Cybersecurity for startups: What do as a founder to secure your firm: Part 2 - Identify (ID)
Updated: Nov 27, 2020
With plenty of data providing the evidence that attacks are getting more commonplace, and the impacts are also increasing, it's only logical for us to lead from our experience of dealing with startups but also large enterprises.
With technology being the bedrock (or platform if you will) of pretty much any startup we feel it's only fair that cybersecurity best practices are available to access for startups as well.
That way, any startup can make use of a set of best practices to provide protection today and not until they have secured substantial funding when the organization has grown extensively.
That way, we can positively impact more companies and hopefully, positively impact one million people as part of our mission.
We are aware that VC's don't necessarily always see the value of investing in security while building your startup.
However, it can increase the value of your startup at acquisition or IPO event as you can demonstrate due diligence and due care when it comes to the security of your company.
Not to mention it can help you protect your reputation as it can easily be destroyed in the early stages of a company, especially if there is more competition to deal with in your area of the market.
That doesn't mean you have to dedicate a lot of time to cyber security initially.
It does mean focusing on the low hanging fruit to address the top risks to your startup.
With the dependency on technology, it's not a great idea to bet against the possibility of a breach happening.
With detection times averaging 200 days or well over six months, it's a matter of using your time and intelligence wisely.
That's where external experts/advisors can help you accelerate these improvements.
Doing so doesn't mean compliance-based security but pragmatic steps to improve risk mitigations outcomes for your customers, partners and investors.
So you might have only raised 100K dollars of investment, but there are plenty of steps that you could perform using existing solutions like open-source tools.
Does it matter if your estate is in the cloud such as AWS, Azure or GCP or on-premise?
Thankfully much of the same principles apply whether your assets are in the cloud or some data centre even if that data centre might be your garage in the early stages.
It doesn't matter at which stage your startup is as there are appropriate steps whether you founded this year or you have already raised a few rounds of investments, and you are on a stable path to an IPO or acquisition event.
Every situation being unique requires a different solution, but the best practices remain the same.
Attackers, in the end, don't target a single type of organization as data on breaches show.
So improving the cybersecurity maturity might mean that a hacker instead of picking your startup decides to hit a competitor.
In this blog, we continue our coverage of the NIST Cyber Security Framework.
A quick recap: NIST Cybersecurity Framework Part 1
In the previous blog, we covered the NIST CSF from a high level discussing the following elements:
Deep dive: Identify (ID)
In this blog, we will be covering the Identify section of the NIST CSF encompassing the following components:
- Asset Management (ID.AM)
- Business Environment (ID.BE)
- Governance (ID.GV)
- Risk Assessment (ID.RA)
- Risk Management Strategy (ID.RM)
Asset management from a high level is creating understanding about the cyber security risks each part of the company is facing.
Overview of where assets are whether on-premise or in the cloud. Understand what assets you have and where they are.
Create an overview of software usage and where. Have a reasonable inventory of your tech stack.
Create clarity on how information flows between the various parts of the organization. Describe and visualize how information flows between the multiple systems.
Map the links of external systems to the organization. In case of usage of any external systems, ensure to allocate where these would interact with your organization's operations.
Resource prioritization is done based on their classification, criticality, and it's value to the business. Create clarity on which systems matter the most.
Create definitions for roles and responsibilities for both internal and third-party stakeholders. Create a matrix of which part each stakeholder plays in the overall system.
The organization's mission, objectives, stakeholders and its activities are clear to inform roles and responsibilities and risk management decisions.
Identification of the organization's role in the supply chain is performed and communicated. Does the organization create and sell the product, or does it deliver a specific duty in the overall product lifecycle?
Identification of the organization's place in critical infrastructure and its industry sector is performed and communicated. In what area is your startup operating, e.g. finance, automotive etcetera
Priorities for organizational mission, objectives and activities are established and communicated. Have clarity on what priorities drive decisions.
Establishment of dependencies and critical functions for the delivery of essential services is performed and communicated. Describe and document the dependencies between various systems, processes and procedures.
To support the delivery of critical services define the matching resilience requirements. Create clarity on how resilient systems need to be and plan accordingly.
Governance helps a company establish policies, processes and procedures that will help them operate within set boundaries whether legal, regulatory or internal.
Creation of an organizational information security policy. A Development of an information security policy to function as an "anchor."
Information security roles and responsibilities are coordinated and aligned with internal and external resources. Clarity is created by ensuring internal and external parties know to set an expectation for them.
Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties litigation, are understood and managed—alignment of activities with legal and regulatory requirements.
Governance and risk management processes address cybersecurity risks. For startups, a more agile way of governance will ensure that risks taken are right-sized inline with the risk appetite of the startup.
Risk assessment is vital to establish what's at stake when it comes to threats and vulnerabilities and the link to the company's assets.
Identification of asset vulnerabilities and documentation. Assets are regularly scanning of assets is performed to find vulnerabilities, and when seen the creation of documentation for these vulnerabilities.
Ingest threat and vulnerability information from information sharing forums and sources. Threat information is collected from open source and closed source intelligence.
Threats, both internal and external, are identified and documented. Achieve clarity on which threats exist.
Identification of potential business impacts and likelihoods. The business impacts of the documented threats are quantified to prioritize, which threats to focus on first.
Threats, vulnerabilities, likelihoods, and impacts inform the risk determination. The four factors of T, V, L and I express risks consistently.
Identification of risk responses and prioritization. Usage of risks to inform and decide on risk responses, whether it is acceptance, mitigation, transfer, or avoid.
Risk management strategy
Risk management helps provide the guardrails that risks can be managed within.
Risk management processes are established, managed, and agreed to by organizational stakeholders. Tracking of Risk to gain a better understanding of past, present and future risks.
Organizational risk tolerance is determined and clearly expressed. Risk tolerance acceptance helps inform spent on risk management activities.
Informing the organization's determination of risk tolerance by its role in critical infrastructure and sector-specific risk analysis. Depending on the part of the organization in overall critical infrastructure, it helps decide risk tolerance more accurately.
In the next blog, we will cover the Protect components of the NIST CSF.
Other resources I wanted to highlight are some of the following:
NIST Small business Cybersecurity corner
The NIST small business cybersecurity corner with various resources to help small business owners to start their journey to greater cyber security resilience.
OWASP top 10
Open Web Application Security Project is a non-profit organization which performs research and provides free guidance.
The top 10 highlights the vulnerabilities often seen in web applications. Most of these, unfortunately, are recurring types of vulnerabilities and therefore not new. With it based on the consensus of many businesses and users providing data on what vulnerabilities are prevalent.
It's an excellent resource for learning how to prevent some of these vulnerabilities so you may reduce the chances of a successful attack.
Is there anything else you have questions about?
E.g. Ransomware, machine learning, digital transformation, networks, architecture, endpoint protection, malware, penetration testing, container security, API security etcetera?
Then leave a response below.
We aim to create a growing library of various resources for the startup community.
Of course, we can't provide a total picture as each startup is unique in itself, but we will cover topics from essential to advanced levels.
Last but not least, regarding the type of delivery.
What works better for you?: