SMB companies and startups: growing secure

For many people security measures are a “secondary accessory,” and not something that should be cared for first and foremost. This is a common, but innately flawed mode of thinking.

An axiom for any business is that it exists for profit, whatever it produces or offers. Otherwise it’s not a business. Of course, startups have to keep their belts tightened, and saving on their own security often seems logical. It is not – we’ve said so many times, and it’s not a problem to say it again :-) The question is how to substantiate these claims.

So, let’s just lay all the cards on the table.

Day one

Let’s look at two examples: the first one is a small startup, formed just a few months ago at best, while the second is more of a SMB and it has already established itself in its niche.

It seems clear that the second one is more likely to have its data security in place – it has a bit more resources to allocate for secondary accessories… Wait, was “secondary” about security?

As a matter of fact, for many people, security measures are indeed a “secondary accessory.”

This is a common, but innately flawed, mode of thinking, a sort of “invulnerability by obscurity” that we have written about before. Smaller companies don’t feel it is necessary to protect themselves because they are ostensibly too small and insignificant to draw cybercriminals’ interest.

At first it may seem logical, but cybercriminals care little about the size and sales of their victim. There are just two questions they want answered: 1. Is there any money? 2. Is it difficult to get to them? A “yes-no” combination is an attack in the making.

So when choosing between an established small company and a startup, it is the latter’s bank account that criminals will most likely visit the first. An SMB company may have a larger sum of money there, but its cyberperimeter is much harder to penetrate.

It is wholeheartedly recommended to think of cybersecurity as something that is needed from day one, just like the hardware and office software necessary to do business.

Coming in, going out

Okay, so let’s assume that cybersecurity is indeed set up properly from the very beginning in the offices of both in our startup and SMB company. Network, server(s) and endpoints are protected – probably even with some unified solution, not a hotch-potch of home-oriented antiviruses brought in by the employees themselves along with their personal laptops.

But then a data leak happens – in the form of, say, your company CFO’s stolen or lost smartphone that had no security solution installed, had no remote wiping functions, and is totally irretrievable. Great! Now one can only hope that the ‘new owners’ will just reset it to factory defaults, wiping everything, and won’t sell the data from the phone to anyone extremely interested in undermining the company’s operations.

Protecting endpoints today isn’t just setting a security solution to your laptops (or desktops if such exotics are still in use today). It is actually a worker with an array of devices that is the “endpoint” now – and it may go in and out of the main office’s protected perimeter many times per day – not to mention off hours. Protection must be still active on all of the employee’s smartphones, tablets, and laptops that is used for work, otherwise an endpoint one day becomes an entry point for attackers.

It is extremely helpful if employees inform the company’s IT workers (if there are any, which isn’t always the case for the startups) of all of their devices, so they can install the corporate security software clients which would protect the working data.  It may be wishful thinking that they will do so without (repeated) requests and assurances that their personal privacy won’t be violated.

Lease me a cloud

Using a third party infrastructure to store large amounts of data is common for businesses of all sizes. There are also a handful of free cloud-based collaboration suites out there (think of Google Drive/Docs for instance) and those are extremely attractive to the most cost-savvy businesses such as startups.

Should the critical data be trusted to the outsource storage/collabo suites without added protection? Well, most of these resources claim to have great security, but the topic of cloud security is still much debated. An extra security layer – like data encryption – wouldn’t take a lot of effort to provide, and may help to avoid a lot of trouble if something goes wrong.

The burning questions and a plain scheme

We have written before that good security requires a good policy and understanding of what requires protection. The proper questions should first be set and answered, based on which we can create a more or less plain scheme of how to ensure the security continuously.

There are three questions that should be asked first:

1) Where is my data – i.e. what exactly requires protection?

2) What should I do to protect my data? – i.e. to prevent loss of access, damage and/or leak of the data?

3) How do I make sure my data stays protected? – i.e. how to ensure that the data doesn’t leave the “protected space”.

And two extra questions should be asked:

4) What do I know of the cyberthreats and is it enough?

5) How difficult it is for the cybercriminals to get to my bank account via electronic communications?

With those answers we may plan the defense layout, i.e. provide the needed security tools. Eventually the plan will look rather simple – most likely, it’s just a list of the functions that a security solution needs to have and the steps to make sure it works within your company whether it has a dedicated IT worker or not.

Kaspersky Small Security Office, for instance, is specifically tailored for the small businesses that require simple to use, but effective protection tools. Check it out here.