Corporate information security, part 5 — Should startups pay for information security?
"Our financing is on hold and we need to keep pushing added value. Who has time for information security anyway?", say many startup entrepreneurs. Since you can't bolt information security onto a product after the fact, what is the right time for a startup to pay for it? And does information security provide added value of its own?
Five reasons to pay for information security
Even if your business is small it still generates revenue, pays bills, and can have intellectual capital or customer data that could attract the interest of cybercriminals. Many attacks are also purely opportunistic, and anyone could be targeted. That’s why I have listed five reasons why startups should take an interest in information security too.
1. For the customers.
Do you want to attract big companies as customers? Their own customers, the security certifications they hold, or the legislation that applies to them may require a certain level of information security from every supplier, and your company becomes an unacceptable risk if you don't live up to it. Studies have shown that consumers are interested in information security (link in Finnish) and data protection too.
2. For the potential losses.
Investigating a data breach, repairing the damage, reinstalling everything and dealing with the authorities all take time that you could have spent on serving your customers and making money. Finding out the cause and extent of a data breach also costs money because it usually requires the help of specialists.
3. For your reputation.
4. You can be targeted by coincidence.
Cybercriminals use tools such as the Shodan search engine to look for vulnerable information systems to target with ransomware or other cyber attacks, so a data breach can be caused simply by an unpatched vulnerability in the operating system or a third-party library. Almost anyone who uses email can be targeted by phishing.
5. Due to the company's profit potential and market value.
Is your goal a lucrative exit? If your product is riddled with technical information security debt and vulnerabilities, buyers may think it is too expensive to fix. If your startup’s data protection has also been neglected, a potential buyer can smell trouble down the line, as happened with the Marriott hotel chain: A couple of years after buying the Starwood hotel chain, Marriott discovered that Starwood had been the target of a data breach in the past. Marriott was saddled with years of investigation work and a hefty fine.
Which aspect of information security should I invest in?
Information security is a broad concept encompassing technology, processes, and human activity. Which aspect should a startup invest in first? Should I put my money on the firewall or the recovery plan?
According to Matt Shealy, investing in information security awareness and an information security culture among your employees is one of the first things you should do. This makes sense: employees who are informed about information security are able to recognise phishing and social engineering, and developers who know the common weakness classes write fewer of them into the code in the first place, which is far cheaper than fixing them later.
Information security awareness also covers the assessment of information security threats and the level of risk involved. Michael Graham urges you to think about how much money your company could lose if you mismanage your business or the security of your customer data. You should take care to avoid logical errors in your risk assessments as it’s all too easy to underestimate risk, especially if you are operating on a small budget and have no first-hand experience of information security problems.
The basis of a startup's information security is formed by secure workstations, secure ways of sharing data (for example through cloud services), access management, and strong authentication (such as multi-factor authentication) for anyone who processes important data. When you start to have more systems or employees, it pays to enhance your information security monitoring with measures such as automatic alerts on suspicious login attempts or unusual server events. Even if you outsource your security monitoring, someone from your company should always be available and able to react to alerts if required.
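As an added example of the kind of automatic alert mentioned above (this is not code from the original post, and not any particular monitoring product's logic), the script below runs over a few constructed sshd-style authentication log lines and raises an alert when one source address produces a burst of failed logins within a short window, and a second alert when a successful login follows such a burst. The hostnames, usernames and addresses are made up; the year passed to the parser is an assumption, because syslog timestamps carry none.

```python
"""Brute-force login detection over sshd-style auth log lines.

Added example for this post, not code from the original article. The log
lines below are constructed; they imitate OpenSSH's "Failed password for"
and "Accepted password/publickey for" messages, but every host, user and
address is made up.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: three failures in quick succession from one address,
# then a success from the same address; a lone failure from elsewhere.
SAMPLE_LOG = """\
Mar 10 08:01:10 build01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Mar 10 08:01:12 build01 sshd[1202]: Failed password for root from 203.0.113.7 port 50212 ssh2
Mar 10 08:01:15 build01 sshd[1203]: Failed password for root from 203.0.113.7 port 50213 ssh2
Mar 10 08:01:20 build01 sshd[1204]: Accepted password for deploy from 203.0.113.7 port 50214 ssh2
Mar 10 08:15:00 build01 sshd[1250]: Failed password for deploy from 198.51.100.4 port 40001 ssh2
Mar 10 09:30:00 build01 sshd[1300]: Accepted publickey for deploy from 192.0.2.10 port 40100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Parse one auth log line; return None for lines we do not understand.
    The year is an assumption: syslog timestamps do not carry one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted",
            "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold=3, window=timedelta(minutes=5)):
    """Return a list of (kind, source_ip, detail) alerts.

    Keeps a sliding window of failure timestamps per source address.
    'brute_force' fires once per address when the window holds at least
    `threshold` failures; 'success_after_failures' fires when a login
    succeeds while failures are still in that address's window, which is
    the case a human should look at first.
    """
    failures = defaultdict(deque)   # source ip -> recent failure timestamps
    alerted = set()
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        q = failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:   # expire old failures
            q.popleft()
        if ev["ok"]:
            if q:
                alerts.append(("success_after_failures", ev["ip"],
                               f"user={ev['user']} failures={len(q)}"))
            continue
        q.append(ev["ts"])
        if len(q) >= threshold and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            alerts.append(("brute_force", ev["ip"],
                           f"{len(q)} failures within {window}"))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT {kind} from {ip}: {detail}")
```

In a real deployment the same function would be fed from the log shipper or SIEM rather than a string, and the threshold and window would be tuned against your own baseline; the point is that a few dozen lines already give you an alert that someone has to be on call to answer.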
If your company is in the software development business, you should never overlook your product’s information security. It’s natural that information security may not be the first thing on the agenda if you’re not even sure whether your business idea is going to take off in the first place. However, you should be aware that adding information security to your product at a later stage will not be easy because redesigning your system could mean doubling the work. Potential investors or buyers are not interested in software that is technologically so weak that its code needs to be rewritten.
You can improve the information security of your software development with measures such as scanning open-source libraries for known vulnerabilities and using static code analysis tools to spot weaknesses in your own code. There are open-source tools available for both purposes, which limits your costs to integrating the tools into your development pipeline and verifying the results. Light threat modeling for user stories, i.e., thinking about what can go wrong and what you could do about it, is also a useful way to detect problems, especially those related to architecture and processes, before going forward with implementation. The least you can do is document the shortcuts you took and the weaknesses you identified, even if there's nothing you can do about them right now. This gives you a realistic picture of your current level of information security so that you can improve it later on.
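To show what the dependency scan described above actually does inside a pipeline, here is an added example (not the post's own code, and not the logic of any particular scanner): it reads a constructed requirements file, compares each pinned version against a constructed advisory list with introduced/fixed version ranges, and reports three buckets. The advisory entries and their identifiers are invented for illustration; a real scanner would pull them from an advisory database, and the assumption here is that you would swap the `ADVISORIES` list for that data. The edge case worth noticing is the unpinned dependency: the tool cannot assess it, so it says so instead of silently reporting it clean.

```python
"""Offline dependency check against a list of vulnerable version ranges.

Added example for this post; not code from the original article nor from
any real scanner. REQUIREMENTS and ADVISORIES are constructed, and the
advisory identifiers are placeholders, not real CVE or GHSA numbers.
"""
import re
import sys

REQUIREMENTS = """\
# constructed requirements.txt for the example
requests==2.19.1
pyyaml==5.3.1
flask>=1.0          # unpinned: cannot be assessed
jinja2==3.1.4
"""

# Constructed advisories: (package, introduced, fixed, placeholder id).
# A version is affected when introduced <= version < fixed.
ADVISORIES = [
    ("requests", "0", "2.20.0", "EXAMPLE-0001"),
    ("pyyaml", "0", "5.4", "EXAMPLE-0002"),
    ("jinja2", "0", "3.1.3", "EXAMPLE-0003"),
]

PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|>|<)\s*([0-9][0-9A-Za-z.]*)$")


def parse_version(v):
    """'5.3.1' -> (5, 3, 1). Non-numeric suffixes such as 'rc1' are ignored,
    which is good enough for release pins; a real tool would use PEP 440."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_lt(a, b):
    """Compare version tuples of different lengths by zero-padding."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def parse_requirements(text):
    """Yield (name, operator, version); operator is None for lines we cannot pin."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            yield line.lower(), None, None
            continue
        name, op, ver = m.groups()
        yield name.lower(), op, ver


def check(requirements_text, advisories):
    """Return {'vulnerable': [(name, version, [ids])], 'unassessable': [names], 'clean': [names]}."""
    result = {"vulnerable": [], "unassessable": [], "clean": []}
    for name, op, ver in parse_requirements(requirements_text):
        if op != "==":
            # Ranges and unpinned entries resolve at install time; the scan
            # cannot know which version will land, so report that honestly.
            result["unassessable"].append(name)
            continue
        v = parse_version(ver)
        hits = [adv_id for pkg, introduced, fixed, adv_id in advisories
                if pkg == name
                and not version_lt(v, parse_version(introduced))
                and version_lt(v, parse_version(fixed))]
        if hits:
            result["vulnerable"].append((name, ver, hits))
        else:
            result["clean"].append(name)
    return result


if __name__ == "__main__":
    report = check(REQUIREMENTS, ADVISORIES)
    for name, ver, ids in report["vulnerable"]:
        print(f"VULNERABLE {name}=={ver}: {', '.join(ids)}")
    for name in report["unassessable"]:
        print(f"UNASSESSABLE {name}: pin the version so it can be scanned")
    # Non-zero exit is what makes the pipeline stop on findings.
    sys.exit(1 if report["vulnerable"] else 0)
```

The non-zero exit status is the integration point: run this (or the real scanner it stands in for) as a pipeline step and a new finding blocks the merge until someone either upgrades the library or records the accepted risk in the shortcut log described above.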
Securing your source code, intellectual capital and development environments is also important. You will have a hard time creating added value for customers if your build server has been breached, your cloud resources are being used for crypto mining, or your business plans ended up in public distribution by accident.
Who is responsible for information security in a company of three?
Startups often have only a handful of employees, so hiring a full-time information security expert is unlikely to be a realistic proposition, unless you happen to be in the information security business. Jobs such as financial administration, risk management, sales or marketing are often done part-time by particular individuals, and that is what you should do with information security too. In her article, Tarah Wheeler gives the example of a ten-person company where one employee handles IT with a quarter of their time allotted to information security. It's important to make sure that such part-time duties are actually carried out, or you will have no one looking after your information security.
Wheeler suggests bundling information security risk management with the company's other risk management functions. This does not mean, however, that the other employees' expertise should go untapped when you make risk assessments.
In the early days, it will be useful to have an information security "generalist" who knows something about all aspects of information security: securing your company's technologies and services, endpoint security, your company's threat landscape, as well as administrative information security. It is sensible to outsource specialist expertise, such as information security monitoring and testing, and only consider recruiting in-house specialists as the company grows. Responsibility cannot be outsourced, however, as management is ultimately accountable for the consequences of any information security problems.
This blog post is part of a series on information security and awareness. The previous instalment discussed protecting yourself against cyber-attacks and testing your safeguards. Links to all of the posts are given below.