Start-ups are filled with some of the most skilled and computer-literate people on the planet, at least that has been the perception many have had of these think tanks.
However, don’t rest easy on your tech-savvy laurels, because it’s this false sense of cyber security that hackers are keen to exploit.
In fact, start-ups are sometimes the most vulnerable to being hacked, because they’re the ones who least expect it.
By not putting the right cybersecurity precautions in place, start-ups are risking their reputation, finances and livelihood.
While it might be reported in the mainstream media, many tech start-ups have come close to fully closing down their business after a cyber-attack.
Unless you can ensure the perfect balance of people, systems, and processes to combat cyber-attacks, then your business certainly isn’t secure.
Hackers are like a mutating virus; they’re always one step ahead. The question is not if they have the ability to attack, but simply when and how they’ll decide to strike.
So, if you’re facing a cyber security breach, or simply want to prepare in case one should occur, here’s the cyber security checklist every start-up needs to know, including how and why you need to create one for your own business.
Stop relying on ‘let’s wait and see’
Many businesses are under the assumption that all they need to protect them from a cyber- attack is a security penetration test once a year. Unfortunately, it’s not that simple. Start-ups cannot treat cyber-security as a ‘wait and see’ situation.
Cyber-security needs to be planned and implemented well in advance of an attack.
In order to assess your cyber-security risks, people and systems need to be mapped to a cyber-security framework like the ISO27001 Security Framework, allowing you to investigate how those weaknesses can be exploited to cause damage to your business.
If no training was ever given to the people in your company, how likely is it that staff would click on a link that could install malicious software? If your systems don’t have the latest security patches, how easily can they be breached? If there are no policies or processes for cyber-security in place, is it even possible to prevent an imminent attack?
Answering these questions will help you get prepared for a potential attack, while providing clues for the steps you need to take to better secure your business.
Put policies and processes in place
If there are no policies or processes for cyber-security in place, an attack is guaranteed – no matter what the size of your company is. Start-ups are famous for their scattergun approach to policies and processes. They’re the domain of big boring corporations, right? When it comes to cyber-security, that’s certainly the wrong way to think about things.
If there are no policies or processes for cyber-security in place, an imminent breach is guaranteed – no matter how new or small your company is.
For example, if your staff are not trained in ransomware, phishing, and the signs to look out for, it’s more likely that they would click on a link that could install malicious software.
If your username and passwords are compromised on the dark web or you have left a port open for an external vendor to help configure, then your infrastructure or even your vendor can be compromised making an attack very easy to execute.
Passwords should be rotated at least every 60 days, although every 30 days is better.
To make them harder to guess, passwords should be at least 8-10 characters long, have at least one number, one capital letter, and one special character, such as: ‘!@#$)’. Adding multi factor authentication will also significantly reduce your exposure to a cyber attack.
Changing passwords is great, but it won’t help if those passwords and special answers are being shared between multiple staff, with the potential for them to be leaked.
Instead, every staff member should have their own accounts with their own unique user ID and password, so that there is no need to share passwords between staff members.
Ongoing monitoring and detection
Once you have the right policies and processes in place, it is crucial to ensure that you also have continuous monitoring, detection and response on your applications, networks and infrastructure from a security standpoint. This will ensure you are covered in the event a hacker is able to bypass your security controls to launch an attack.
Application, network and infrastructure monitoring is very different to security monitoring. IT security is often mistaken for cyber-security and it is important to keep them separate.
IT security manages your network and endpoints and cyber-security teams test, monitor, detect, respond, and manage your policies to ensure overall integrity of your systems.
They also work with your people to train them in best cyber-security practice.
Lastly, you may need someone internal or external, like a virtual cyber-security consultant, to manage all your cyber-security related business functions and work with IT to remediate, improve and mature your overall protection and defence from cyber-attacks.
There are a wide range of ways that a business can get hacked – even for the most tech savvy of start-ups. Thankfully, by having the right policies, systems, and training in place, you’ll be putting your business in a much more secure position now and into the future.
Ajay Unni has over 30+ years’ IT industry experience, with over 15 years as a cyber-security specialist. He is the founder of StickmanCyber, a business that helps companies mitigate their cyber-security risks.