’s not only good business – it’s the law

As TrustArc customers are already aware, most data protection regulations around the world impose security requirements on organizations, meaning that these costs should be expected and built into overall compliance and IT budgets. This is certainly the case for startups seeking to operate in, or target products and services to, European Union audiences, thanks to the GDPR. But it’s also the case in an increasing number of Asian, African and South American nations.

Moreover, the United States already has a number of industry-specific federal laws with security obligations (such as HIPAA, FCRA, GLBA and an alphabet soup of other regulations). And California and other states are now passing their own privacy laws. Consequently, proper cybersecurity practices must be a fact of life for all companies going forward.

Training and best practices are the way to go

Technology and threat vectors evolve, and so too should the measures a startup takes to thwart such external threats. Team members need to be able to recognize and understand an issue, and to know who/what/where/when/how to escalate it. That said, it is not necessary to reinvent the wheel on all things.

From a U.S. perspective, which can in many cases be leveraged towards compliance with other major frameworks around the world, the Federal Trade Commission has released resources that provide a blueprint for startups. Examples of this include the FTC’s 2015 Start With Security: A Guide for Business page, which was followed in 2017 with the Stick With Security blog series. Both resources provide data security-related guidance, examples, and best practices for small, mid-sized, and even enterprise businesses.

In all, start early, have a plan and document your steps, develop a multi-stakeholder approach to privacy and cybersecurity, embed accountability throughout, then add water and watch your business grow.
