5 Information Security Considerations to Make Your Startup Successful

From Silicon Valley to Times Square, startups of all kinds are popping up all over the United States and beyond. It’s easy for the founders to put all of their resources into starting the business and taking it to market, but what happens when the data that fuels that startup is breached? What happens when an immature information security program causes that startup to fail?

What Makes a Startup Successful?

There’s a lot that goes into making a startup successful – a great idea, strong leaders, a solid business model, investors, and grit – but there’s even more that factors into scaling a startup. In fact, there’s one key component to making a startup successful that’s often neglected: a robust information security program. In today’s age, information security is one of the top concerns of organizations because they know that it’s only a matter of when, not if, a cybersecurity attack will affect their business. Unfortunately, not all startups recognize how pervasive the current threat landscape is, or they don’t even know where to begin with implementing an information security program. In order for a startup to be truly successful, there needs to be a robust information security program created from the start. What should it include? We believe that there are five key considerations that organizations must keep in mind when creating their information security program.

1. Get Executives on Board with Information Security from the Start

We often discuss the importance of implementing a culture of compliance from the start of your business, and this is especially true for startups. Why? Because a startup is usually made up of very few members and often does not include IT personnel. This means that for startups, it’s even more important that executives understand and acknowledge the importance of implementing a robust information security program; they need to make it a shared responsibility to design business processes and systems with security controls in mind from the start.

2. Know Your Assets

The value of having a robust information security program comes down to protecting your organization’s valuable assets. For startups, this should really hit home. It’s hard enough getting a company off the ground, so what would happen if six months into launching, a breach occurred or a physical device containing your company’s data was stolen? It’s happened before and it will happen again. Knowing what assets you have and how much they’re worth to you will help you risk-rank which assets need to be protected first.

3. Implement Information Security Basics

Almost all organizations use some form of technology to carry out their business processes, and startups are no different. In fact, most startups have mobile or web applications that are just as likely to be hacked or targeted as Fortune 500 companies. That’s why startups need to implement information security basics, such as firewall configurations, network access controls, antivirus software, password policies, and MFA, to mitigate the risk of malware attacks, DDoS attacks, API disruption, and the plethora of other cybersecurity threats startups are faced with.

4. Educate Your Employees

Employees are often thought of as the weakest link at any organization. Because of the limited number of personnel at a startup, focusing on security awareness training might not seem necessary, but that couldn’t be further from the truth. Every single person working at your startup needs to know how they could unintentionally compromise your organization by falling for phishing attempts, using bad passwords, or just not following policies. Whether your startup has a team of two or thirty, investing in security awareness training from the beginning reinforces a culture of compliance and helps mitigate the risk of human error causing a security incident.

5. Establish Physical Security Controls

Another focal point startups must keep in mind is establishing physical security controls. Many times, startups work out of incubators or coworking spaces, but these environments might not always have the most secure physical security controls in place to keep their assets protected. Let’s say that a startup is based out of a coworking space – what physical controls are in place to protect your assets? Does the coworking space have security cameras? Do they have badges, key fobs/cards, biometric access controls, security guards, and/or receptionists? There’s no telling who could enter a coworking space and gain unauthorized access to your sensitive assets, so establishing physical security controls needs to be a top priority.

Malicious hackers don’t discriminate against startups. If there’s sensitive data to access, they’re going to find a way to get their hands on it. That’s why investing in a robust information security program from the start is so worthwhile: security incidents can cause outages in critical services and operations, ruin your reputation, and cause your business to fail before it even takes off. It’s every entrepreneur’s dream to see their business succeed – don’t let an immature information security program keep you from achieving that. As a firm that started out small, we know what it takes to grow a business and we’re dedicated to helping you do just that. Contact us today to learn more about how KirkpatrickPrice can help you implement a robust information security program for your startup.


Why is Ransomware Successful?

Ransomware is the attack method that you’ve seen over and over again in the headlines and, unfortunately, it’s not going away. Global outbreaks like WannaCrypt, Petya/NotPetya, and BadRabbit have made ransomware a household name. The FBI reports that over 4,000 ransomware attacks occur daily. The sophistication and frequency of these attacks make people wonder: why is ransomware successful? How can it be stopped? Let’s discuss how company culture, the workforce, malicious outsiders, and proper security configurations contribute to the success of ransomware.

Culture of Apathy

I believe there is a growing apathy in our culture towards confidential data. Honestly, do people even believe data is confidential anymore? According to Pew Research Center, half of Americans feel that their personal information is less secure than it was five years ago. 64% of American adults have experienced data theft via credit card, account number, email account, social media accounts, Social Security number, loan, or tax return compromises. It has become habitual to worry about data breaches, identity theft, and other privacy concerns.

It’s not just about hackers or human error – the apathy in our culture has led to a rise in malicious insiders. Verizon’s 2018 Data Breach Investigations Report states that 28% of cyberattacks in 2018 involved malicious insiders. When Accenture surveyed 912 healthcare and payer employees in the US and Canada, they found that one in five (18%) would be willing to sell confidential data to unauthorized parties for as little as $500 to $1,000. Moreover, about a quarter of these healthcare and payer employees know someone in their organization who has sold their credentials or access to an unauthorized outsider. One in five healthcare employees, the people responsible for protecting your data, would give it, or access to it, away.

What is your organization’s culture as it relates to information security? Are you building a control environment that will embrace, monitor, and enforce ethical practices?

Workforce Challenges

If your organization, thankfully, hasn’t faced the challenges of malicious insiders and an apathetic culture, you will probably face an ill-prepared workforce. Some things just stay the same, and human error is one of those things.

Phishing is the primary method of attack when it comes to ransomware. In 2017, the Microsoft Office 365 security research team detected approximately 180-200M phishing emails every month. Although more and more organizations are incorporating strong security measures into their strategies, it’s still easy to phish. The Microsoft Security Intelligence Report explains, “An attacker sending a phishing email in bulk to 1,000 individuals just needs to successfully trick one person to obtain access to that person’s credentials…Phishing and other social engineering tactics can be more simple and effective than other methods, and they work most of the time for more human beings. If successful, phishing is an easier way to obtain credentials as compared to exploiting a vulnerability, which is increasingly costly and difficult.” The most successful phishing attempts impersonate popular brands, users, and domains.

You may think that because millennials are becoming a larger portion of our workforce, your organization is better protected. Millennials won’t fall for phishing emails, right? They’ll be wary and spot a social engineering attempt, won’t they? Unfortunately, the data shows that adults aged 20 to 29 fall victim to more fraud than adults aged over 70.

Are you providing the necessary training to the newest members of your workforce? Is your workforce your weakest link or your first line of defense?

Malicious Outsiders

Organized criminal groups aren’t stopping; they’re only getting more sophisticated. There’s obviously financial motivation, but malicious outsiders could also be motivated by a political agenda, social cause, convenience, or just for fun. We predict that US cities and the public sector will continue to be a target for malicious attacks, especially from nation-states. Nation-states have a goal of disrupting public services. Hospitals, airports, police departments, educational systems, court records, water services, payment portals, technology infrastructure – these cornerstones of the public sector are under attack every day from complex cyber threats and malicious outsiders.

What should the public sector invest in? Cybersecurity awareness to citizens and elected officials, use of forensic services after incidents or breaches, cybersecurity exercises, vulnerability scanning and penetration testing, and competitive compensation for IT personnel.

Proper Security Configurations

Remote Desktop Protocol (RDP) has been called ransomware’s favorite access point – a service that is commonly left unsecured and easily compromised. Even the FBI warned organizations that the use of RDP as an attack vector is on the rise. CrySiS, CryptON, Zenis, and SamSam ransomware have all used RDP to their advantage.
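One way a defender can test whether an RDP endpoint is being password-guessed is to watch the Windows Security log for bursts of failed RemoteInteractive logons (Event ID 4625, logon type 10) from one source, and note whether a successful logon (4624) follows. The script below is an added example, not part of the original article; the event records are constructed for illustration, and the threshold and window are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event_id, logon_type, account, source_ip).
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
EVENTS = [
    ("2019-03-01T02:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2019-03-01T02:00:03", 4625, 10, "admin",         "203.0.113.7"),
    ("2019-03-01T02:00:05", 4625, 10, "backup",        "203.0.113.7"),
    ("2019-03-01T02:00:08", 4625, 10, "scanner",       "203.0.113.7"),
    ("2019-03-01T02:00:10", 4625, 10, "jsmith",        "203.0.113.7"),
    ("2019-03-01T02:00:12", 4624, 10, "jsmith",        "203.0.113.7"),
    ("2019-03-01T09:15:00", 4625, 10, "jsmith",        "192.0.2.44"),  # single typo by a real user
    ("2019-03-01T09:15:20", 4624, 10, "jsmith",        "192.0.2.44"),
    ("2019-03-01T11:00:00", 4625, 3,  "svc_backup",    "192.0.2.50"),  # network logon, not RDP
]


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: finding} for every source with at least `threshold`
    failed RDP logons inside any `window`-long span.  The finding records how
    many failures were seen, which accounts were tried, and whether an RDP
    logon from that source succeeded after the guessing started."""
    by_ip = defaultdict(list)
    for ts, eid, ltype, account, ip in events:
        if ltype == 10:  # keep only RemoteInteractive (RDP) logons
            by_ip[ip].append((datetime.fromisoformat(ts), eid, account))
    findings = {}
    for ip, recs in by_ip.items():
        recs.sort()
        fails = [(t, a) for t, e, a in recs if e == 4625]
        start = 0
        for end in range(len(fails)):
            # Sliding window: drop failures older than `window` before fails[end]
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                first_fail = fails[start][0]
                findings[ip] = {
                    "failures": len(fails),
                    "accounts": sorted({a for _, a in fails}),
                    "success_after": any(e == 4624 and t > first_fail for t, e, _ in recs),
                }
                break
    return findings
```

A source flagged with `success_after` set is the case worth escalating first, since it indicates the guessing stopped because a credential worked.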

No type of malware completely fades away. Every threat that has ever been classified remains at large. The very first worms and malware ever written still exist and are capable of system infection. Some remain actively developed, maintained, and deployed by proficient black hat hackers. Other older viruses just persist, allowed to continue by poorly maintained systems, old distribution networks, and user complacency. Even when not actively used for data destruction, malware can remain a threat to system stability and continuity.

Do those charged with governance maintain proper security configurations according to best practices? How are your security configurations being tested and validated?

Ransomware continues to be successful because organizations don’t create a culture of defense or a sense of responsibility for data, their workforce isn’t equipped to stand up against cyber threats, the threats from malicious outsiders only persist, and proper security configurations are not implemented. How is your organization preparing itself for a ransomware attack? How will you assure your clients that their sensitive data is protected? Contact us today to implement a plan for training your workforce, changing your company culture, and strengthening your cybersecurity practices.
