Businesses are vital to the success and growth of our local and national economies. Startup companies (startups) and small and medium-size businesses (SMBs), in particular, play a significant role in the economy. According to the U.S. Small Business Administration (SBA), small businesses represent 99.7% of U.S. employer firms and employ 48% of all employees in the United States. However, the fact of the matter is that every business — regardless of whether it’s a recent startup or long established — is only as successful as its cyber protections and IT infrastructure security.
August 20-24, we will celebrate Startup Week Across America, formerly known as Startup Day Across America. The holiday serves as an opportunity for startup business owners to help generate awareness of their startups with the senators and representatives of their districts and states. This includes understanding the cyber threats that exist and the forms of cybersecurity protection that can be put in place to strengthen their defenses.
In honor of this holiday, and as cybersecurity professionals in the Los Angeles area, we thought it would be beneficial to share some key talking points that you can discuss with local and state legislators and representatives here in California.
3 Things to Keep in Mind about Cyber Security for Startups
Generally speaking, there are two main types of startups and SMBs: those that are proactive and those that are reactive when it comes to cybersecurity. Some do everything within their power to increase their cybersecurity protections, whereas others do nothing and seem surprised when something happens. As a managed security service provider (MSSP), we put the appropriate protections in place for our clients and do what we can to inform prospective clients about what they need to do to prepare their network and related systems.
With all of this in mind, there are several crucial facts that every startup professional needs to know about cybersecurity for their organization to be successful.
1. Cyber Threats Are Increasing at Record Levels
During each of the past several years, the levels of cyber threats have been record setting — and not in a good way — with each new year’s numbers topping the last. According to McAfee and the Center for Strategic and International Studies (CSIS), the global cost of cyber crime rose to record levels in 2017, with cyber crime estimated to cost between $445 and $608 billion globally in 2017 alone.
2. Data Breaches Can Happen to Any Business Regardless of Size
The truth of the matter is that startup companies and other businesses, no matter how big or small, are never 100% safe from cyber threats and attacks. In fact, it is reported that SMBs face greater threats than their big business counterparts — and the resulting damage is frequently devastating. Citing statistics from the U.S. Securities and Exchange Commission (SEC), CSO reports that “60% of SMBs who were victims of cyber attacks did not recover and shut down within 6 months.”
3. People Are the Greatest Threat to Your Business
IBM’s Security Intelligence blog cites statistics calling out the fact that “security breach research showed that nearly three-quarters of incidents are due to insider threats.” The same article states that, according to another survey, “84 percent of cyberattacks reported had been due to human error… this could include failing to apply a patch, using easy-to-guess passwords or leaving physical devices in an unsafe area.”
This is where cybersecurity training can help significantly. When businesses engage in cybersecurity training, or what is frequently known as cyber awareness training, they arm their employees with the knowledge they need to be cyber aware and understand how to identify and combat cyber threats, such as phishing scams, malware, and CEO fraud. This is just one way you can create a “human firewall” within your organization. Others include:
- Implementing employee password protection methods,
- Setting user access limitations, and
- Setting use policies concerning employee and customer access to your technologies and systems.
Other preventive cybersecurity tools at your disposal include network penetration testing and vulnerability assessments. Penetration tests come in white-box, black-box, and grey-box versions, each of which lets you test the defenses of your network and devices. Vulnerability scans, on the other hand, help you find weaknesses in your systems and gauge the potential scope of damage that would occur in the event of an attack. Together, these tools are highly beneficial to improving the security of your network.
Policies & Laws to Know When Speaking with Legislators
If you decide to embrace the holiday and reach out to your legislators, you’ll need to be equipped with cybersecurity knowledge. This will help you to have an informed discussion about the applicable laws, regulations, and policies concerning cyber security for startups and small businesses.
The U.S. Computer Emergency Readiness Team (US-CERT) website is an incredible resource that will help you understand cybersecurity for startups and established small businesses. The Critical Infrastructure Cyber Community (C3) Voluntary Program provides a wealth of information that helps startup companies face their unique personnel and financial challenges. It relies heavily on the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which helps businesses identify, protect, detect, respond to, and recover from cybersecurity risks to their assets, data, capabilities, and general systems.
The U.S. Congress's NIST Small Business Cybersecurity Act (H.R. 2105) directs NIST to “provide small businesses with guidance to help them identify, assess, manage, and reduce their cybersecurity risks.” However, participation is voluntary and left up to each business.
Depending on your type of startup and industry, there are a variety of other industry-related regulations that you may have to abide by, set out by the following organizations, laws, and standards:
- Federal Deposit Insurance Corporation (FDIC): The FDIC provides resources that can help you educate your employees and customers about cyber threats.
- Financial Industry Regulatory Authority (FINRA): This organization reviews how organizations approach cybersecurity risk management and compliance with existing SEC regulations.
- Health Insurance Portability and Accountability Act (HIPAA): Organizations that handle sensitive and private health or medical information must ensure they are compliant and up-to-date on new standards concerning the processing and storage of health-related documentation and records. This will help to protect patients’ confidential information from being stolen in data breaches and cyber crimes.
- Payment Card Industry Data Security Standard (PCI-DSS): Businesses that handle payment card data are expected to uphold the privacy of their customers’ personally identifiable information (PII) and card data to prevent identity theft and other forms of fraud.
- U.S. Securities and Exchange Commission: SEC regulations and guidelines help financial and investment industry professionals and organizations protect their clients from cyber threats and disclose attacks when they occur.
There are many things to know about cyber threats and cyber security for startups. We hope that you have found this information both informative and useful.
FPA is an MSSP that has worked with small and medium-sized businesses in a variety of vertical markets for more than 25 years. As such, we have a unique and intimate understanding of your specific business needs and are available to serve as a trusted advisor.