It’s not only the Microsofts and Googles of this world that get hacked. Startups are equally at risk of data breaches, ransomware and other forms of cyber crime — sometimes with business-ending consequences.
Yet early-stage startup founders rarely give much thought to cybersecurity. Many of them only realise the importance of having robust cyber infrastructure after they fall victim to an attack.
Sifted asked experts which key mistakes startups make that compromise their cyber resilience, and how they can fix them before hackers spot them.
1/ Bad password management
Ensure employees use strong, unique passwords for every account, and roll out a password manager to store credentials and share them safely between team members, instead of keeping them in a Google Doc or spreadsheet.
Deploy multi-factor authentication (MFA) company-wide. MFA is a sign-in method that requires two or more independent proofs of identity before access is granted, for example a password plus a one-time code from an authenticator app or a hardware security key. Codes delivered by email or text message also count, but they are the weakest option, since they can be intercepted or phished; prefer authenticator apps or hardware keys where the service supports them, and switch MFA on first for email, cloud consoles and code hosting, where a single compromised account does the most damage.
2/ Neglecting to conduct regular risk assessments
Regularly assess where your threats and vulnerabilities lie, and commission external security testing: hire third-party security experts (penetration testers) to try to compromise your organisation's systems. They will identify the flaws a real attacker could exploit, so you can fix them before one does.
3/ No data backups
Follow a “3-2-1” rule. “Ensure that you have three copies of your data (your production data and two backup copies) on two different media (disk and tape) with one copy off-site (meaning offline, using a hard drive) for disaster recovery,” says Simon Hughes, general manager of cyber insurance company Cowbell.
4/ Not having an incident response plan
Have a plan for how to respond when an attack happens. An incident response plan sets out who does what when the company experiences a cyber incident: who gets called, how affected systems are isolated, how evidence is preserved, and who communicates with customers, regulators and insurers.
“It should be put in place before ever falling victim,” says Hughes, who stresses that having a plan will reduce the time and money it takes to get the business back up and running.
5/ Failing to train your staff
Remember that employees can fall for phishing attacks, reuse weak passwords or log in to company networks from unmanaged personal devices. These are attackers' favourite routes into company systems. Run regular cybersecurity training for all employees, covering everything from spotting a scam email to handling sensitive data.