Harvard Business Review author and cybersecurity professional Michael Daniel recently asked, “After nearly 20 years of trying and billions of dollars in investment, why are organizations still struggling with cybersecurity?”
Generally speaking, cybersecurity is the protection of hardware, software or information from theft or damage.
Daniel notes three main reasons why cybersecurity issues are getting worse, not better: it’s not just a technical problem; the rules of cyberspace are different from the physical world’s; and cybersecurity law, policy, and practice are not yet fully developed.
Cybersecurity can be especially hard on startups with typically smaller budgets. The following list has been provided by Bill O’Connor and David Rieveschl of Baker Donelson, the country’s 60th largest law firm covering more than 30 practice areas. The firm also runs a cybersecurity accelerator based in Atlanta to support the growth of domestic and international companies by providing mentorship, talent, customers, and capital.
Here are the top eight ways startups can enhance cybersecurity:
Inventory all information assets
If a startup doesn’t know what all of its information assets are and where they’re located, it can’t adequately perform any of the other tasks on this list.
Perform a risk assessment
A risk assessment that determines threats and vulnerabilities, the likelihood of exploitation, and the impact if a threat is realized will go a long way in allowing a startup to show that it has taken reasonable steps to determine how to protect its information assets.
Develop an incident response plan
The recent WannaCry outbreak should serve as a serious reminder as to why all startups should have a plan for responding to various types of cybersecurity incidents, such as a ransomware attack or a data breach.
Implement a patch management program
All startups should implement a patch management program to ensure that critical patches for all of their computer systems and other devices are tested and installed on a timely basis. The recent WannaCry ransomware outbreak exploited a vulnerability in Microsoft Windows for which a patch was available. Fortunately, many companies were not affected by WannaCry because they were up-to-date with their patches.
Perform offline backups
Many startups rely solely on cloud data storage and online (cloud) backups of their data. Current variations of malicious software, especially ransomware, specifically target online (network and cloud) data files and online backup files. As a result, it may be difficult, if not impossible, to recover from certain cybersecurity attacks using online backups. Therefore, startups should also perform offline backups (disk, tape, etc.) that can be used when their online backups are not available.
Conduct cybersecurity training with employees
This may be the most important action a startup can take to protect itself against cyberattacks. Many cyberattacks are the result of human error. So, training employees about cybersecurity awareness and how to respond to cybersecurity incidents can mitigate the biggest cybersecurity weakness for many companies.
Act now and do not procrastinate
Management, legal and information technology security can no longer keep “kicking the can down the road” when it comes to information security. Whether the systems include information on trade secrets or personal information of individuals (including employees), or the systems just keep the machinery up and running, computer systems and programs are the lifeblood of almost any organization. Knowing your compliance and contractual obligations before an event is critical. It is also important to revisit prior decisions. For example, many organizations continue to delay implementing multi-factor authentication for a variety of reasons, including employee morale. However, this tool is widely becoming one of the most important information security protocols.
Develop a relationship with a trained cybersecurity lawyer
Startups should work with experienced and credentialed professionals when addressing cybersecurity. Because of the legal and regulatory nature of most cybersecurity issues, startups would best serve themselves by working with attorneys who have obtained certifications related to cybersecurity, such as CIPP/US and CISSP certifications (among others), and are recognized as being strong cybersecurity performers. Baker Donelson works extensively in this emerging area with several members of the team having these certifications.