Every day we talk with startup founders about small business cybersecurity. Although we'd love to speak with founders that spontaneously decided to "do more" about cybersecurity, our conversations usually start very differently than that.
Most often, there is a very specific and urgent cybersecurity-related need at hand. And an urgent call to our team for help thinking it through. We're happy to help -- not a problem! However, for the benefit of founders that haven't yet hit one of those moments, here's what folks a few steps ahead of you are running into. We're glad to help with these more proactively if you'd like, to save a hectic scramble later.
We'll try to rank these in approximate order of frequency (half art, half science -- some clients come to us for multiple reasons):
There are a lot of urgency drivers for a founding team to take a closer look at their security posture, and if this article were being written in late 2019, "Office Move" would have been waaaaay higher on the list of triggers. Since that time, it's dropped to #9 on the list as many startups have gone fully remote and had fewer "traditional office" cybersecurity concerns.
However, we're now seeing a wave of startups that previously occupied somewhat-luxurious offices that are deciding to keep some physical presence, but in a new location. Smart founders look at that type of change and see it as an opportunity to rid their offices of just about every type of in-office host that was storing any type of fileshare or other data. To the cloud they go!
We're glad to help with best practices associated with that type of transition.
Coming in at #8 on the list is something that just about all of us have been impacted by (even if we don't realize it). The dark web has become a haven for cyber criminals that trade or buy large databases of usernames, passwords, and other metadata from website breaches. They then use that information either to directly attempt to sign into those sites with the stolen credentials, or to use credential stuffing techniques that prey on users who foolishly use the same password on multiple sites.
Startups are notoriously chaotic in terms of the many websites that they rely on for various aspects of their operation, so it's very easy to get stuck in a spot where one or more employees have usernames/passwords sitting in a dark web database. Often the first hint is when some website sends an alert saying that a failed login has occurred -- and asking if it was indeed "you" trying to log in. Don't ignore those. That's a leading indicator that you may have credentials being traded on the dark web.
We're glad to help with some business-grade password manager policies and tools that make it easy to avoid the risks that happen when a cyber criminal begins a credential stuffing attack.
Remember that client that let you skate by on cybersecurity requirement when the initial "deal" was just a pilot project? When that contract comes back around for renewal, there is a very good chance that a more sophisticated process will unfold that includes a more serious evaluation of your cybersecurity practices. It also may include obligations for you to obtain cybersecurity insurance policies, and maybe even some compliance certifications.
Many times, savvy founders realize that they already have a "cheat sheet" of what to expect those additional requirements to be. We often see situations where a founder's initial attempt to sell services to an enterprise leads to a terrifying set of cybersecurity questions. And, founders often re-position their offering as a "pilot" to position themselves for lighter scrutiny, perhaps leading to a key client win that didn't require the full level of vetting that they would otherwise be subject to.
But, the clock is ticking. When that renewal comes up, you can bet that the full level of vetting will resurface -- and at that point your small business cybersecurity practices will be under the microscope. Save yourself some trouble and see if you have an archive of any security-related questions that arose in the initial attempt to sell the deal?
We're glad to help with any questions that you don't understand, or (worse) that you understand and know that you can't fulfill on your own.
Phishing attacks are getting absolutely brutal. Two of the biggest ones that startup founders encounter, are financial frauds occurring immediately after a publicly-disclosed fundraise, and scams targeting new employees that might not be fully attuned to the norms of the company.
When an employee falls victim to one of these, there is often no great way to recover the lost funds, but we can certainly help you improve your practices going forward to avoid a repeat of the incident. Recurring phishing simulation campaigns can help your team develop a 6th sense for suspicious emails.
Coming in at #5 on our list is one of the hottest small business cybersecurity topics is one that founders have trouble reconciling. If there are employees that are more than glad to use their own personal laptops for work, should the founder save precious capital by letting those employees work from their own laptop instead of a company-issued one?
Maybe. Will the laptops end up having access to restricted customer data? Proprietary code or intellectual property? Will the laptops be used in a hybrid capacity by the employees -- for example by a child who might download/install "weakly vetted" applications? Tread carefully.
If you allow BYOL, use training and policies to agree on what is and isn't acceptable in the context of your company. Many startups eventually decide to provide company-issued laptops -- and we're glad to help you set up device management capabilities to allow you to swiftly handle needs such as enforcing full-disk encryption and lockouts.
Almost all of our clients have been asked about SOC 2 by a client or partner. Initially, most of our clients are not in possession of an SOC 2 report containing a confidence-inducing unmodified opinion. So, they deftly assure their client/partner that they have compensating controls in place to mitigate some of the top small business cybersecurity concerns.
However, eventually most of our clients find themselves entering into agreements where there is either an explicit or implicit expectation that they will move towards a SOC 2 examination sooner than later. Sometimes founders even end up in a spot where they end up needing to make a commitment to provide a SOC 2 report by some specified future date.
Don't "go it alone" on this one -- you'll need help preparing, and you'll find that the examination will reveal some surprises where you'll need to make quick work of implementing a security control that you never imagined. We've got your back.
Is there a faster-growing small business cybersecurity trend than the move towards obtaining cybersecurity insurance? We doubt it. Good news: if you are getting cybersecurity insurance, you are making a smart move that could save your business in case of an incident. Bad news: you are going to be required to answer certain questions (often yes/no questions with no room to elaborate) about your security practices.
If you come up blank on an honest path towards answering "yes" to a question you encounter during the application process, we should definitely talk right away.
This item -- #2 on our list -- is one that will sneak up on you. Imagine that you are a startup founder who sells primarily on a B2C or DTC basis. You've probably avoided having any enterprise customers that require you to complete an elaborate enterprise security questionnaire! Good for you!
Here's where the sticking point happens: are you finding that you have an increasingly elaborate set of partners that are intertwined with your development, fulfillment, or marketing processes? If any of those entities are ones that come from regulated industries or large enterprises, you are very likely to get caught in the same security vetting process that B2B companies routinely encounter when selling to enterprises. Your partnership agreements are likely to (increasingly) come with an appendix or questionnaire or other language that requires you to take a step up in cybersecurity practices.
Here's the biggie. The #1 reason why founders call us in a panic. Imagine this:
A founder -- against all odds -- works tirelessly for months to get to a point where an enterprise client gives a verbal commitment to using their product/service. It's a win. A celebration. The sweet reward that is the culmination of months of effort. Or is it?
Almost every time, a verbal agreement with a decision maker in an enterprise organization is shortly followed by a formalized vendor onboarding process that includes a lengthy enterprise security questionnaire with items that startups are almost never prepared to answer without help.
If that happens to you, please be in touch with us right away. We love helping startups win their big deal by providing opinionated guidance about how to successfully fulfill enterprise security questionnaires.
If you get into any of these types of situations, we're here to help. Please don't hesitate to reach out.