Building good security habits in a business that doesn’t start out with them is incredibly difficult to do. As a startup, however, you have a unique opportunity to build basic cybersecurity measures into the very foundation of your company.
Trust us when we tell you, you’ll be much better off learning the ropes at the beginning than attempting to implement complex cybersecurity policies into a mature business, or worse yet, while you’re experiencing an incident. Getting on top of security from the start will lead to a more secure organization as you grow, and translate to far fewer bad habits to break down the road.
1. Remove Local Admin Rights
Did you know that 1,268 Microsoft vulnerabilities were discovered in 2020? While that statistic is cause for concern, the news isn’t all bad: 56% of those vulnerabilities could be eliminated simply by removing local admin rights from users.
Enforcing least privilege (that is, removing any permission a user doesn’t need, local admin rights included) is something we put a lot of importance on at FRSecure for this very reason. In an environment where admin privileges are not controlled, attackers can far too easily gain access to networks and sensitive information.
Users who hold local admin rights can also change or disable organizational protections such as antivirus, the firewall, and disk encryption. Even when there are no bad intentions, it’s always best to leave those configurations to the IT department and ensure that they remain in place throughout the life of each employee device.
If there’s anything a business should do from day one, it’s disable admin rights and adopt a least privilege approach to security.
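As an added example (not code from the FRSecure article), the PowerShell below audits a Windows machine’s local Administrators group against an approved list and reports, or optionally removes, anything else; the approved list and the CONTOSO group name are constructed sample values.

```powershell
# Added example (not from the FRSecure article): report every member of the local
# Administrators group that is not on an approved list, and optionally remove it.
# Assumes Windows 10 / Server 2016+ (Microsoft.PowerShell.LocalAccounts module)
# and an elevated PowerShell session. The approved list below is a constructed sample.
function Test-LocalAdminMembership {
    param(
        [string[]]$Approved,
        [switch]$Remove      # without this switch the function only reports
    )
    $members = Get-LocalGroupMember -Group "Administrators"
    # -notcontains is case-insensitive, so "host\administrator" still matches the list
    $unexpected = @($members | Where-Object { $Approved -notcontains $_.Name })

    foreach ($m in $unexpected) {
        # PrincipalSource says whether this is a Local, ActiveDirectory, AzureAD or
        # MicrosoftAccount principal, which decides who owns the clean-up.
        Write-Output ("FINDING: {0} ({1}, source {2}) holds local admin on {3}" -f $m.Name, $m.ObjectClass, $m.PrincipalSource, $env:COMPUTERNAME)
        if ($Remove) {
            Remove-LocalGroupMember -Group "Administrators" -Member $m.Name
            Write-Output ("Removed {0} from Administrators" -f $m.Name)
        }
    }
    if ($unexpected.Count -eq 0) {
        Write-Output "OK: only approved principals hold local admin on $env:COMPUTERNAME"
    }
    return $unexpected.Count   # number of findings, usable as an exit/alert signal
}

# Constructed allow-list: the built-in local account (ideally disabled or LAPS-managed)
# and one domain group for IT staff; every other member is a finding.
$approved = @(
    "$env:COMPUTERNAME\Administrator",
    "CONTOSO\IT-Workstation-Admins"
)
Test-LocalAdminMembership -Approved $approved            # audit only
# Test-LocalAdminMembership -Approved $approved -Remove  # enforce once findings are reviewed
```

Run it in report mode first across a pilot group of devices, then switch on -Remove only after the findings have been reviewed with the device owners.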
2. Asset Management
Speaking of basic cybersecurity measures that every business can and should implement, asset management is critical to building a strong cybersecurity foundation.
Establishing control of all hardware, software, applications, and information used by an organization is key. After all, you can’t secure what you don’t know you have. Keeping an accurate inventory of everything that has access to your business network or information, and of exactly what is on those devices, is essential both for controlling a company’s level of risk and for identifying what went wrong, and where, in the event of a breach.
To put it simply: You don’t want to be finding out about a mystery device on your network AFTER a security event has already taken place.
The best way to manage the assets accessing your information is to implement an asset management policy. You can use our free template as a jumping-off point or draft your own. Regardless of the policy or plan you implement, the important thing is coming up with a solution where you know what’s going on and which devices need to be secured.
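To show what a minimal per-device inventory record can look like in practice, here is an added example (not code from the FRSecure article or its policy template) that collects a Windows machine’s identity, OS and installed software and writes it as one CSV row for merging into a central inventory; the output path is a constructed placeholder.

```powershell
# Added example (not from the FRSecure article): collect a minimal asset record for
# this Windows device (identity, OS, installed software) and write it as a CSV row.
# Assumes Windows PowerShell 5.1 or later; $OutFile is a constructed example path.
param([string]$OutFile = "C:\Inventory\$($env:COMPUTERNAME).csv")

$cs   = Get-CimInstance Win32_ComputerSystem
$bios = Get-CimInstance Win32_BIOS
$os   = Get-CimInstance Win32_OperatingSystem

# Installed software comes from the registry Uninstall keys (64- and 32-bit views),
# which is faster and has no side effects, unlike querying Win32_Product.
$uninstallKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
)
$software = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Sort-Object DisplayName -Unique |
    ForEach-Object { "{0} {1}" -f $_.DisplayName, $_.DisplayVersion })

# One row per device; the software list is joined so it fits a single CSV cell.
$record = [pscustomobject]@{
    Hostname      = $env:COMPUTERNAME
    Manufacturer  = $cs.Manufacturer
    Model         = $cs.Model
    SerialNumber  = $bios.SerialNumber
    OS            = "$($os.Caption) $($os.Version)"
    LastLogonUser = $cs.UserName
    LastCollected = (Get-Date).ToString("o")
    SoftwareCount = $software.Count
    Software      = ($software -join "; ")
}

New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
$record | Export-Csv -Path $OutFile -NoTypeInformation
$record | Select-Object Hostname, SerialNumber, OS, SoftwareCount   # quick on-screen summary
```

Comparing the SerialNumber column of the merged CSV against what your switch, VPN or MDM logs see on the network is the fastest way to spot the “mystery device” before an incident does.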
3. Get in the Habit of Classifying Documents
Classifying your business’s documents may not seem like a high-priority task, but it’s very important to understand what data needs to be protected. Keeping paperwork organized helps prevent sensitive items from being compromised along with things that are generally kept less secure.
Law firms already do this well because they must: managing case documents properly is mandatory for legal reasons such as client confidentiality. However, no one gets a pass on organizing documents correctly, regardless of the industry you’re in!
Think about all of the documents your business has on hand and try to imagine what harm they could do to the organization, clients, or employees if they were leaked to the public. While securing every bit of data is of course the ultimate goal, you can break your documents into classes to prioritize your most sensitive data.
The documents you’ll be dealing with should fall into three distinct categories.
Confidential
These documents are things like HR paperwork, financial information, or contract details that could do serious harm to your organization if they were to get out. They will be the first thing that you’ll want to safeguard.
Internal
Internal items are things like your employee directory—information that could be disclosed with approval, but not necessarily critical in the bigger picture. If this kind of information were released, it may be embarrassing but not wholly damaging.
Public
It should go without saying that information which is already public knowledge belongs at the bottom of the priority list when it comes to protecting your company’s data. Public documents tend to be things like job listings or general business information that does not include any sensitive material whatsoever.
4. Double Check Compliance Requirements
Compliance is more of a necessity than a basic cybersecurity measure, but it is something that startups should absolutely keep in mind. Depending on the industry your company is a part of, there may be security compliance requirements such as HIPAA/OCR for healthcare companies, SOC 2, etc., that you can’t, or at the very least shouldn’t, proceed without.
One case that FRSecure witnessed involved a support claims service company that needed to have SOC 2 Type 2 compliance in place but had not implemented it yet. The company in question had not kept up with the proper documentation that was required, and as a result, could not achieve the required compliance in time. This resulted in 20 employees being laid off, and the company missing out on a $600k contract.
Another similar instance our team has seen was a nursing home software company that needed to show, through a risk assessment, that requirements were met before the contract would be signed.
The moral of the story is: Clients can and will suspend contracts if proper documentation is not in place or security compliance is not met.
Here’s what you need to do as a startup to avoid any compliance issues down the line:
- Be aware of any mandatory compliance regulations for your company and industry.
- Keep security requirements in mind from the ground up as you’re building a company.
- Know your target market and what the best practices are.
- Do your research, and plan on costs for things like penetration testing, risk assessments, etc., especially for software-based and contract-based service providers.
5. Detailed Change Logging and Management
Documenting all adjustments made to applications during the development process is another crucial practice in any startup’s development, especially for tech, software, or biomed companies. Clear, well-documented changelogs help identify the anomalies that point to the problem when something falls apart, as well as pinpoint when a security risk or bug was introduced.
Having detailed change management is a critical part of any software development lifecycle and should be implemented from the very beginning for companies creating any kind of commercial application.
6. Adopt an Incident Response Plan
While preparedness and best practices can dramatically reduce an organization’s level of risk, threats in the cybersecurity landscape are constantly changing and evolving. So, while some basic cybersecurity measures will drastically decrease the chances of needing to respond to a cybersecurity incident, you still need to know what to do if one occurs.
There are a lot of key details that need to be included in an incident response plan, for instance building out an IHT (Incident Handling Team) consisting of legal experts, risk managers, and other department managers who can advise on IR activities relevant to their area of expertise. It’s also a good idea to have a few playbooks on hand for the most common incidents your company might face like business email compromise, a lost or stolen device, or even a ransomware attack.
It can seem like a daunting task, but there are some great resources out there to assist you in the beginning. Templates can aid you in understanding what you need to do even if your organization must grow into a fully-fledged response plan over time. Unless you’re working closely with a security expert, we highly recommend taking advantage of the resources available to you, whether created by FRSecure or another expert in the field.
As part of FRSecure’s mission to fix the broken cybersecurity industry, we have several goodwill resources available to help guide in the event of a breach or attack. One of our most popular free resources is our Incident Response Plan Template, which is an excellent starting point for any company’s incident response plan.
Some other resources we have available include cybersecurity cheat sheets, checklists, policy templates, workbooks, and more. See our resources page for the full list of public resources that we have available.
In Closing
It takes time, effort, and lots of energy to build out an effective cybersecurity plan, but putting in the work now as a growing business will pay off in spades over time. Not only will you avoid having to break any bad habits, but you’ll also have basic cybersecurity measures woven into the fabric of everything you do.
As you grow your business, you’ll be able to grow your cybersecurity policies along with it and ensure that they remain robust in the coming years so you can rest assured that your company is as safe as it can be.
Have any questions about securing a new business? Don’t hesitate to reach out to us for help using our contact form.