
Cybersecurity Essentials for Startups: Building a Secure Foundation

Discover why cybersecurity, data privacy, and compliance are critical for startups from day one. Learn how to build trust, meet standards, and secure your startup's future in the digital age.

Target Audience

  • Founders (technical & non-technical)

  • CTOs & Developers

  • Sales & Business Development

  • Investors (Private Equity, Venture Capital, etc.)

Why This Matters

Cybersecurity, data privacy, and regulatory compliance have become essential business challenges for startups and global organizations alike, and they affect starting, running, investing in, or acquiring a business.

Today’s consumers are more focused on data protection and privacy, and they have less confidence in a startup’s ability to safeguard their data and other digital assets.

Problems to Solve

  • Consumer Trust - Trust in a digital world is harder to earn and keep, and startups are considered riskier by the average consumer.

  • Meeting Standards - Enterprise customers expect mature data protection and data privacy practices, and early startups can struggle to meet standards.

  • Regulatory Costs - Keeping up with an evolving regulatory landscape only gets more expensive as time passes and as the company scales.

Where This Applies

(Image: "Signs point to security" flowchart.)

Ask the following questions about your startup:

  • Do your customers log into your platform?

  • Does your platform use a database?

  • Does your platform leverage cloud-based resources like IaaS (Infrastructure as a Service)?

  • Do you have intellectual property (IP) to safeguard?

  • Do you store, transmit, or process payment transactions?

  • Do you collect, store, use, or process Personally Identifiable Information (PII) data?

  • Do you collect, store, use, or process any regulated data (e.g., financial or healthcare data)?

  • Do you have customers who operate in highly regulated industries (e.g., critical infrastructure or insurance)?

  • Do you have operations in geographies with consumer protection laws or regulations (e.g., the GDPR in the EU or the CCPA in California)?

If yes to any of the above, security, privacy, and compliance need consideration early and often.

A few other reasons you need to consider security, data privacy, and compliance:

  • Your company brings in new employees (part-time or otherwise)

  • You want your company to be acquired

  • You are seeking private equity or venture capital investment

Simply put, you cannot do business without cybersecurity, data privacy, and regulatory compliance in mind today (at least not for very long).

Common Arguments From Founders

  • ❌ “We’re here to sell product X or service Y first, not be secure…“

  • ❌ “We’ll take a look at that when we get bigger…“

  • ❌ “We’ll wait until we have enough customers asking…“

Many startups gauge their level of involvement in and commitment to cybersecurity by what it costs or by whether certain financial milestones have been reached.

Instead of waiting for a specific windfall event, or for some set number of customers to ask about your cybersecurity practices, do this instead:

  • ✅ Consider what industry you are in (or your customers are in)

  • ✅ Consider the risk associated with the data your company has (or hopes to have)

  • ✅ Consider what it would mean if that data were lost or stolen

Why to Start Early

  • Price You Pay to Play - Some enterprise customers will require specific security and regulatory compliance attestations even to do business with you (e.g., SOC 2, PCI DSS).

  • Security Sells - Security and compliance are selling points in the current state of the world, and your customers will expect it. Security, or lack thereof, could make or break your first big B2B customer.

  • Create Your Moat - Do what others will not. Security, data privacy, and regulatory compliance in your industry can make you stand out and create a competitive barrier to entry into your market.

  • Limit Security Debt - Cybersecurity, data privacy, and regulatory compliance design decisions made early cost far less than the same decisions made later, once your company is scaling and your customers and their requirements have grown.

Security Guiding Principles for Startups

  • Create a Security Culture - Adopt strong security and data privacy practices from the beginning and make it a part of everyone’s job. Security is more process than technology.

  • Do the Right Things - And Do the Things Right. You can’t be good at everything early on, so pick a few things to be very good at and make it an essential piece of how you operate.

  • Work the Plan - You don’t have to have it all done up front, but you have to plan to get it all done. Customers will be OK with timelines to get compliant or resolve security issues. Customers will NOT be OK with no plans.

What You Can Do Right Now

While not meant to be an exhaustive or exact list of what may work for your company, here is a sample guide on what you can do now with associated timelines:

Use What You Have (0-3 months):

  • Use environment-native security controls where possible

  • Use environment-native compliance reporting (e.g., AWS Trusted Advisor)

  • Use available 3rd party tools/integrations for security

  • Start talking to employees about how to avoid phishing scams and Business Email Compromise (BEC)

Know Yourself and Know Your Vendors (0-3 months):

  • Understand the “Shared Responsibility Model” of securing your cloud resources

  • Be able to explain how you collect, store, process, and use a customer’s data

  • Hold your 3rd party vendors to a high level of security rigor with your data

  • Make sure all employees, contractors, etc. understand what information they can and cannot share

Understand Compliance in Your Industry (3-6 months):

  • Know the regulations and certifications that your industry or customers require

  • Make someone at your company responsible for cybersecurity, data privacy, and regulatory compliance (doesn’t have to be their only job, but this will ramp up quickly)

Get Outside Support (6-9 months):

  • Find out how other startups or companies in your market space are addressing security concerns

  • Seek out a part-time or fractional trusted advisor to help navigate cybersecurity, data privacy, and regulatory compliance

Nail the Basics (9-12 months):

  • Build your business with security and data privacy principles upfront

  • Create Information Security policies and standards

  • Use multi-factor/two-factor authentication wherever possible

  • Do not share passwords; get a password manager to hold your company’s many accounts (I like 1Password)

  • Use the model of least privilege (e.g., the CEO should not be “admin” on everything)
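As an added example (not code from the original post), here is a small Python audit that checks AWS IAM policy documents for the two basics above: least privilege and MFA. The two policy documents are constructed for illustration: the first is the kind of "admin on everything" policy a founder attaches to their own user on day one, the second is the scoped policy that same person actually needs for one task. The checks are heuristics over the policy JSON, not a full IAM policy analysis.

```python
"""Audit AWS IAM policy documents for least-privilege and MFA gaps.

Added example, not part of the original post. The policy documents
below are constructed for illustration; the checks are heuristics,
not a complete IAM policy evaluation.
"""
import json
from typing import Any

# Constructed sample: "admin on everything", the thing the CEO should not have.
ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
})

# Constructed sample: the scoped policy the same person needs to read one
# reports bucket, and only from an MFA-authenticated session.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-startup-reports",
                "arn:aws:s3:::example-startup-reports/*",
            ],
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }
    ],
})


def _as_list(value: Any) -> list:
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _requires_mfa(statement: dict) -> bool:
    """True if the statement's Condition requires an MFA-authenticated session."""
    cond = statement.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        flag = cond.get(operator, {}).get("aws:MultiFactorAuthPresent")
        if str(flag).lower() == "true":
            return True
    return False


def audit_policy(policy_json: str) -> list[str]:
    """Return human-readable findings for one IAM policy document."""
    policy = json.loads(policy_json)
    findings: list[str] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        # Wildcard action on wildcard resource is full administrator access.
        if "*" in actions and "*" in resources:
            findings.append(f"statement {idx}: grants '*' on '*' (full admin)")
        else:
            # Service-wide wildcards such as "s3:*" on every resource are
            # still far broader than any single job needs.
            for action in actions:
                if action.endswith(":*") and "*" in resources:
                    findings.append(f"statement {idx}: '{action}' on all resources")

        # Anything that can change identities or grants everything should
        # only be usable from a session that passed MFA.
        sensitive = "*" in actions or any(a.lower().startswith("iam:") for a in actions)
        if sensitive and not _requires_mfa(stmt):
            findings.append(f"statement {idx}: sensitive actions without an MFA condition")
    return findings


if __name__ == "__main__":
    for name, doc in (("admin", ADMIN_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(doc) or ["no findings"])
```

Run it and the admin policy produces two findings (full admin, no MFA condition) while the scoped policy produces none; pointing `audit_policy` at the inline policies exported from your own account is a quick first pass before a customer's questionnaire asks who has administrator access.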

Work Smarter, Not Harder (9-12 months):

  • Make managing the users of your services easy, self-service, and auditable

  • Make it someone’s full-time responsibility to look after security or hire a new person to take on this role

Test Yourself (12+ months):

  • Do static/dynamic code analysis on your web and mobile applications

  • Audit yourself early and often (your institutional customers will)

  • Perform tabletop exercises to respond to threats or loss of your services due to a cybersecurity event

Every scenario will be different, and the risk of your particular company should be driving your roadmap here. Adjust as needed.
