Every company has valuable assets vulnerable to hackers. The size or stage of the company doesn't matter. All companies bear some degree of cybersecurity risk. Implementing a documented security program should be as foundational a task as devising your business model. Yet too many small companies don't take serious steps to harden their assets against a cyberattack. We hear a consistent set of reasons from entrepreneurs and CEOs that hold them back.
Security isn't their area of expertise: Cybersecurity is a complicated, wide-ranging field. Unless you're starting a cybersecurity company, there's no reason why it should be your area of expertise. Accounting and legal compliance aren't likely your areas of expertise either, but you still make sure your business has access to resources that are.
An effective security program doesn't happen on the fly; it requires expertise. The ability to assess the nature and scope of your company's risks and vulnerabilities clearly is imperative. It also requires deep knowledge to survey the broad range of policies, practices, and tools available to mitigate those risks. Consequently, lack of cybersecurity expertise is often paired with the next two common reasons companies avoid dealing with cybersecurity.
Security is overwhelming: Feeling overwhelmed by the scope of cyber risks and means to protect against them is understandable. The landscape of cybersecurity risks and protective practices is constantly expanding and evolving. New threats and vulnerabilities arise every day. New standards, tools, and practices to counteract them change too. A practice that provides solid defense one day may be insufficient the next in the face of a new threat. You also need to regularly reassess your company's security posture and risks as it grows.
Security is costly: Staying on top of emerging threats and best defensive practices is literally a full-time job. Few small companies and startups have the resources to hire in-house experts to take responsibility for building a documented security program and overseeing its execution. Fortunately, like accounting and legal, you can partner with external experts to manage your cybersecurity.
Security isn’t a top priority: Most new companies, especially startups, have other priorities that they deem more important than creating a security program, like achieving a minimum viable product (MVP). Or growing customer count or revenue. The focus is on gaining traction and building the business before investing energy and resources into cybersecurity.
We are too small to be an attractive target: You may think you can get away with pushing cybersecurity needs farther down the road because you're too small to be a target of cybercriminals. You're not. Small companies are very much on the radar of bad actors exactly because of their size. Hackers assume that small companies have weaker security and fewer resources to respond to an attack. They trade a smaller pot for an easier target.
Trends in cybercrime bear out the growing popularity of targeting smaller companies. Verizon's "2020 Data Breach Investigations Report" reports that small business now make up 28% of all data breaches. The popular vectors cybercriminals used in 2020 to compromise small companies are email communications, mobile devices, and social media accounts. All basic technology that every small company uses.
5 EVEN BETTER REASONS WHY YOU NEED TO GET A CYBERSECURITY PROGRAM STARTED EARLY
It is never too early to start planning and documenting a security program. The earlier you do, the greater the benefits your company will realize. Get a quick jump with this checklist of 21 things you can do easily to improve your company's cybersecurity posture.
The checklist is a valuable place to start, but it's not a substitute for planning and implementing a formal security program. Here are five reasons why you want start building security into your business as early as possible.
Avoid the costs of accepting the risk: Not having a cybersecurity program is its own sort of plan. It means you've set your risk tolerance to 100%. Your company accepts the full risks of not having any cybersecurity. This approach brings with it high costs, even if your company doesn't suffer a cyber event.
First, you're growing your technical debt. The concept of "technical debt" comes from the software development world. It's the idea that a company starts accruing delayed costs when it doesn't implement a timely solution. Early implementation generally results in achieving a simpler, less costly solution. The longer a solution gets postponed, the more expensive and complicated the solution will be once it is implemented. And complicated solutions are rarely the most effective solution. Starting with even a small security program that you continually build on minimizes your technical debt.
The second cost is the opportunity costs your company incurs by not meeting vendor standards of larger clients. The RFP process from large companies will inevitably include a section where your company will have to outline its security program. These companies won't contract with companies that either have no documented security program or have one that's insufficiently mature to meet its standards.
Eliminates the false confidence of ad hoc security: Some smaller companies take an ad hoc approach to their security. You issue an IT security policy to employees to use complex passwords. You install anti-malware on the company network, computers, and devices. You instruct employees to do the same with devices they use to connect to your network. While it may not feel that way, if these IT security policies aren't part of a documented program with formal oversight, they're not necessarily better than having no plan at all. They can provide a false confidence that your company's assets are secure when an ad hoc, self-regulating approach often creates a variety of vulnerabilities.
Provides solid foundation to build a more mature security program as your company grows: Every company has assets. Some are incredibly important to the success and future of the company. Others aren’t. We recommend you prioritize your most valuable assets. The process of identifying your high priority assets, assessing their vulnerabilities, and the level of risk you're willing to accept becomes the kernel around which you can expand your cybersecurity. You'll start answering vital questions about how to secure you want them and making security decisions that have broad application. Hardening your top priority targets first simplifies the expansion of your cybersecurity program. Going through this process early also embeds cybersecurity into your company's architecture and culture.
Allows you to respond confidently and thoroughly to RFPs from larger companies: Growing your company involves attracting bigger companies and contracts. These companies want to understand how you'll protect their data and their customers' data. If you haven't been documenting your security program, it will be difficult to prepare thorough and timely responses to the RFP security questionnaires. Building a security program early includes developing necessary documentation, allowing for quick, comprehensive responses.
Increasingly, the larger organizations want to see how your security program aligns with a specific security standard. We find most companies can start building their security program around NIST 800-53, a widely used security standard that provides a useful framework for maturing your program. We recently wrote a guide to the most common security standards that can help build a general framework for your company.
Provides opportunity to game plan your company's response: To quote Mike Tyson, "Everyone has a plan until they get punched in the mouth." A critical piece to your security program is your response plan in case of a cyber event. When you develop your response plan, you'll think about how to gauge event severity and decide which types of events need escalation. You'll determine who the decision-makers are to formulate both action and communication responses. You do not want to test your response plan during a live event. Having a security program in place early gives you chances to test your security program and your response plan.
PROTECT YOUR COMPANY TO GROW YOUR COMPANY
Cybersecurity is an operational necessity. The risks of a cyberattack—including losses that are both financial and reputational—are high, and small companies and start-ups are the most affected by such losses.
Assembling an effective security plan isn’t an on/off switch. You don’t need to go from zero to 100 mph in an instant. Nor do you need to do it alone. Compliance management software and resources, like securityprogram.io, provide expertise and support so you can get started with an efficient security plan that you can broaden gradually to support your growing business.