There’s a lot to consider when starting your own business – and with almost all your resources focused on recouping your investment, it’s understandable that you might not consider information security a top priority.
You might reason that spending money on defences won’t provide the clear, short-term financial returns that are necessary if you are to grow.
Unfortunately, you cannot ignore the threat of cyber crime. Security incidents cost organisations more than €3 million on average, according to a Ponemon Institute study, a figure that almost no start-up can afford.
It’s therefore essential that start-ups invest in strong defences as soon as possible. The good news is that the money you spend isn’t just there to prevent disaster; it will also help your business run more efficiently, and your focus on data protection could even give you a competitive advantage.
We explain how start-ups can make the most out of cyber security in this blog, as we break down the dos and don’ts of successful data protection.
Getting started on the right foot
New business owners are probably familiar with people telling them that “the first six months are the hardest”. They might even chime in with a statistic like 20% of small businesses fail in their first year.
It doesn’t take an expert to figure out why those businesses failed: they overestimated how much money they would make or underestimated how much they would need to spend.
But for that conclusion to be useful, you need to account for why their estimations were off. The answer comes in the form of another familiar business trope: you’ve got to spend money to make money.
Many failing organisations are so focused on cutting costs that they don’t factor in the long-term effects of their decisions.
You can put off information security investment to preserve capital early on, but defences become increasingly expensive to address if you only start 6 or 12 months down the line.
And guess what? Your business won’t be any more stable at that point. If anything, you’ll have more financial commitments and processes to maintain, making it more expensive to implement defences compared to if you’d rolled them out over time.
So, what conclusions can we draw from this?
Do: implement core cyber security practices from the outset. A great place to start is ISO 27001, the international standard for information security.
It contains a comprehensive framework of the security measures organisations can adopt to tackle a range of threats. It also provides guidelines on how to complete a risk assessment, which helps you identify and prioritise threats and appropriate solutions.
Don’t: dive headfirst into an ISO 27001 certification project. Although the Standard contains excellent advice, you don’t have to certify against it right away.
That’s because your organisation will change substantially as it develops, forcing you to reassess your security requirements regularly.
Even if you follow ISO 27001’s guidelines as closely as possible, it will be difficult to tell whether you are fully compliant with its requirements.
More to the point, what is considered compliant at the time may not be the next time you expand your operations.
You should therefore hold off on certifying until your business is stable.
Do: familiarise yourself with the risks that employees introduce into an organisation as soon as possible.
By undertaking regular staff awareness training, you are in a great position to prevent phishing and ransomware – two of the biggest cyber security threats that businesses face.
It’s easier for start-ups to conduct staff awareness training than for other organisations, because they have fewer employees. The lessons you teach can be tailored to their needs, and you can identify what’s working and what isn’t as you go.
Winning stakeholders’ trust
We are increasingly aware of the damage cyber criminals can cause. As such, the repercussions of a data breach aren’t limited to an organisation’s ability to do business but also to the way customers and partners react.
No organisation is immune from cyber attacks – and in fact, start-ups and SMEs are more likely to come under attack because of their burgeoning IT systems and processes, which could contain weaknesses.
Fortunately, people are generally aware of the difference between an unavoidable incident and one that resulted from negligence, so you can avoid criticism if you act responsibly.
Don’t: lie when you’ve suffered a data breach or otherwise downplay the severity of the incident. Not only is this morally wrong, but affected individuals or interested parties will soon catch on.
This will lead to an investigation under the GDPR (General Data Protection Regulation), where the full extent of the damage will be revealed.
You’ll end up receiving a heavier fine than you otherwise would, as well as losing the trust of customers and stakeholders.
Do: own up to your mistakes – particularly if you can demonstrate what you’ve done to address the incident.
The worst thing that can happen is that you’ll face scrutiny over the breach, but because incidents occur so regularly, it will soon become yesterday’s news.
Meanwhile, you’ll have the opportunity to demonstrate which defences you’ve invested in, and to assure customers that you take information security seriously.
What’s your next step?
With so much contrasting advice on the best way to address information security, it’s hard to settle on a definitive answer.
The truth is that there is no one-size-fits-all approach; you must instead look at the needs of your business and the resources you have and figure out what’s right for you.
You can find out how to assess your needs by reading Cyber Security 101 – A guide for SMEs.
This free green paper was written by our team of experts and tailored specifically to start-ups and small organisations.
It explains what you need to consider when developing your cyber security strategy, and provides examples of some of the steps you can take.
A version of this blog was originally published on 20 August 2017.