Very few weeks go by without headlines circulating about cybercrime. It could be a large data breach or a ransomware attack. Yet, somehow this regular drumbeat of news manages to obscure just how huge a problem we face and the large number of sophisticated bad actors out there.
This problem is not going away. Cybercrime is a business. It’s based on opportunity, the same way that a car thief will test the door handle of every car in a neighborhood to find the one that’s open. It doesn’t matter if it’s a Mercedes-Benz or a Chevrolet. They strike when they find an opportunity, an asset that is undefended.
Everyone is at risk. In this blog, I want to focus on a couple unique risks the threat landscape presents for fast-growing startups.
Inflating a risky balloon
The first security risk for entrepreneurs is a complacency rooted in the belief that larger companies provide such richer targets that startups have some innate immunity. You can’t assume you’re too small to attract attention from bad actors. To them, you’re just another car door. And a startup does not have the financial wherewithal to survive a devastating security breach that an established company might have. Imagine telling your venture capital backers that you had to spend a large portion of their money to ransom your own data from the bad guys. That would not inspire confidence that you’re a potential unicorn in the making.
The second unique issue is the rapid expansion of a startup’s attack surface. A fast-growing startup tends to adopt new technologies as it scales and is likely growing connections with customers, employees, partners and other stakeholders at an equal rate. The amount of data being gathered is also growing, likely at a rate faster than revenue growth. You might also be reconfiguring your IT needs because an architecture and application set that serve you at $5 million of revenue may constrain growth at $15 million, and then again at $50 million and on and on.
All of these factors combine to increase the attack surface a bad actor can target. Every bit of business growth – more data, more applications, more velocity of activity – is like inflating a balloon; every breath creates more surface area making it easier to pop with a pin. And when you’re moving that fast, it can be easy to overlook the changing security needs as that balloon inflates.
Three steps to improve your security
So, what do you do? I’ll offer three pieces of advice here, with the caveat that this is just a starting point – short of a full security assessment which our people do all the time. In no particular order:
- Don’t collect data you don’t need. I know there is a philosophy out there that says you should collect as much data as possible, even if you don’t have an immediate use for it because it might be valuable some day. I respectfully disagree. Any data you collect must be stored somewhere, and it has to be secured. That’s money you’re spending with no clear purpose, and you’re inflating your risk balloon much faster than you need to. Imagine telling your customers that their data was stolen from you and trying to explain why you collected data useless to you.
- Create different security postures for different assets. Your security budget should be as large as possible, but you should still spend it wisely. Different assets have different risk profiles. Critical business data, or customer data is highly valuable and should be highly secured. A community forum where users swap advice needs to be monitored, but might not need the same security investment. And there are probably assets that fall in between these two ends of the spectrum in your business. Spend your security dollars wisely.
- Get help. Security is a full-time job and everyone in your organization already has a job. You could piece the solution together yourself, but then you have to manage it and all those vendors and hope all the pieces actually work together. Or you could partner with a provider who can take care of it all and be responsible for helping you see when you need to make changes.
You don’t want to be in the next round of headlines over security breaches and ransomware attacks. Entrepreneurs work hard to establish a winning culture. Make security part of that culture.
Are you secure? Let’s talk.
This blog is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. Lumen does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user. ©2022 Lumen Technologies. All Rights Reserved.
