My Company Just Raised. What Do I Do About IT Security?


Raising the capital you need to get your startup off the ground is definitely a reason to celebrate, but it’s also a time to ensure that funding will get you through to the next stage of business growth. A big portion of your startup’s budget will be allocated for recruiting and hiring the talent capable of making your ideas a reality. You’re probably also looking at office space, infrastructure, and fixed assets that will give your team the tools they need as well as create the environment to support the work culture you envision.

While all of that is inarguably important, keep in mind: Your budget must cover your startup’s other expenses as well, such as supplies, utilities, and fees. A line item that’s missing from many startups’ budgets - but one you can’t afford to overlook - is IT security.

Don’t Open the Doors of Your Company with Security Risks

Make no mistake. Startups are targets for cyberattacks. In its 2019 Data Breach Investigations Report, Verizon points out that 43 percent of data breaches involved small businesses. Your business doesn’t have to be around for long before hackers find you. For example, cybercriminals hacked sales engagement startup Apollo in 2018 and the graphic design startup Canva in 2019.

Hackers always gravitate toward easy opportunities, and startups that haven’t executed a comprehensive IT security plan are low-hanging fruit. Hackers bet on the fact that a startup has back-burnered some security tasks while getting their operations off the ground, leaving their networks, applications, and customer data vulnerable. Furthermore, inadequate IT security puts your intellectual property at risk. Could your new business afford to have your innovations or products stolen or held for ransom?

The costs of recovering from a cyberattack or data breach can be astronomical. In addition to repairs and data restoration, depending on your industry, you may also face fines. For instance, the General Data Protection Regulation (GDPR) requires that any business or organization, in any country, processing or controlling data from European Union residents follow specific data protection practices. Data covered by the regulation includes names, addresses, photos, and social network posts, as well as more sensitive data such as payment card numbers or medical information. Penalties for noncompliance are high. Businesses could face fines up to 4 percent of their annual revenue or $24 million, whichever is higher. Since GDPR enforcement began in May 2018, numerous businesses and organizations have been penalized for a range of infractions.

It’s not just GDPR compliance your company has to worry about. As of January 1, 2020, the California Consumer Privacy Act (CCPA) goes into effect. In addition to giving consumers more control over the types of data that businesses collect and whether they permit them to sell it, CCPA also gives consumers the right to sue companies that collected data but neglected to take measures to protect it. The act empowers the California Attorney General to enforce the law and levy fines of up to $2,500 per violation.

The bottom line? Although it may not be appealing to create a budget line item for IT security or allocate funds to other areas of your business, the risks associated with inadequate IT security and noncompliance with regulations that require it are immense and expensive. If your budget seems too lean to cover IT security expenses, would there be funds to cover the costs of noncompliance and recovering from a data breach?

Essential Components of an IT Security Solution

When you budget for IT security, ensure you are considering all of the expenses associated with a layered security strategy that will protect your business on all fronts. Although there is no 100 percent guarantee that any business or organization can prevent a cyberattack in a constantly changing threat landscape, a comprehensive plan based on your specific activities can mitigate a huge proportion of the risks to your business.

Implementing your startup’s security plan isn’t something that can wait weeks or months while you attend to other demands. You need your plan in place from the outset to minimize vulnerability to cyberattack. Key elements of your security solution should include:

Firewall & Virtual Private Network (VPN) Solutions

Different types of cyberattacks occur at various layers of communication on the network and between endpoints. It’s crucial to protect your network and applications with technologies including deep-packet inspection, intrusion prevention, zero-day threat detection, and defenses against distributed denial of service (DDoS). Palo Alto Networks, Fortinet, Cisco, and Check Point are the leaders in this space.

The packet filtering built into the router or modem provided by your broadband ISP is not going to provide adequate protection. You need something more comprehensive that includes elements of next-generation firewall technology, such as application-based filtering, identity management, and malware blocking, as well as website filtering and QoS.

Endpoint Protection

Your security strategy should also include host-based anti-malware solutions to protect your business from phishing, ransomware, and other types of malware. Many vendors offer endpoint protection and management, like CrowdStrike and Palo Alto Networks Traps.

Data Backup

Although you are backing up data to prevent loss, it’s smart to consider backups as a part of your security plan. A system backed up at the right intervals can prevent having to pay a ransom to recover files if you’re hit with crypto or locker ransomware. You can eliminate the malware on your network, and then revert back to a time before it infected your system.

Vulnerability Assessments & Threat Mitigation

New cybersecurity threats continually emerge, so the security plan you execute today probably won’t be effective six months from now. Your security strategy must include periodic assessments designed to uncover vulnerabilities and give you the inward visibility you need to eliminate them.

Training

Businesses don’t always think of training as a component of a security solution, but people are often the weakest link in your IT security chain. Even your smartest team members can make mistakes. Make them aware of current attack vectors and best practices to avoid falling prey to them.

Incident Response

Your IT team needs a plan for when things go sideways, because they will. If and when the CEO or another high-level executive needs a new phone, or when a critical employee clicks the wrong email or attachment, you need a response plan. Even if something more mundane happens, like the power going out in the building, IT needs to spring into action, often on very short notice, and someone needs to be there minding the store, around the clock.

How Will You Manage IT Security?

Skillfully managing IT security takes specialized training and expertise. However, there is a shortage of IT security professionals. Currently, about 2.93 million cybersecurity positions are unfilled worldwide. It will probably be a challenge to find - and afford - a qualified person to take this role at your startup.

You may be tempted to try to divide cybersecurity responsibilities among your team. It’s not a wise strategy, considering what’s riding on executing an effective security plan for your growing business. You also need to consider the workload your team members already have focusing on their primary responsibilities. There likely isn’t room in their job descriptions to take on IT security responsibilities “on the side.”

An option that many businesses are choosing is to outsource IT security to a managed security service provider (MSSP). Continuum’s State of SMB Cybersecurity in 2019 white paper states that 77 percent of small and medium-sized businesses anticipate outsourcing at least half of their cybersecurity strategy, and 89 percent are considering hiring MSSPs.

Benefits of outsourcing include:

  • Advanced Technologies: A managed security provider invests in state-of-the-art solutions that they use for multiple clients. Therefore, they can afford advanced solutions that are probably beyond your budget capabilities.

  • Lower Costs: Your startup can often leverage those advanced security solutions as well as auditing and assessment services, consulting, and strategy for less than the salary and benefits of an in-house IT security professional.

  • Flexibility: Outsourcing means you get the quantity and quality of IT resources you need when you need them, instead of personnel that are unsustainably overworked or bored and waiting around.

  • 24/7 Monitoring: Managed security providers are focused, day and night, on security. You, on the other hand, have a million things on your plate. By outsourcing IT security, you have the assurance that a team of skilled professionals is always monitoring your network.

  • Up-to-Date Security Intelligence: The security threat landscape changes daily - it’s hard for a single person on your staff to keep up. Managed security providers use extensive networks for the latest intelligence and threat mitigation strategies, and can ensure security patches are promptly tested and implemented.

  • Expertise: Partnering with IT security specialists can strengthen your business with advice, resources, and best practices to help your team avoid errors that could result in a data breach. The right partner will also advise you on the smartest security solution investments based on your industry, your risk, and your operation.

Managing IT security on your own will require making an upfront capital expenditure for solutions that provide IT security and management. Another advantage of working with an MSSP is that you can replace that CAPEX with an OPEX. When you contract with a provider for managed services, you pay for Security as a Service on a monthly or annual basis.

Your Startup’s Most Important Expense

When you are ready to switch the lights on in your new facility and put your new team to work, make sure your network, data, and IP are secure. Security isn’t a luxury that only established enterprises can afford. It’s a necessity you need now to protect your startup and give it a chance to thrive.

If IT security isn’t something you can effectively manage in-house, reach out to us. Even if Black Mountain Dynamics isn’t a good fit for your company, we’ll help you find an experienced and skilled managed security provider. Once this crucial element of protecting your company is in place, you and your team can breathe a little easier and get down to the business of making your startup a success.

Rama Polefka