How early-stage startups can approach cyber security from day one
Security isn’t a nice-to-have. It’s critical to businesses today, and recognising and acting on threats quickly is a sign of operational efficiency. How can early-stage (and cash-strapped) startups embed cyber security best practices in their businesses from day dot? In this article, we hear from Ben King, Manager of Application Modernisation for JAPAC at Google Cloud, on how early-stage startups should approach security – with actionable insights that startups can implement today.
In the early stages of building a company, founding teams have a lot to prioritise when it comes to where they put their resources. I wouldn’t be surprised if security doesn’t always rank high on that list unless you’re operating in regulated or at-risk industries like healthcare and finance.
Regardless of industry and size of your company, it’s still important to prioritise cyber security in order to protect your business, customers and partners. There are a number of approaches you can take to secure and protect your startup from its earliest days.
Ultimately, security isn’t about reducing risk to zero. It’s about continuously rebalancing risk as your startup grows, and embedding cyber best practices and responsibility across the full team.
The rise of breaches
Cyber attacks come in many forms, including crypto mining, exploitation of misconfiguration, data theft and leakage, credential abuse and ransomware – just to name a few.
In Australia, we’re facing a widening cybersecurity talent gap, with not enough skilled professionals to help prevent or manage cyber attacks as and when they occur.
In addition, the pandemic accelerated companies’ digital transformation plans and led to distributed workforces, which has increased organisations’ vulnerability to cyberattacks, and therefore exacerbated shortages.
In light of these challenges, there are several steps that startups can take to protect themselves, depending on how much they decide to budget for their business’s security and where they are at in their startup’s lifespan.
Establish a good software engineering culture
Attacks can happen as quickly as 2.5 minutes, and are often automated by bots. By taking a proactive approach and setting up alerts for wherever something happens, you can respond just as quickly or at least be made aware.
One of the biggest challenges for anyone writing software now is that developers reuse code by importing libraries, or packages. Vulnerabilities can be in any of that code. Good software engineering culture is about having a software engineering mindset over a developer mindset. Anyone can develop software, but software engineering is about ensuring that software will be able to run effectively in 10+ years. This involves incorporating cloud-native security design patterns to create platforms and systems that are secure-by-design for the cloud and establishing frameworks to ensure a startup’s team is developing and continuously validating its security, governance and compliance posture.
What can you do – and when?
You don't need to stop every bad thing from happening – in fact, trying to do so will slow down your ability to move fast. You should, however, empower your engineers with enough detection capability and ownership across the full team so people can notify them of perceived threats or attacks so that they can react in real-time.
When you’re seed or early stage, be mindful of having too many security measures that will bog you down and instead focus on the stuff that matters at this early stage – odds are that no one is actively targeting you yet. Set yourself up with the key stuff and then get back to building your business:
The above practices are a good starting point, particularly for early-stage startups where a lot of the onus lies on the founder(s) to create a secure company. When startups reach the Series B stage or about 100+ employees, it’s fair to consider bringing on additional security support, whether a consultant or a full-time hire.
It’s important to remember that security is everybody's responsibility, not just the technical team’s. While technical leads should adapt processes to enable the transformation of security and governance for the cloud, it’s the full team’s responsibility to contribute to the businesses' protection as it scales.
Subscribe to our newsletter for updates delivered directly to your inbox.