Cybercrime is a growing threat in today's digital age, and while large companies often grab the headlines, early-stage businesses are just as vulnerable. Small to medium-sized businesses are often seen as easier targets by cybercriminals, who believe they may have weaker cybersecurity measures in place. A data breach or cyber-attack can be devastating for start-ups working with limited resources. According to studies, 43% of small businesses experience a cyber-attack, and 60% of small businesses that experience a cyber-attack go out of business within six months. Additionally, a study by Kaspersky found that the average cost of a data breach for a small business is $108,000. These statistics make it clear that early-stage businesses need to prioritize cybersecurity if they want to protect their sensitive data, systems, and customers.
In a recent webinar hosted by the Purdue Foundry, the Director of Security and Compliance at Blackink IT, John “Boomer” Boomershine, shared his most important cybersecurity controls for businesses, and then specifically discussed the ways in which they relate to early-stage organizations. Below, we discuss these controls and why they matter for early-stage businesses.
Most of us are familiar with multi-factor authentication (MFA) – we use it in our daily lives to access bank accounts, work email, and numerous other accounts. Although logging in using MFA may sometimes seem like an inconvenience, this control is one of the most important steps we can take in preventing unauthorized access to our sensitive data. It is especially important for early-stage businesses, because start-ups often have limited resources, and a data breach can be catastrophic when resources are already limited. According to a recent study, organizations that use multi-factor authentication experience a 99% reduction in successful cyber-attacks, showing that the implementation of multi-factor authentication is a simple but effective way to protect against cyber threats.
Regular backups of data are essential for early-stage businesses. In the event of a cyber-attack or data loss, having encrypted and tested backups can mean the difference between quickly recovering and permanently losing critical data. As previously mentioned, 43% of small businesses experience a cyber-attack, and 60% of small businesses that experience a cyber-attack go out of business within six months. Often, this is due to the loss of critical data, which could have been mitigated through regular, encrypted, and proven backups. Boomer notes that there are a few important questions you should be asking regarding backups: “If systems went down or data was lost, how long would it take you to restore operations? When was the last time your data was backed up, was it successful, and can you prove it? Are your backups encrypted?”
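The backup questions above can be turned into a routine check. The script below is an added example, not part of the webinar or Blackink IT's tooling: it runs over a constructed backup manifest and answers three of the questions directly (how old the last backup is, whether it succeeded and can be proven by recomputing a stored hash, and whether it is encrypted). The manifest format, field names and sample data are all assumptions for illustration.

```python
"""Backup health check (added example, not from the original post).
Answers: how old is the latest backup, did it succeed and can we prove it
(recompute the stored SHA-256 rather than trust the job log), is it encrypted."""
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample data: stands in for the backup file a job produced.
SAMPLE_BACKUP_BYTES = b"customer-db-dump-2024-01-01"
SAMPLE_DATA = {"customer-db": SAMPLE_BACKUP_BYTES, "file-share": SAMPLE_BACKUP_BYTES}
# Constructed manifest: what a backup job might record for each run (assumed format).
SAMPLE_MANIFEST = [
    {"name": "customer-db", "finished_at": "2024-01-01T02:00:00+00:00",
     "status": "success", "encrypted": True,
     "sha256": hashlib.sha256(SAMPLE_BACKUP_BYTES).hexdigest()},
    {"name": "file-share", "finished_at": "2023-12-20T02:00:00+00:00",
     "status": "success", "encrypted": False,
     "sha256": "0" * 64},  # recorded hash no longer matches the data on disk
]
# Fixed "now" so the example is reproducible offline.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

def check_backup(entry, data, now=NOW, max_age=timedelta(days=1)):
    """Return a list of findings for one manifest entry; an empty list means healthy."""
    findings = []
    finished = datetime.fromisoformat(entry["finished_at"])
    if now - finished > max_age:
        findings.append("stale: last backup is %d days old" % (now - finished).days)
    if entry["status"] != "success":
        findings.append("last run did not succeed")
    # "Can you prove it?": recompute the hash of the backup data itself.
    if hashlib.sha256(data).hexdigest() != entry["sha256"]:
        findings.append("integrity: stored hash does not match backup data")
    if not entry["encrypted"]:
        findings.append("backup is not encrypted")
    return findings

def run_checks(manifest, data_by_name, now=NOW):
    """Map each backup name to its list of findings."""
    return {e["name"]: check_backup(e, data_by_name[e["name"]], now) for e in manifest}

if __name__ == "__main__":
    for name, findings in run_checks(SAMPLE_MANIFEST, SAMPLE_DATA).items():
        print(name, "OK" if not findings else "; ".join(findings))
```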
As an early-stage business, you're likely relying on technology to help you grow. You're using a wide array of applications, software, and devices to find efficiencies and scale. Have you considered whether you keep these systems up to date? Regularly updating software and systems is essential to preventing cyber-attacks and data breaches. The Department of Homeland Security estimates that 85% of successful cyber-attacks occur on unpatched systems.
Strong password management practices can help prevent unauthorized access to sensitive data. According to Verizon's 2020 Data Breach Investigations Report, 81% of data breaches are caused by weak, stolen, or reused passwords. As a start-up, implementing password management best practices is one of the simplest, yet most effective, steps in protecting your data. Boomer recommends complex passwords that include numbers, lowercase and uppercase letters, and symbols. He also recommends that passwords be at least 10 characters long and that they be updated every 90 days. Boomer admits that these recommendations can be tricky to keep up with, but he says that there are several great password managers on the market, like 1Password, to help create and securely store strong passwords.
Phishing scams and malware are two of the most common ways that cybercriminals target businesses. By implementing email and web filters, early-stage businesses can protect themselves against these threats and keep their data secure. Email filters work to keep malicious emails out of employee mailboxes, while web filtering protects employees from unintentionally visiting malicious sites. There are several programs that filter email and web traffic, and depending on which email provider your organization uses, there may be strong filtering settings built in and ready to be enabled.
If your organization is experiencing growth, you may be hiring new employees often, and in turn, introducing new devices to the company. But are those new devices safe? Organizations should strongly consider “hardening” devices, or making them more secure by removing unnecessary applications, controlling privileges, encrypting drives, and more.
Equally important to securing devices is securing endpoints, which can be done with the help of an Endpoint Detection and Response (EDR) tool like SentinelOne. EDRs use AI and real-time human review to identify anomalies and at-risk behavior on your devices. This is important because, after they gain access, it is common for threat actors to lie in wait in an organization's network, collecting information before they attack. As an early-stage business, you likely have limited resources and staff, making it challenging to detect and respond to cyber threats. EDR technology can help bridge that gap and ensure that your business is protected.
Security frameworks provide a roadmap for businesses to follow to ensure their cybersecurity is up to date, while incident response plans (IRPs) help to ensure that businesses are prepared to respond quickly and effectively in the event of a cyber-attack. For early-stage businesses, having these plans in place can be especially critical, as a data breach or cyber-attack can have devastating consequences. A study by IBM determined that having an incident response plan can save 35% of the cost of an incident. With average data breach costs in the millions, 35% is a significant saving.
Building a cybersecurity culture is an important aspect of protecting your early-stage business from cyber threats. By prioritizing cybersecurity and making it a part of your business strategy, you can ensure that all employees are aware of the risks and understand how to protect sensitive data and systems. This starts with implementing security awareness training, like KnowBe4, that empowers employees to make smart security decisions. Boomer emphasizes that a positive cybersecurity culture is vitally important, because employees must feel comfortable speaking up if they see, or do, something risky. If an employee clicks a dangerous link, they need to feel comfortable enough to speak up, as it is too dangerous to go unreported.
As your business continues to grow, so will the number of vendors and third-party resources your organization partners with. As you work with these outside vendors – take accountants and lawyers, for example – you will begin sharing a great deal of data and information with them. Boomer poses the question, "What are these outside vendors doing to protect their systems? Because if they are holding onto our data, shouldn't we be concerned about their security posture? If investors, insurance providers, and others are asking what security measures our companies have in place, isn't it fair for us to ask those same questions of our vendors?" It is important to keep in mind who you are sharing data with, and it is equally important to ask how they plan to protect the data you've shared. "It may be an uncomfortable question to ask, but a valid and important one, nonetheless."
Organizations of all sizes, including start-ups and early-stage businesses, need to prioritize cybersecurity if they want to protect their sensitive data, systems, and customers. At Blackink IT, we understand the importance of cybersecurity for early-stage businesses, which is why we're here to help. From security assessments to incident response planning, we offer a wide range of cybersecurity services designed to help protect your business.
If you're ready to take the next step in securing your organization, contact us, and let’s work together to keep your organization safe and productive.