Cybersecurity is often an afterthought, but entrepreneurs need to start taking it more seriously. 60% of small businesses close within six months of a cyberattack, and such incidents are more common than you might think. 43% of all organized attacks targeted small firms, making them the single biggest target of any business cohort.
Here are five steps any entrepreneur can use to upgrade their company’s defenses and reduce the odds of losing their startup to a cyberattack.
1. Put a data security policy in effect from day one
One of the reasons that startups are an appealing target for bad actors is that most don’t address cybersecurity until it’s too late. This is an issue that grows more dangerous as a startup scales, which makes having a data security policy in place on day one the best way for a startup to protect itself.
The purpose of a data security policy is twofold. The first is to create transparency. A good data security policy should clearly identify what data the startup will collect and how it is stored. The second purpose is to spell out every employee’s relationship with that data. It should include policies surrounding data access, procedures to control that access, and a list of each employee’s responsibilities to protect it.
Attackers often target insiders to get past perimeter network defenses. Making every employee aware of their responsibility to remain vigilant is crucial. When it comes to cybersecurity, the human element is always the weakest link, and simple awareness goes further than you think.
2. Set IT hardware standards
Many startups spend the first years of their existence trying to save money every way they can. From an IT perspective, this can lead to a reliance on a bring-your-own-device (BYOD) model to keep hardware costs low. However, this can rob the startup of a crucial defensive element: hardware standardization.
When every employee is using a personal device, a single employee downloading a malicious app or visiting a dangerous webpage can endanger company data. To have a secure BYOD model, set hardware standards for all employee-owned devices and enforce them.
To start, require updated hardware only. This means no aging smartphones or laptops. You can also set minimum operating system updates and requirements to make sure no vulnerable software is in use.
Security software should also be a requirement on all devices that will access company networks and data. Consider business-grade protection software from companies like Broadcom or ESET, or MacKeeper if you run primarily Apple products.
3. Eliminate passwords wherever possible
Bad actors use stolen or compromised credentials in the overwhelming majority of successful attacks. According to Verizon’s latest Data Breach Investigations Report, compromised passwords played a part in 61% of all attacks in 2020.
While it’s useful to set strong password policies for all company-related software and services, startups have a better option: get rid of passwords entirely. Wherever possible, startups should make use of hardware security keys or biometrics to protect their data and related assets.
If you can’t get rid of passwords, enabling two-factor authentication is a must. It decreases the odds of a successful attack. Additionally, extend this policy to any contractors or freelancers that have access to company data as it’s very common for attackers to use third-party credentials in an attack.
In those situations, the damage can vary greatly. For example, if guest posts are part of your marketing strategy, an attacker who gets access to your content management system can manipulate your articles. If an attacker gets hold of an account used by an IT vendor, that damage could be worse.
4. Make regular backups of critical systems
Ransomware attacks have exploded in the past year, increasing by a staggering 171%. Startups can decrease the threat of ransomware by developing a response plan that includes regular, updated, offsite backups of critical systems and data.
Identify your critical IT assets and deploy a backup method that allows for a complete restore of the data. You can do this using online backup providers, or by using removable hard drives that get stored offsite after each new backup.
It’s important to draft a complete, step-by-step recovery plan that details which systems get restored first, who will do the work, and how long it should take. With these in place, a startup can reduce a ransomware attack’s impact to just a few days of downtime.
5. Consider cyber insurance as a financial shield
Even if a startup manages to recover from an attack or a data breach, there’s still no guarantee it will survive for the long term. The financial fallout from such attacks is often more than a small company can handle, especially if the breach includes sensitive information.
That’s why it’s important to consider purchasing a cyber insurance policy as a last line of defense. Such policies may cover many of the expenses a startup incurs during its recovery from an attack, reducing financial losses and ensuring continuity.
The secure startup
These preventative steps address common weak points that make small businesses an attractive target, and can help you recover from a worst-case scenario. Security is often not a priority for many business owners, but don’t wait until it’s too late.