In the race for growth, many startup founders see cybersecurity as a blocker rather than an enabler. That can be a dangerous assumption, if it ends up exposing the organization to elevated business risk. Remember, the majority of ransomware victims today are still SMBs rather than large enterprises, and two-fifths of these SMBs are companies with fewer than 100 employees.

All of which begs the question: what can generalist IT managers with limited resources do to mitigate potentially existential cyber risks? AccessOwl asked some professionals at the top of their game for their thoughts.

Startups in the crosshairs

Startups are a popular target for threat actors, for good reason. Attackers know that such companies often devote fewer resources to cybersecurity — and may not even employ a dedicated IT security specialist. They know that these companies’ security awareness training programs may not be well developed, which can create a large human-shaped attack surface. And they know that IT teams may lack the visibility into and control over assets, data flows, and SaaS use — which are the bedrock of effective cyber risk management. At the same time, startups may handle a trove of sensitive customer and employee data, which can be sold on the dark web or used to extort the company.

These are some of the reasons we’ve seen so many startups suffer at the hands of third-party hackers. At the larger end of the startup sector, companies like Houzz, EatStreet, and Canva have experienced breaches exposing millions of records. The question is how to avoid a similar fate.

Keep things simple

For many businesses, their number one risk comes from employees. The “human element” was a factor in 68% of breaches last year, according to Verizon. So, for XTB IT Asset Manager Jakub Łączak-Król, the most important thing is not to overwhelm those employees with information they won’t be able to retain.

“I found that writing long emails to employees is not very effective. Most people won't read them. So I’m a strong believer in sharing only the essentials,” he says. “If they're going to have 10-15 bullet points, and they're going to follow them, that's better than being overwhelmed by too much information and not remembering any of it.”

Łączak-Król says he starts with those essential bullet items and then, a few weeks later, follows up with more detail on each. He also runs phishing simulation exercises — of no more than five minutes per session — and then runs campaigns to test the knowledge these employees should have learned.

Be honest with the C-suite

There’s no such thing as 100% security. And no two organizations have the same risk appetite. That means the job of the startup IT manager is often an advisory one, according to Grant Bordelon, IT Operations Specialist & System Network Administrator at Rep Data. It means consulting with leadership about potential threats to their business and allowing them to decide where the balance of security versus convenience should lie.

“It’s about talking to the C-suite people and making them aware of where the risk is, estimating the chance of it being a problem, and then making a decision,” he says. “If we had unlimited money, we’d buy everybody their own access VPN that they plug into. But that’s not the reality of the situation.”

A quick checklist

Airtower Networks IT Manager Derek McGee was brought into his current role after a prospective insurer demanded the organization improve baseline security. Both the carrier’s list of suggestions and his own provide a useful place for startup IT leaders to begin their cybersecurity journey.

• EDR in place for all devices

• MDM to cover management of all devices

• SSO where possible, backed by multi-factor authentication (MFA)

• A comprehensive cybersecurity policy to share with employees

• Encryption of sensitive data

• An end-user training and awareness program

• A business continuity/disaster recovery plan

• Regular security audits by a trusted third-party vendor

McGee also suggests a way to enhance employee awareness in the early days of a cybersecurity program.

“I created a secondary Slack channel just for security alerts, until we got everything up and running,” he says. “That had things like phishing emails someone had just received, or immediate ‘911 alerts’ that we all needed to look out for, until we got those other solutions in place to help.”

Security as an enabler

Ultimately, when done right, cybersecurity should never be a block on innovation. Rather, it should provide the peace of mind the business needs to pursue growth — empowering staff to be productive while avoiding practices that could lead to a serious breach.

At a certain stage, all fast-growing companies will be forced — either by customers and partners, or regulators — to improve their cybersecurity, in line with industry regulations or best practice standards (e.g. SOC 2/ISO 27001). The IT leader’s job is to ensure they have the people, processes, and technology in place to get there.