Surprisingly, many startups don't treat security as a key priority and are forced to address it only when it is already too late. Winning a big contract depends on many things, but if your company's existing security program doesn't hold up under review by a prospect's security and privacy team, the deal may be dead.
If high-growth companies selling into the enterprise or into highly regulated industries don't take security seriously from day one, it will cost them dearly: lost business and lost trust, both of which are incredibly hard to recover.
So why overlook security when it could jeopardize big client wins? Maybe it's overconfidence in what is already in place, or a cavalier attitude because your company uses "third-party apps with security protocols". Or maybe it's a lack of understanding of just how important a strong security approach is when selling to enterprise companies. Attackers increasingly target supply chains, because a vendor with a weak security posture is an easy back door into its larger customers. Sometimes startups simply assume they have the right certifications, tests, or standards in place, until they receive a lengthy questionnaire from a client asking them to explain their security policies and realize they can't.
At the root of the problem are several misconceptions about security. Here are five of the most common misconceptions, along with a reality check to reset your company’s security mindset:
Misconception 1: cybersecurity is a technology issue
- Reality check: Cybersecurity is the responsibility of every team member: from the founder who sets a security-minded tone, to the teams that implement the policies, to the new employee choosing a password. Security is the tools, tasks, and routine activities each team member does every day to protect the company.
Misconception 2: our application is built on a cloud service, so we’re secure
- Reality check: Cloud providers operate on a shared responsibility model: the provider secures the underlying infrastructure, while you remain responsible for how you configure the service, which identities have access, and how your data is stored and handled. You can't rely on someone else's policies to cover your own. Your team is accountable for your data, so you need to own how you use your cloud service, who has access, and the policies you set around cloud usage.
Misconception 3: we can get by with the bare minimum for security
- Reality check: Attackers look for the easiest target, and a bare-minimum posture makes you that target. Failing that, a regulator may flag you for non-compliance. Be proactive in putting standards in place and adhering to data regulations before anyone comes asking about them.
Misconception 4: we can focus on security later
- Reality check: Putting security off until later means your company is vulnerable now. It will also result in a ton of security debt; meaning at some point, you’re going to have to pay for cutting corners. The time to start thinking about security is when you start building the company, so that you can incorporate security into the culture and policies from the very beginning.
Misconception 5: we don’t need a penetration test
- Reality check: A penetration test, or pen test, simulates an attack on your systems by a skilled adversary, and can reveal blind spots and vulnerabilities you might be missing. It also stress-tests your defenses to see whether they hold up against a real attack. Keep in mind that a pen test is a point-in-time assessment: the value comes from fixing the findings and retesting, not from the report itself.
What you can do
If any of these common misconceptions ring true for you and your organization, don’t panic. There are practical things you can do today to strengthen your company’s security posture, and lay the foundation for a robust information security and privacy program. The top five include:
- Implement security meetings: Start with a meeting to reposition the culture of your company. As mentioned above, security isn’t just a tech issue or an issue for a specific team, rather it should be a focus for everyone. Get key team leaders together to assess what your systems are, what risks you’re facing, and what plans you need to put in place going forward.
- Practice proactive compliance: Next, identify which frameworks and regulations apply to you, including any industry-specific or regional standards, and make sure you meet them. Don't wait for a regulator to flag you for non-compliance. Be proactive in implementing the standards you need, and include the standards your clients hold themselves to, so that your security is on the same level as theirs.
- Review your strategy: Create a thorough set of policies and procedures, and ensure each department knows their roles and policies regarding customer data. Be clear about what to do in the case of an incident. If the policies and procedures aren’t already documented somewhere, make that a priority.
- Inventory your assets: Take an inventory of your hardware and software assets so you know what you have and what needs to be upgraded. Don't only think about which hardware needs updating, but who has access to it and whether that access is still needed. Is there any hardware that has been forgotten about and could be an entry point for attackers? Is your software up to date, or does any of it need to be uninstalled?
- Ask for advice: As you build your company’s security program, ask colleagues and vendors for advice, and seek out security experts to help you sort out your approach. Don’t be afraid to outsource security tasks to trained experts as well.
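The asset inventory step above is the one in this list that lends itself to automation. The following script is an added example, not code from the original article: it runs a simple triage over an inventory and flags forgotten hosts (not seen for 90 days), assets with no recorded owner, software below a minimum acceptable version, and accounts that still have access after the person has left. The inventory, the staff list and the baseline version numbers are all constructed sample data with hypothetical values.

```python
"""Triage a small asset inventory: flag forgotten hosts, unowned assets,
outdated software and stale access. Added example with constructed data."""
import re
from datetime import date, timedelta

# Constructed sample inventory (hypothetical hosts, not a real environment).
INVENTORY = [
    {"host": "api-prod-1", "owner": "platform", "last_seen": "2024-05-30",
     "software": {"openssh": "9.6", "nginx": "1.24.0"},
     "access": ["alice", "bob"]},
    {"host": "build-box-old", "owner": "", "last_seen": "2023-11-02",
     "software": {"openssh": "8.2", "jenkins": "2.387"},
     "access": ["carol"]},
    {"host": "laptop-ceo", "owner": "exec", "last_seen": "2024-05-28",
     "software": {"openssh": "9.6"},
     "access": ["dave"]},
]

# Constructed current staff list; anyone with access who is not here has left.
CURRENT_STAFF = {"alice", "bob", "dave"}

# Assumed minimum acceptable versions the team maintains (hypothetical values).
BASELINE = {"openssh": "9.6", "nginx": "1.24.0", "jenkins": "2.440"}

STALE_AFTER = timedelta(days=90)


def parse_version(v: str) -> tuple:
    """Turn '1.24.0' into (1, 24, 0) so versions compare numerically rather
    than as strings ('9.6' > '10.0' lexically, but not as a version).
    Non-numeric suffixes such as '9.6p1' contribute their digits as a
    further component."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def triage(inventory, baseline, staff, today, stale_after=STALE_AFTER):
    """Return a list of (host, finding_kind, detail) tuples."""
    findings = []
    for asset in inventory:
        host = asset["host"]

        # Forgotten hardware: nothing has reported in for too long.
        last_seen = date.fromisoformat(asset["last_seen"])
        if today - last_seen > stale_after:
            findings.append((host, "forgotten", f"last seen {asset['last_seen']}"))

        # Nobody owns it, so nobody patches it.
        if not asset["owner"]:
            findings.append((host, "unowned", "no owner recorded"))

        # Software below the minimum version, or not covered by the baseline.
        for name, ver in asset["software"].items():
            minimum = baseline.get(name)
            if minimum is None:
                findings.append((host, "unknown-software", f"{name} not in baseline"))
            elif parse_version(ver) < parse_version(minimum):
                findings.append((host, "outdated", f"{name} {ver} < {minimum}"))

        # Access that outlived the person: a classic forgotten entry point.
        for user in asset["access"]:
            if user not in staff:
                findings.append((host, "stale-access", f"{user} is no longer staff"))
    return findings


def demo_findings():
    """Run the triage over the constructed inventory as of a fixed date."""
    return triage(INVENTORY, BASELINE, CURRENT_STAFF, date(2024, 6, 1))


if __name__ == "__main__":
    for host, kind, detail in demo_findings():
        print(f"{host:15} {kind:16} {detail}")
```

With the sample data, every finding lands on the neglected build box: it has not checked in for months, has no owner, runs two out-of-date packages, and is still accessible to someone who has left. In practice the inventory would come from your MDM, cloud API or CMDB export rather than a literal in the script, but the checks stay the same.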
While misconceptions can be changed through awareness and education, breaches and hacks can’t be taken back, and trust is nearly impossible to regain as a young organization. By reassessing your company’s security mindset, policies, and procedures, you can take steps today to focus on the right things when it comes to protecting yourself and your clients. The sooner you embed security and privacy into the very DNA of your organization, the more quickly and effectively you can drive your business forward.