Startup cyber security requirements

Wednesday, 17 May, 2023

image description

As a startup, it can be overwhelming to know where to start when it comes to cyber security, and the approaches adopted by larger organisations are often not suitable to be applied on a smaller scale as they are both costly and resource intensive.

More and more organisations are evaluating supply chain risk as part of their cyber security risk management, and rightly so. Security questionnaires are now a routine part of onboarding new suppliers, and expectations are increasing. However, startups often do not have the resources or the budget to meet the requirements of large established organisations. So as a startup, what should you be doing to demonstrate to prospective clients that you consider cyber security within your organisations?

We’ve had the opportunity to work with new businesses that are considering cyber security for the first time, either through self-awareness or because they want to attract clients. We’ve helped these organisations set up the foundations for an effective cyber security approach that is both pragmatic and allows for organic growth.

One size does not fit all

As a startup, your risk profile and exposure levels are not the same as a large established organisation, which holds large amounts of personal information, intellectual property, sensitive data, etc. Most startups have a larger risk appetite, including in cyber security, where risks around protection of IP, protection of personal information, and availability of key services are yet to fully materialise, with both the probability and impact of those risks being lower initially. It’s important to recognise this, as it should drive your approach to cyber security, and put your security controls into context. This, however, is no reason to not start laying the foundations for good cyber hygiene.

We start most of our engagements with a simple question: What are you defending?
Thinking of security in this way ensures that you put in place the controls that are required to defend your ‘crown jewels’. Below are the building blocks that set the foundation for good cyber security posture management, but beyond these will depend on the nature and quantity of information you’re defending, as each organisation is different.

Basic policies

Cover the bases; ensure you have the basic policies in place for your organisation to set out its expectations for employees and communicate the information security objectives to them. Part of building your cyber security posture is developing a security culture in your organisation, and policies help achieve this. Some of these may include:

  • Information Security Policy - this is a document that both you and your employees agree to adhere to, setting out the objectives and commitments of the organisation, and the expectations of your employees
  • Privacy Policy - this is a statement that informs your website visitors and clients of how their data is handled
  • Incident Response Policy - set out the procedure in the event of an incident, including who to contact, how, and how incidents will be dealt with at a high level. We have an Incident Response template here that can be used as a starting point
  • Business Continuity Policy - Similarly to the IR plan, this should detail the procedure for how the business will continue to operate in the event of a severe incident. As a small business you will be more agile and the policy should remain high level

A critical part of governance is that you follow your own policies and processes. As a startup, you have the opportunity to set up your own policies and processes, review them periodically, and grow them organically to fit your business. This is why downloading a raft of policy templates online is not advisable; you can easily end up with a load of policies that are not suitable to your business! For example, if you’re a remote-first business then a clear desk policy is going to be nigh-on impossible to enforce.

Once you have a basic subset of policies then you can review them and add any as is required, growing your cyber security culture organically. This will also help demonstrate that you consider information security in day to day operations and have the necessary processes in place to govern your approach to cyber security.

Cyber Essentials / IASME

Having a formal cyber certification gives assurances to prospective clients/investors that you consider information security within your organisation and that you have appropriate controls and processes in place to manage your cyber security posture.

Cyber Essentials certification is a UK-based government scheme designed for small to medium sized businesses. It covers some technical areas around boundary protection, device configuration and account management and access rights, but also the basic governance processes required to manage your policies and controls.

If you’re operating outside of the UK you may consider Information Assurance for Small and Medium Enterprises (IASME) certification instead, as Cyber Essentials is not consistently internationally recognised.

Cyber Essentials costs between £300-£500, and IASME ranges from £300-£1,000, both depending on the size of your organisation. The questionnaire takes approximately 60 to 90 minutes to complete depending on how much you need to go away and look up, such as the name and version of the malware protection solution you’re running, or your OS version.

It’s not resource intensive but you may need to implement some controls/processes before submitting your questionnaire. There’s no limit on the number of times you can submit the questionnaire for review, nor is there any extra cost for doing so.

Minimal Viable Security Product

If your organisation conducts development activities for a platform, software, or product, we’d recommend you look at the MVSP checklist. With contributions from the likes of Google, Okta, Salesforce and more, it sets out a list of good practices that should be expected of any service or product.

Meeting the items on this checklist will provide a good foundation to illustrate the design features and controls in place to ensure your development is secure.

Security should be proportional to what you’re defending

Startups should consider their cyber security needs and have in place the people, processes and technologies required to defend their crown jewels as deemed necessary by the business. Take control of your cyber security posture, starting with the simple question: “What are we defending?”. As you grow, a greater focus should be placed on risk analysis to maintain a clear view of the organisation’s risk profile, which will in turn inform key decisions on resource and budget allocation.

In summary, ensure you have completed the following steps:

  • Consider the question: “What are we defending?”
  • Implement basic policies to govern the organisation’s cyber security approach
  • Consider Cyber Essentials/IASME
  • If you do software development, consider the MVSP checklist as a foundation for good software development hygiene
  • Review the above regularly (quarterly/annually depending on the speed of growth)

Crucially, however, don’t be afraid to justify your posture. Your risk tolerance and risk exposure will not be the same as large organisations, and as long as you have followed the steps above you should feel confident that you are in control of your risk profile and are taking the necessary steps to adequately protect your organisation and its crown jewels.

Photo by Clemens van Lay on Unsplash