As your business grows, your security strategy must scale with it. Unfortunately, with competing priorities and limited resources in a startup environment, cybersecurity often doesn’t receive the attention it needs. In this Elevate panel, we heard from leading practitioners on how fast-growing companies should approach cybersecurity. Moderator Jennifer Gold, Chief Technology Officer of Sigma7, was joined by:
- Amit Bareket, CEO & Co-Founder, Perimeter81
- Taylor Hersom, CEO & Co-Founder, Eden Data
- William Pigeon, Co-founder & CTO, Tablet Command
- Alec Zopf, CTO & Co-Founder, Wellth
Find out what they had to say in the video below, or keep reading for the session highlights!
What is the current state of cybersecurity in small businesses?
“While we are seeing more security resources for small to medium sized businesses, we have also seen an increase in ransomware and other malicious attacks,” says Jennifer. Given this escalation, she asked the panelists to share their perspective on the current state of cybersecurity.
“I think cybersecurity is like speed limit signs,” says Taylor. “Speed limit signs are great, but if you knew law enforcement wasn’t monitoring you and there were no repercussions, you would never follow the speed limit signs.”
“It’s the same with cybersecurity regulation. We’ve been so laggard in how security is enforced, and there haven’t been a lot of repercussions. We’re starting to see other nation states bringing in better data privacy regulations, and the U.S. is catching up, so I think that’s going to help us along. But until SMBs feel the pain of a data breach, they will see security as a cost center rather than a benefit to their organization.”
What are the most common gaps you’ve seen in the security management of growing businesses?
“Some of the simplest things are just access control and MFA,” says Alec. “There is such a proliferation of SaaS tools, we use 40+ SaaS tools in our company along with all of our different cloud systems. Are we implementing proper access controls around that? Can we do it at scale when we’re hiring across different departments? Having great access control, good endpoint management, making sure things are encrypted, and making sure you have the right antivirus, anti-malware tools, data loss prevention – all of these things are easy to overlook but they are critical to security.”
Taylor says one of the main challenges for founders and business leaders is determining the level of staffing and resources they should dedicate to cybersecurity. “Any company should follow the rule of thumb that 1% of your staff are dedicated to security. If you’re in a highly regulated industry, it should go higher than that… There’s also compliance and data privacy, which are technically separate buckets, yet most of the time the onus falls on the security team.”
“I’ve seen established organizations with 400-500 people not really focusing on security,” says William. “They think they’re secure, but they just have antivirus installed on their desktop machines. At the same time, they’re sharing an administrative password on all of their servers.”
“It’s much easier as a small company with two co-founders to be secure and compliant from that point forward, versus having 100 employees and trying to implement compliance. It’s much easier to define those policies, enable MFA, and have that culture from the very beginning so that posture scales with you, as opposed to trying to implement it because a customer requires it from you… The biggest mistake is not doing it sooner.”
How can businesses keep up with evolving threats?
William says it’s all about instilling good practices from the very beginning. “Small businesses are bootstrapped. As a developer, when I’m trying to build something, security is the last thing I’ll build. Startups have that mentality of worrying about security later. While you shouldn’t make security the focus, it should come immediately after the product so that it scales with you.”
Taylor is an advocate of the 80-20 rule when it comes to cybersecurity, which states that roughly 80% of consequences come from 20% of causes. “If you look at the data breaches that are out there, a lot of those compromises tie back to three key areas: cloud misconfiguration, identity and access management, and human error. If you have limited budget, resources, or time, then I would focus on those areas knowing that will greatly expand your security posture.”
What is the greatest threat to small business security in 2023?
Remote and hybrid models have completely changed the way we work, which Amit says is one of the greatest threats to small business security. “Before, security was mainly around the office, and the question was how to provide site-centric security. When you work from anywhere, when you work from a computer at home that your kids have been playing with, if you download a malicious program and connect to the company’s resources, it opens up an attack.”
“There are advantages to companies like Electric that have the expertise and best practices in place to adapt your security posture from a site-centric security policy, to a user-centric security policy that activates itself no matter the device or location. That’s a shift that companies need to make sooner rather than later. That’s where I would start, finding a partner that has the expertise to implement a modern security posture that fits with that model of working,” says Amit.
Alec says his organization regularly tests employees for their ability to identify phishing attempts, with training provided to those who fail. “Thinking about agile cloud deployments, it’s critical to have all of our engineers use security best practices – both so they can configure the systems correctly, but also when they’re communicating with each other, they know to use secure channels and verify who they’re speaking to.”
Where should businesses start if they want to improve their security?
Taylor advises leaders to pick a north star framework to start with. “Align it with your business strategy. If you’re a SaaS company selling to enterprises, you’re going to want to align with SOC 2. If you don’t fall into that camp and you don’t necessarily need certification, focus on something that’s more security-driven, like CIS 20 or the NIST Cybersecurity Framework. These are all fundamental principles that can be applied no matter what tech stack you have.”
William reiterated Taylor’s points. “A lot of these frameworks have very similar principles; they have core things you should do with the cloud, endpoints, or access control. As long as you’re covering those bases and building that security posture from the beginning, it’s going to make it a lot easier when you get to the things that are really high bar.”