You think it’s too early to focus on cybersecurity
At the very dawn of your journey as a small business or startup, the line between before and after is often blurred. You don’t clearly realize when you’ve crossed over. Just yesterday, your laptop was for personal use only (education, some side projects, watching movies); today, lots of personally identifiable information, credentials to the production environment, and other sensitive business-related information is stored and manipulated on the only computer you own. Probably, like the majority of users, you do a full disk backup once in that rare moment of cautiousness when one of your friends loses everything to ransomware.
No matter what you think of your business and how much you believe that it’s too early for hackers to be interested in you, the truth is that you’re exactly in a hacker’s sweet spot. If you’re a new startup, then probably you’re trying to onboard your first customers. And if you’re a B2B startup, your next customer could be a gigantic corporation.
This is exactly why governments and corporations develop and enforce cybersecurity supply chain regulations — they want to build trusting relations with those who understand the risks and care about their cybersecurity. Moreover, you should take cybersecurity seriously not only because it’s expected of you but also because your clients may be at greater risk than you are.
You first thought cybersecurity was too expensive and now think it’s just a matter of spending a few bucks per endpoint
One of the biggest mistakes is thinking that your organization’s cybersecurity is just a question of a relatively small investment. Yes, it should be affordable. There’s no sense starting a business if you spend more on cybersecurity than you earn. But the ugly truth is that to build solid cybersecurity, you need to change the way your organization works. Cybersecurity is a risk-based domain, which means that you need to manage your cybersecurity risk just like any other risk, work with probabilities, and mitigate threats. You can accomplish this only by changing your mindset and implementing a cyber/information security framework — a set of rules and processes that allow you to manage your cybersecurity risks.
Sure, you want to keep a cozy family feel within your team: no controls, approvals, or boring meetings. You think this is your huge advantage as an employer. But while you might be right about the impact on your employer brand, the cybersecurity risks don’t decrease due to a smaller headcount.
You believe that cybersecurity equals compliance
By the time you start thinking about your cybersecurity, your favorite customer or an industry regulator has likely already informed you that in order to continue your business development journey, you’ll need to achieve compliance with one of the popular cybersecurity frameworks such as SOC2, ISO27k, or the NIST family of standards. And if you haven’t thought about your cybersecurity before such a conversation happens, you surely will start thinking about it afterwards.
Luckily, a simplified cybersecurity standard, SOC2, is now accepted by most stakeholders and makes everything a little bit easier. Okay, you think. I need to implement this and cybersecurity will come automatically.
The truth is that while following a framework such as SOC2, ISO27k, or NIST standards is mandatory for sustainable cybersecurity, it’s not sufficient. Cybersecurity is not a state; it’s a process. Which means you should constantly monitor what’s happening in your infrastructure. A cybersecurity framework makes sure you’re not monitoring complete chaos. You can think of it as a labyrinth for hackers, where all the routes can be monitored so you can spot an anomaly quickly and respond easily.
Compliance can be faked in order to get a piece of paper confirming you’ve implemented SOC2 requirements. In reality, however, this is a ticking time bomb that will detonate during the next APT (advance persistent threat) attack. Thus, compliance without due care is wasted money.
You think that once you hire a Chief Information Security Officer, cybersecurity will be fully their concern
You should ideally have a manager dedicated to cybersecurity who runs the sometimes boring cybersecurity operations and keeps an eye on all internal cyber-related activities. This is the correct approach, but it should not mean that you fully delegate your cybersecurity to a manager employed by you.
Don’t forget that cybersecurity is a risk-based domain. And the final owners of this risk are the CEO, the co-founders, and the management board.
A good Chief Information Security Officer (CISO) will study, prepare, and implement lots of things, but eventually they will come to you to justify the costs and explain why you need to stop using your favorite tool and instead buy a whole list of special software to make your attack surface monitorable and controllable.
You assume that once you’ve implemented cybersecurity practices, you’ll finally become secure
The unfair truth is that even after years of investments and focusing on your cybersecurity, you’ll still be vulnerable. It is the nature of cybersecurity and the rapidly growing tech industry to evolve.
There is no final destination in cybersecurity. It’s like cleaning your teeth — you do it every day and still visit your dentist twice a year.
No destination means this is an endless road for as long as your organization lives, and over time you will lose some employees and gain new talents. That’s why regular cyber hygiene and cybersecurity awareness programs are an essential element for the sustainability of your cybersecurity.
You may hold or have held one of the above beliefs, and you’re not the only one. On average, it takes five years to raise a cybersecurity pro. However, as a company that has been fighting some of the most devastating cyberattacks in history over the last fourteen years, we know that half-baked security measures are not the best option for innovative companies.
If you want to secure your business today you should cover all vital aspects of startup’s cybersecurity journey: compliance, hardening of your infrastructure and actual attack prevention, incident detection, and response. It’s the only way to mitigate the potential consequences of a cybersecurity incide