Cyber Security and Data Privacy 101 for Early Stage Founders
When well-known companies have security breaches, particularly when it affects their customers, it dominates headlines. As a result of their 2013 attack, Target lost nearly $300 million.1 Uber settled their 2016 data breach investigation for $148 million.2 These large companies are an obvious target with tens of millions of users.
However, the reality is any size company can fall victim to hackers. In fact, some hackers prefer smaller and newer businesses, because they are easier targets with less security. As VP of Business Development at cloud security company Avanan Michael Landewe puts it, “If you make money, someone will abuse weak security practices to take that money.”
Cyber security can feel unnecessary when you’re getting started but building a strong foundation can save you a lot of time, money, and frustration. It’s easy to ignore a threat that you can’t see. Lytical Ventures partner Lucas Nelson says a mistake he often sees is startups treat cyber security like other “technical debt” – where you create a quick and dirty solution for a quick win. The problem with security is the damage can be irreversible or too costly.
Think of it like dental hygiene. You could probably get away with ignoring it for a while, use gum and mints to fool people, but eventually you’ll have to deal with a bigger, more painful, more costly problem like a root canal – or even complete replacement of the teeth. The last thing you want is to be rewriting your product for security when you should be rewriting for scale.
Every company with customers should care about data privacy – also known as information privacy. Though the term “data privacy” is new, the concept has been around for a long time. Think about doctor/patient confidentiality or attorney/client privileges. You should protect your customer’s private information – even if it’s just their email address – like it’s your own.
Beyond ethical reasons, it’s just good business sense. Repeat business costs less than customer acquisition, and one easy way to lose a customer’s trust is compromising the privacy of their personal information. Additionally, the ability to share or sell information is becoming increasingly illegal and can be costly for your business. Target can afford hundreds of millions of dollars in settlements, most startups can’t. There are also regulations that to be considered. The new GDPR rules have fines based on your revenue (vs. profit), which could also devastate a startup.
“Every company is becoming a technology company.” It’s been said so much, we can’t even find the original source. While there still may be some artisans or mom and pop shops that deal only in cash and track their transactions with pencil and paper, every startup with venture scale potential is operating with technology. Cyber security describes the measures taken to protect your data from criminal or unauthorized use.
On top of your customer’s data, you need to protect your intellectual property. Whether you’re inventing new technology or simply building an app for your users to access your product or service, you want to ensure your IP isn’t compromised. Encrypt everything from the beginning and don’t take short cuts that could come back to haunt you later.
If this feels foreign to you, then you are not the person to take charge of your startup’s cyber security and data privacy needs. Consider bringing in a technical co-founder or hiring an expert to make sure your company is safe from threats. In the meantime, here are some quick tips to get you started:
- Passwords – Whether it’s for your team or your customers, require strong passwords – length and variation (numbers, letters, and characters) being the key factors. Also, don’t store all your business account passwords in a spreadsheet on someone’s computer. Consider multi-factor authentication instead.
- Phishing Scams – According to Wombat Security’s 2019 State of the Phish report, 83% of organizations have suffered phishing scams. This is when hackers try to get your login information by using the identity of a trusted source. Educating your staff on how to spot these scams can prevent most of them.
- Encryption – Especially now that we’re a mobile workforce, encrypting passwords and other data is becoming the norm. Hackers may still be able to access your data, but with encryption, they won’t be able to read it.
- Hire a professional – Seriously, this is not an area of your business to “fake it until you make it.”
If you’re not confident in the status of your security, don’t wait to address it. When asked what the biggest mistake a startup can make regarding their cyber security Landewe said, “Putting it off another day, because they think they’re too small or that their customers won’t care.” Your customers care and you are not too small – secure your startup from cyber threats today.
OWASP Top Ten (broad consensus about the most critical security risks to web applications)
Dark Reading (hacker blog)
Questions or Comments? Reach out to EGFS
Follow Us: @EarlyGrowthFS