How to tackle cyber security when you’re starting out in business

If you’re running a business today, then you’ll know that there are a number of risks out there that you need to navigate properly, and cyber security is no different.

It’s almost accepted that any business can get breached, and we can’t protect everything, nor should we necessarily be worried about every possible thing that can go wrong.

What we can do is identify and prioritise the key areas that are important or critical in order to minimise or transfer some of that risk through a cyber insurance policy.

Which businesses are most vulnerable to cyber-attacks?

Any business which primarily relies on digital technology will attract cyber risk.

This could include data-rich organisations like digital and marketing businesses which target users to collect data or fintech businesses that rely on technology to support business transactions.

So, if you know your business will be using any type of technology and would be impacted if someone were to turn it offline, steal it or compromise your data in any way, then ultimately, you’re vulnerable to cyber risk.

The ecosystem in which the business operates must also be considered.

If cyber risk isn’t important to you, it might be pertinent to your suppliers or business partners.

So, even if it doesn’t affect you, it may indirectly be relevant to your business interests.

Simply put, businesses can’t exist in the cyber world without having the proper level of protection.

Do online community groups and associations need to be cyber aware too?

Unfortunately, these organisations are a big target for cyber criminals because they’re an aggregator in the sense that they’re bringing together people into communities and sharing and storing data.

Companies following this business model should carefully consider the impact of cyber risk and put measures in place to increase confidence and trust in the network that is being built.

Such groups or associations are built on trust and if that trust gets broken at an early stage – because people are sharing information on a forum, and this leads to a virus – this can have huge consequences.

For example, a software developer forum was compromised in a ‘watering hole attack’, in which the site itself was seeded with malware so that every individual who visited the forum was impacted by the virus.

This is the main risk with having centralised communities where people come together to share information, as they become targets themselves.

These communities are inevitably building up value in their businesses through the connections and mappings between individuals, and this can be monetised.

But because much of this value is stored digitally, if companies don’t protect it in some way it could easily be lost through being copied or stolen.

As they build these platforms, companies need to think about copycat attacks, i.e. people stealing the business model and making it their own, or people in the community pulling out relevant information and using it to build their own community.

Further, if you’re thinking of building one of these environments to share information and pull people together, there’s an implied responsibility to do some level of governance over that community – especially in combatting the spread of hate speech and viruses.

How much should businesses spend on cyber security?

It’s ultimately a matter for each business individually as they’ve got to think about what needs to be protected in value terms.

Companies need to scrutinise their budgets and review their spending on cyber security each year as the value of data increases.

The spending must be linked to the value of the IP or potential loss experienced if that IP gets stolen.

What can businesses do to be cyber aware and cyber ready?

The first step is to understand the importance of cyber-security to your business, the risk implications of something going wrong and how much damage a cyber breach could cause to that business.

Once you’re aware that something needs to be done, you can really begin…

1. Start with a set of business risks and outcomes that cyber security could impact.

Document this on your cyber risk register.

This is something businesses should carry out about once a year as part of a general business risk assessment of which cyber-security is a part.

You should include a list of potential outcomes such as systems going down or data getting lost that will inevitably make the business uncomfortable.

2. Have your technical team convert the potential outcomes into practical steps.

This will help to build a security improvement plan or security strategy for the business which is aligned with the business risks.

The plan should articulate things that can be done to protect the business.

3. Implement solutions

On one level, that might include setting up a proper governance structure where you have monthly meetings on cyber-security and the progress you’re making.

You may also want to implement a security policy which governs the rules and security practices employees must follow.

You will also need to have backup processes and recovery plans in place, as well as incident response plans in the event of a cyber-attack or other security issue.

There’s also the technological aspect of cyber security.

Things like anti-virus and malware protection, firewalls, password protection including multi-factor authentication all offer some level of protection from hostiles on the internet while security monitoring will help alert you when an incident may be happening.

4. Revisit and review your cyber-security

Keeping up with your cyber-security will be an ongoing process.

As things improve and develop, ensure you always keep an eye on the latest cyber breaches in your industry and make sure you’re protected against them.

Also be aware of changing infrastructure; for example, the uptick in people working from home has meant businesses have had to quickly embrace remote access technologies.

But new trends and technologies are always emerging.

Finally, your cyber security has to be commensurate with where you are as a business.

Your security spend should be somewhat linked to the type of business you’re in and the risks that you’re facing and this needs to be refined over time as your business evolves and grows.

Where can a business go to get help or find the right tools for cyber security?

The best place to start is to look at the various security standards. Ireland’s National Cyber Security Centre (NCSC) 12 Steps to Cyber Security is an excellent place to start and goes through the most common measures and technologies that companies should have in place.

There’s also a really practical standard from the Center for Internet Security (CIS) called the CIS Benchmarks.

These cover 20 security controls which, if implemented, deal with 80% of your cyber-risk.

By using these checklists and these approaches, businesses can really get a head start.

Another way to deal with cyber security is by using partners and outsourcing security.

A lot of this technology is becoming more user friendly and cost effective for people to adopt.

There are also ‘plug-in and play’ options so you don’t have to try to do everything yourself.

Although it might cost slightly more, businesses can leave the more esoteric elements of security for the experts, leaving them free to focus on what’s really important to them.

What resources, solutions and tools are recommended to stay cyber safe?

There’s a whole host of tools out there…

1. The NCSC has great material to help businesses accelerate their security programmes and benchmark them against common standards, including the Top 12 steps to cyber security.

2. NIST.gov: the US government’s National Institute of Standards and Technology (NIST) has also produced some really good material which starts from a very high level. The NIST security framework provides more information for businesses to benchmark their cyber-security against.

3. CIS top 20 controls: 20 key security controls which aim to help address and reduce at least 80% of your risk.

For companies who want to delve into more detail…

1. ISO 27001 standard

For some more heavy lifting with regard to security controls there’s the ISO 27001 standard.

This is a security management standard known around the world as a really good set of practices for companies that want to get ahead and demonstrate very effective security compliance.

2. Payment Card Industry Data Security Standard (PCI DSS)

The PCI DSS is a very specific control set for those handling credit cards, such as card processors, retailers and e-commerce providers.

This control set is very prescriptive, meaning if you want to know what specific length of password you should be using, how often you should be doing penetration tests or what type of intrusion detection you should be implementing, they offer very strict guidelines and rules one must apply.

3. Data Protection Commission (DPC)

The DPC provides lots of good resources for data protection which includes some standards, guidelines and checklists.

4. ENISA (the EU Agency for Cybersecurity)

ENISA provides good security controls and standards we can use as a reference point.

Looking for more detailed guidance?

The cyber security vendor landscape is huge, and each vendor will be able to provide details on why their product or solution is the best.

Meanwhile, many of the technologies that companies are embracing nowadays, such as cloud services provided by Amazon, Microsoft and Google have security solutions built in.

When using these products and services, though, it’s important to know where your responsibility begins and where the provider’s ends.

You may have to buy it, turn it on and know how to use it, but ultimately, using these tools means you don’t have to start from scratch and solve these problems yourself.

For things like securing websites, protecting data, sharing data securely and sharing emails, there are already solutions out there.

How should we review and adapt our cyber-security over time?

As we’ve mentioned, cyber-risk and your security needs will evolve over time.

For startups, it’s often not cost effective to implement full blown cyber security measures before the business has actually taken off.

Cyber security experts use ‘maturity models’ to assess the maturity of an initial or ad-hoc process and ultimately get it to a place where it becomes optimised and fully managed.

For example, most businesses when they’re starting out will have staff coming on board, so they’ll need to have a minimum set of security requirements such as a basic security policy.

But this is only a starting point, and you will need to flesh this out over time to include other basic security controls such as anti-virus software, firewalls or VPNs.

Similarly, when setting up your business systems such as e-mail, providers will usually offer various packages and different licences that you can then scale up over time.

Making sure you have the right package that fits within budget and security requirements is really important and should be reviewed regularly.

Think about where you want your business to be in the next 3 months, 6 months, 12 months and make a note of all the big events which could trigger a step-up in security.

If you’re not processing or handling customer data today, then it might not actually be necessary to implement protections around that, but you should make a note to do so when you reach that point in the business.

If you’re in a regulated industry such as financial services or fintech, at some point you’ll need to apply for regulatory approval and if you don’t have the basic levels of security in place that the regulators are mandating, you won’t get your licence.

These are key trigger points to plan for in advance.

When do you want to apply for your licence?

What do you need to do to get it?

Choosing third party providers

Our advice to all businesses is to choose third party providers of products and services very wisely; this is something you can use to your own advantage when you’re starting out.

For example, by working with a hosting provider who has ISO 27001 security compliance, you’ll know you’re also complying with that standard.

Because the third party has invested in the security of their product, you can leverage this island of security and use it as a springboard towards your own cyber-security regime.

The business ecosystem

It’s also important to look at the whole ecosystem and to consider the security expectations of your customers, third parties and peers.

Think about what they expect of you and when, because if you don’t match these expectations at the right time, you won’t be able to connect with them and they won’t want to do business with you.

So, it’s important to work out the points at which you’ll need to step up and prepare before you engage with stakeholders.

The environment the business is in will help to dictate how much security is needed – and at what stage – depending on what’s happening in the wider world.

It’s a marathon…

As discussed, your security and improvements are an ongoing journey, more like a marathon (or multiple marathons) than a sprint.

So, establishing a reasonable cadence for reviewing the security policy, risks and your responses to them is something that should form part of your overall business strategy.

Who should be responsible for cyber security in your business?

Everyone inside the business at some point needs to be responsible and accountable for security, but it’s up to the owners of the business to be the driving force for a strong culture of security that goes to the heart of the organisation.

All too often, responsibility for cyber-security ends up in the hands of the IT organisation.

This might appear to be the obvious place to start when it comes to making your technology secure; in reality, it extends much wider than that.

This is why it’s important that there’s a strong link between the senior management, the board and the technology to make sure that security is adequately covered. 