Sadly, security is not something most startups think about. It is an afterthought, and the old-school belief that it can be tacked on later is far too prevalent.
Studies have been done: the earlier you start the security conversation and become proactive, the longer you will survive, and survival is really what startups are shooting for.
A lot of hackers will go after startups that hold high-value data, because it is widely known that security there is not a priority and is likely non-existent. There is no reason to try to penetrate the big security vault’s front door when the windows are open and no one is watching.
Start with the basics from day 1. Understand what threats exist for your business, and talk about what data you are collecting, who has access to it, where logs are stored, and what your responsibility is to your users and your customers.
You have a very direct obligation to think about security the second you take someone’s money, and especially when you start to gather, process and store user or customer data. Put yourself in the shoes of the people who expect you to protect their data. The trust you build with your customers is easily lost when security is an afterthought.
Today, startups are already ahead of many large companies. Many popular products and technologies come with strong security on by default, such as iPhones, Chromebooks, AWS Cloud, Azure Cloud and Windows 10. You are already nimbler and have an advantage over more than 80% of the large companies out there. You don’t have the dead weight of legacy infrastructure holding you back.
What gets you in trouble is letting op-ed blogs on the internet lead your decisions. The basics are still key: firewalls, antivirus, good passwords and multi-factor authentication. Don’t let the stories fool you.
The sooner you start thinking about security, your company’s vision and risk, the more money you save. It is more cost-effective to get security right the first time than to fill in gaps later, and it gives you an edge over competitors who tack it on after a breach.
I know it is hard to funnel money into something where you don’t actively see the financial returns. Think of it as an investment in your future survival. Spend a little money now, have those conversations and be proactive, and save yourself from an incident that will cost you brand-tarnishing headlines, lost customer trust, fines, sanctions and likely challenges in future fundraising negotiations.