An axiom for any business is that it exists for profit, whatever it produces or offers. Otherwise it\u2019s not a business. Of course, startups have to keep their belts tightened, and saving on their own security often seems logical. It is not \u2013 we\u2019ve said so many times, and it\u2019s not a problem to say it again :-) The question is how to substantiate these claims.<\/p>\n
So, let\u2019s just lay all the cards on the table.<\/p>\n
Day one<\/strong><\/p>\n Let\u2019s look at two examples: the first one is a small startup, formed just a few months ago at best, while the second is more of a SMB and it has already established itself in its niche.<\/p>\n It seems clear that the second one is more likely to have its data security in place \u2013 it has a bit more resources to allocate for secondary accessories\u2026 Wait, was \u201csecondary\u201d about security?<\/p>\n As a matter of fact, for many people, security measures are indeed a \u201csecondary accessory<\/a>.\u201d<\/p>\n #SMB companies and startups: growing secure #protectmybiz<\/p>Tweet<\/a><\/blockquote>\n This is a common, but innately flawed, mode of thinking, a sort of \u201cinvulnerability by obscurity\u201d that we have written about before<\/a>. Smaller companies don\u2019t feel it is necessary to protect themselves because they are ostensibly too small and insignificant to draw cybercriminals\u2019 interest.<\/p>\n At first it may seem logical, but cybercriminals care little about the size and sales of their victim. There are just two questions they want answered: 1. Is there any money? 2. Is it difficult to get to them<\/a>? A \u201cyes-no\u201d combination is an attack in the making.<\/p>\n So when choosing between an established small company and a startup, it is the latter\u2019s bank account that criminals will most likely visit the first. An SMB company may have a larger sum of money there, but its cyberperimeter is much\u00a0harder to penetrate<\/a>.<\/p>\n It is wholeheartedly recommended to think of cybersecurity as something that is needed from\u00a0day one, just like the hardware and office software necessary to do business.<\/p>\n Coming in, going out<\/strong><\/p>\n Okay, so let\u2019s assume that cybersecurity is indeed set up properly from the very beginning in the offices of both in our startup and SMB company. Network, server(s) and endpoints are protected \u2013 probably even with some unified solution, not a hotch-potch of home-oriented antiviruses brought in by the employees themselves along with their personal laptops.<\/p>\n But then a data leak happens \u2013 in the form of, say, your company CFO\u2019s stolen or lost smartphone that had no security solution installed, had no remote wiping functions, and is totally irretrievable. Great! Now one can only\u00a0hope that the \u2018new owners\u2019 will just reset it to factory defaults, wiping everything, and won\u2019t sell the data from the phone to anyone extremely interested<\/a>\u00a0in undermining the company\u2019s operations.<\/p>\n Protecting endpoints today isn\u2019t just setting a security solution to your laptops (or desktops if such exotics are still in use today). It is actually a worker with an\u00a0array of devices that is the \u201cendpoint\u201d now \u2013 and it may go in and out of the main office\u2019s protected perimeter many times per day \u2013 not to mention off hours. Protection must be still active on all of the employee\u2019s smartphones, tablets, and laptops that is used for work, otherwise an endpoint one day becomes an entry point for attackers.<\/p>\n It\u00a0is extremely helpful if employees inform the company\u2019s IT workers (if there are any, which isn\u2019t always the case for the startups) of all of their devices, so they can install the corporate security software clients which would protect the working data. \u00a0It may be wishful thinking that they will do so without (repeated) requests<\/a> and assurances that their personal privacy won\u2019t\u00a0be violated.<\/p>\n Lease me a cloud<\/strong><\/p>\n Using a third party infrastructure<\/a> to store large amounts of data is common for businesses of all sizes. There are also a handful of free cloud-based collaboration suites out there (think of Google Drive\/Docs for instance) and those are extremely attractive to the most cost-savvy businesses such as startups.<\/p>\n Should the critical data be trusted to the outsource storage\/collabo suites without added protection? Well, most of these resources claim to have great security, but the topic of cloud security is still much debated. An extra security layer \u2013 like\u00a0data encryption \u2013 wouldn\u2019t take a lot of effort to provide, and may help to avoid a lot of trouble if something goes wrong.<\/p>\n The burning questions and a plain scheme<\/strong><\/p>\n We have written before that good security requires a good policy and understanding of what requires protection. The proper questions<\/a> should first be set and answered, based on which we can create a more or less plain scheme of how to ensure the security continuously.<\/p>\n #Security starts with proper questions #protectmybiz<\/p>Tweet<\/a><\/blockquote>\n There are three questions that should be asked first:<\/p>\n 1) Where is my data \u2013 i.e. what exactly requires protection<\/a>?<\/p>\n 2) What should I do to protect my data? \u2013 i.e. to prevent loss of access, damage and\/or leak of the data?<\/p>\n 3) How do I make sure my data stays protected? \u2013 i.e. how to ensure that the data doesn\u2019t leave the \u201cprotected space\u201d.<\/p>\n And\u00a0two extra questions should be asked:<\/p>\n 4) What do I know of the cyberthreats<\/a> and is it enough?<\/p>\n 5) How difficult it is for the cybercriminals\u00a0to get to my bank account via electronic communications?<\/p>\n With those answers we may plan the defense layout, i.e. provide the needed security tools. Eventually the plan will look rather simple \u2013 most likely, it\u2019s just a list of the functions that a security solution needs to have and the steps to make sure it works within your company whether it has a dedicated IT worker or not<\/a>.<\/p>\n