If you've ever been in a meeting at a startup when the topic of cybersecurity came up, then you've probably seen the barely concealed eye-rolls, feigned attention, and predictable inaction. The reason for this is often simple: startups just don't see themselves as viable targets and are already under immense financial strain. Far more focused on "lean" development, marketing and financials, startups are famous for their laissez-faire attitude towards long-term stability. While this has allowed startups to produce disruption and innovation across countless industries, it also comes at a price. Fortunately, recent high-profile breaches have convinced many that cybersecurity is simply non-negotiable. Here are the five most common cybersecurity myths that startups fall for:
1) "We're too small to be a target"
No one would want to hack a barely known startup, right? Wrong. Most cyber-attacks are now run by automated scripts which seek out vulnerable systems and software regardless of size or prestige. Due to their lack of investment in cybersecurity as well as their limited resources, small companies often make the perfect targets. Remember, it is usually not your fame that is most valuable to hackers, but the information you handle. Poorly protected passwords, financial accounts and contact info are valuable no matter where they come from.
2) Far too trusting
Does your startup allow employees to use their personal computers and smartphones to handle company work? Do you often hand out login credentials to freelancers, interns and advisors? How long after an employee has left can they still access their company email? No need to blush: nearly every startup is to some extent guilty of being far too trusting. The key is to enforce security policies to protect against these enormous risks. Keeping a centralized Permissions Log, performing monthly password changes and creating a comprehensive offboarding procedure for exiting employees are good places to start.
3) Outdated software
Update. Update. Update. Among the easiest vulnerabilities for hackers to exploit are already-known flaws that have only recently been patched. It is therefore critical to reduce the time between the patch release and your update as much as possible. We know that these updates always seem to be released just as an important deadline is looming, but each time you hit "remind me later", you help a hacker meet their deadline as well. So, keep your finger off 'ignore', perform regular reviews, and think about investing in a Continuous Monitoring solution.
We get it. Third-party auditors are like the dentists of the tech world. They're expensive, frustrating, and rarely deliver positive news. But if a cyber-checkup is as annoying as a good dental exam, it's even more important for your firm's overall health. So, instead of waiting for that inevitable toothache to get too bad to ignore, go out and get yourself an annual (or better, quarterly) vulnerability assessment subscription with a trusted cybersecurity partner. You can thank us later.
5) Our MVP doesn't prioritize security
It's tempting to focus on the M in MVP and release the very leanest product possible. But companies that pay less attention to the V in MVP often realize down the road that their security and privacy never did quite catch up to their core offering. Most (in)famously, Facebook grew iteratively from a handful of freshmen in a college dorm room to one of the most valuable companies on the planet, but their focus on 'being social' never allowed them to seriously think about privacy and security. 15 years later, hardly a month goes by without another Facebook-related privacy scandal. The lesson: incorporate security into the MVP so that it can grow organically and scale alongside the product.
About Silent Breach: Silent Breach is an award-winning provider of cyber security services for Fortune 500 companies. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and Internet of Things (IoT) industries.