There’s a lot to consider when starting your own business, and with almost all your resources focused on recouping your investment, it’s understandable that you might not consider information security a top priority.
Indeed, you might reason that spending money on defences won’t provide clear, short-term financial returns. However, the threat that cyber crime poses means it’s something you can’t ignore.
Almost a third of organisations suffered a data breach in 2019, and without adequate defences in place, a security incident could severely jeopardise your business.
Small organisations are the most likely to be affected, because they often don’t have the resources to withstand the financial loss and drop in productivity that so often accompany a security incident.
However, there’s more to cyber security than mitigating the risk of disaster. In fact, when implemented correctly, defences can help your business grow and give you an advantage over your competitors.
Getting started on the right foot
New business owners are probably familiar with people telling them that “the first six months are the hardest”. They might even chime in with a statistic like 20% of small businesses fail in their first year.
It doesn’t take an expert to figure out why those businesses failed: they overestimated how much money they would make or underestimated how much they would need to spend.
But for that conclusion to be useful, you need to account for why their estimations were off. The answer comes in the form of another familiar business trope: you’ve got to spend money to make money.
Many failing organisations are so focused on cutting costs that they don’t factor in the long-term effects of their decisions.
For example, you can put off information security to preserve capital early on, but defences will become increasingly expensive to implement if you only start 6 or 12 months down the line.
And guess what? Your business won’t be any more stable at that point. If anything, you’ll have more financial commitments and processes to maintain, making it more expensive to implement information security controls than if you’d rolled them out gradually over time.
We’re not suggesting that you dive headfirst into an ISO 27001 implementation project during your business’s infancy.
Not only would this be prohibitively expensive, it’d also be a waste of time. Your organisation will change substantially as it develops, forcing you to reassess your security requirements after just a few months.
However, it’s definitely worth implementing core cyber security practices from the outset.
For example, a risk assessment-led ISMS (information security management system) gives you a governance structure that your business can grow around, and which will support an ISO 27001 implementation project when the time is right.
Similarly, it’s never too soon to familiarise yourself with the risks that employees introduce into an organisation. By undertaking regular staff awareness training, you are in a great position to prevent phishing and ransomware – two of the biggest cyber security threats that businesses face.
Win stakeholders’ trust
We are increasingly aware of the damage that can be done when cyber criminals steal our personal data. As such, the repercussions of a data breach extend beyond an organisation’s ability to do business to the way its customers and partners react.
People are generally aware of the difference between an unavoidable incident and one that resulted from lax defences, so they will know how much you are to blame.
As such, a preventable data breach will lead to customers losing trust in you and considering their alternatives just as you’re making a name for yourself.
By contrast, if you can demonstrate effective information security, you will gain the respect of stakeholders and have the opportunity to win over customers and clients who have decided to take their business elsewhere after a data breach at one of your competitors.
Customers aren’t the only ones concerned about your information security practices; organisations in your supply chain also typically want assurances that the information they share with you remains secure.
These assurances might take the form of contractual requirements that borrow from ISO 27001 or other information security frameworks. They will probably include, as a minimum, a risk assessment to identify risks and the implementation of appropriate controls that correspond to your biggest threats.
What’s your next step?
With so much contrasting advice on the best way to address information security, it’s hard to settle on a definitive answer.
The truth is that there is no one-size-fits-all approach; you must instead look at the needs of your business and the resources you have and figure out what’s right for you.
You can find out how to assess your needs by reading Cyber Security 101 – A guide for SMEs.
Written by our team of experts and tailored specifically to start-ups and small organisations, this free green paper explains what you need to consider when developing your cyber security strategy, and provides examples of some of the steps you can take.