Embedding a security-first team culture in 2020 & beyond.
Up until recently, many founders viewed cybersecurity measures as a luxury reserved for larger organizations with better resources. After all, who is going to want to target a startup with only a handful of employees, and which still hasn’t made it big, right? Wrong.
Cyberspace changes at hyperspeed, and there are now threats to organizations of all shapes and sizes. Startups today use the same networks and cloud systems as ‘big ticket’ organizations, and can quickly accumulate large, tempting caches of user data and payment information, which attract predatory hackers like drops of blood in the open ocean.
The reality is that your company is most vulnerable at its earliest stages. While it might not be as juicy a target as it will be in 10 years, hackers are often drawn by the knowledge that early-stage startups tend to prioritize spending on other areas of their business over cybersecurity.
The longer you wait, the harder it will be to integrate cybersecurity into your growing company. Whether you have one employee or twenty, here’s how you can get a head start on shielding your new business from current and future cyber threats:
Inform your team about the risks.
In order to protect yourself, you need to keep your team informed about what you’re up against, and what information hackers are most interested in. Hackers may try to hijack your data and systems and extort money from you to release them, or target your customer data to sell on the dark web. Often, they will use a smaller company as a gateway to target bigger fish (your clients, investors, or law firm), perhaps damaging your reputation for good.
To achieve their goals, cybercriminals will be looking to steal or breach the following: customer and employee data; application functionality; financial information; third-party contact details; and access to email accounts. Therefore, your company’s Achilles heel(s) are your software, source code, data protection system, hardware (employee computers, etc.) and email services.
Regardless of their position at the company, it is important that all employees understand that they are at risk of attack, and are encouraged to flag anything that they think is suspicious.
Today, phishing attacks are more specifically targeted than ever before. Rather than randomly spamming people with unsubtle emails, hackers will do their homework first and send employees personalized messages that lower their guard. Often, a phishing email will appear to come from another person within an organization whose account has already been compromised, a tactic known as lateral phishing.
Indeed, human error is the weakest point of any company. According to one study, 19 of every 20 breaches may have been avoided if it were not for human error. Hackers know this, and will target less experienced employees who may be easier to trick, using them as Trojan horses to attack executives or partner organizations. This brings us to the next point.
Train your team - but make it personalized.
Your team is your first line of defense (but it shouldn’t be your last, which we'll explain in more detail further on). Equipping your employees is important in reducing the likelihood of hackers breaching your company’s “walls,” but you need to give any training a personalized touch in order to make it effective.
There are plenty of tools available for increasing security awareness within your team, such as Wombat Security and KnowBe4. Your staff should be trained in phishing prevention, detecting cyber threats, and password hygiene. However, a few slideshows are not enough - especially given the highly personalized methods hackers today are using. In fact, a study by researchers from Vanderbilt and Dartmouth highlighted little difference in behavior between employees trained in phishing awareness using educational platforms and those who had not been. As many as 30% of staff who have been trained via educational platforms will still click on malicious links. And it only takes one breach to compromise a startup, its partners, and its customers.
Educational solutions need to be accompanied by individual feedback on staff members’ security practices, ideally in real time, and by other tools that take a more proactive approach to blocking attacks.
Cyber defense training needs to offer realistic examples of how strategies should be applied, and within different contexts. This is especially important given how frequently hackers change their methods. Employees should be able to recognize malicious techniques even as they shapeshift with time, and they can only do so if they can see how hacks are supposed to work in practice.
In short: training can’t be too standardized, because hacking techniques are anything but. Perhaps even more importantly, don’t rely on just staff to protect your company – they have other responsibilities too.
Have a dedicated cybersecurity operation.
To truly protect your company, you need a well-resourced strategy. Ideally, your company would hire a chief information security officer (CISO). A CISO can take charge of staff training and of implementing security defense solutions and software. That means putting in place multi-factor authentication (MFA), Single Sign-On (SSO) or even biometric logins that may use fingerprints or facial recognition scans.
As well as taking the pressure off your staff, CISOs also keep you on your toes, making sure you never let cybersecurity slide and that you are always up to date on the latest trends. However, early-stage businesses are unlikely to have the capacity to dedicate so many human resources to cyber defense.
So for those companies which don’t have the resources to hire a CISO, it is especially important to integrate new technology into your cyber defense strategy. This is your ultimate safety net, counterbalancing human error and criminal innovation as much as possible. Emerging software can automatically detect and block potential threats using technology such as Natural Language Processing (NLP), machine learning and machine vision AI. This AI technology can protect your cloud as well as the hardware used by your employees – from their laptops to their work phones – covering some of your most vulnerable bases.
As technology is an essential part of any business, cybersecurity cannot be seen as an accessory or an afterthought: it is a necessity. Act on this sooner rather than later. If you work cyber defense into your startup’s culture, it will evolve smoothly to deal with the growing capacity of the company. Further down the line, you’ll become a bigger target and have to invest more time and resources to set up your security infrastructure, while the stakes will be that much higher if you fail.
So make sure your team is well-trained, but don’t burden them unfairly. Technology and planning ahead are your best defense against cybercrime in 2020 and beyond.
This original post was written by Arun K Buduri, Co-Founder and President of Pixm, a B2B cybersecurity solution offering on-device phishing prevention at the point of click, and a Boston Founder Institute mentor.