ONE PLANS ON THEIR START-UP not making it past a year of business, so you should also plan for your investment and planning in cybersecurity to scale into the future. While selecting the bare minimum may seem and feel counterintuitive and is certainly against the opinion of many cybersecurity professionals, it will ensure the continuation of the business.
Just as the heart is the first organ to receive oxygenated blood from the lungs, the continued operation of your start-up should be the number one priority. Security must enable the business to operate and find a balance as a requirement for the business. Cybersecurity is now a priority business function and no longer solely an IT issue.
When discussing cybersecurity many thoughts come to mind, all culminating with three important categories: people, processes, and technology. As a start-up, you won't always have the option of deploying all three. And even many mature organizations do not. This is why when we discuss cybersecurity we must also discuss risk and managing risk. The goal of your cybersecurity strategy should be to reduce, mitigate, and accept risk. No two organizations are the same, even within the same industry vertical. The risk of not being Payment Card Industry Data Security Standard (PCI DSS) certified could mean the loss of revenue for one organization and absolutely nothing to another.
Cybersecurity must be included in your enterprise risk management along with things like compliance, financial reporting, business continuity, etc. It should be all-encompassing and avoid siloing each off into its own risk management vertical. Cybersecurity is a huge part of all of these pieces. All of the following compliance and regulatory requirements require a varying level of cybersecurity practice and maturity (and we'll review these in more detail in Chapter 10):
Payment Card Industry (PCI)
Sarbanes–Oxley Act (SOX)
North American Electric Reliability Corporation (NERC)
Health Insurance Portability and Accountability Act (HIPAA)
HITRUST
The credibility of your business is important to protect. This is why you seek professional advice from lawyers and accountants. A start-up with three founders and without capital cannot afford to hire a full-time world-class lawyer (also referred to as general counsel) or accountant, let alone a chief finance officer (CFO). There are, however, many services that offer those capabilities that can meet a start-up's needs at every phase of the scaling life cycle. You shouldn't feel concerned by the fact that you can't afford a full-time chief information security officer (CISO) or world-class cybersecurity team; alternatives exist that are appropriate for your start-up life cycle stage.
Regardless of the type of business you are starting or industry you plan to sell into, cybersecurity can scale with your idea. From a next-generation weapons system for the military or taking credit card transactions with some new smart device, security can be adequately included. Protecting your intellectual property (IP) and business doesn't require you to have decades of cybersecurity experience; it only requires a willingness and drive to learn. Not everything I discuss will be easy or “point and click,” but I will show you the steps along the way to scale your security, along with your business, from seed funding to initial public offering (IPO) or whatever your exit strategy might be.
There is a common phrase when describing old-school cybersecurity approaches where it is like an M&M – crunchy outside and soft inside. When cybersecurity is applied with a hardened perimeter, the thing you want to protect most may actually be more vulnerable from the false sense of security that is created.
When approaching cybersecurity for your new start-up you should focus on the following:
The data or capabilities you want to protect
The systems with that data or capabilities you want to protect
The people with access to those systems you want to protect
COMMUNICATING YOUR CYBERSECURITY
Communication is a critical part of our lives. It is also critical to the success of your business. Communicating with your fellow founders, potential or existing customers, vendors, or investors is vital. In cybersecurity, there is a common philosophy called CIA: confidentiality, integrity, and availability. To better understand this, we can apply this methodology and framework to email. In the case of the sender and intended recipients of that email, only those individuals can access the communications; the information being communicated is unmolested and it is accessible when required respectively. This philosophy is applied across cybersecurity, not just to communicate, but for this discussion we will refer to it as such. It should also be noted that each are not always equal in every situation. There may be times when availability is favored over confidentiality.
You as well as your founders will want to know your start-up is defensible, at a minimum, from the most common threats today. Your customers will want to know their data and, in turn, they are safe with you. Investors will want to know their investment is not put at unnecessary risk. Once you've addressed the topics we will cover in this book, they will all apply equally to these different audiences. Your message may vary but the standards remain the same.
EMAIL SECURITY
Email has become a digital repository for nearly everything in our lives. From communicating with our children's teachers at school, to our doctors, to our accountant when filing our taxes, it is a literal treasure trove. On top of just the sensitive data in one year of sent and received emails, our email accounts are now the key to accessing nearly all of our other accounts in other systems. Think back to the last time you reset a password. You most likely received a password reset link to your “email address on file.”
Email is not secure. This is a bold statement, so let me explain. While you may log in to your email provider that uses HTTPS – S stands for secure – in their web address, when you click to send, that email will be transmitted unencrypted across the Internet. For example, if someone was able to intercept that email when it leaves your email provider's servers they could read the entire contents. For many start-ups, it is not feasible to build and maintain their own email server, so they rely on services like Google Workspace (formally G Suite)1 or Microsoft O365.
It is important to establish an enterprise-level email account once you register your company domain name. Operating from your personal Gmail, Live, Hotmail, or iCloud email limits the security controls you can place around your account, and does not lend to the credibility of your start-up.
Both Google Workspace and O3652 are referred to as software-as-a-service (SaaS), which means you don't own any software that you install on your desktop but pay a monthly or yearly service fee. However, there are services such as Virtru3 that are compatible with those services, both on your desktop and mobile devices, and that allow you to encrypt your emails and control if they can be forwarded and even set an expiration date. This does not prevent someone from copying and pasting the contents or taking a screenshot but would prevent a malicious person from eavesdropping.
For many entrepreneurs, email is not the only means of communication. Surprisingly, many companies operate by text message. Shorter messages that usually get a faster response than lengthy emails can keep start-ups agile but can also pose a risk. Short message system (SMS), also commonly known as text messaging, is insecure like email.
