top of page
  • andreaciocas

Cybersecurity for startups: What you can do as a founder to secure your firm Part1: NIST CSF

Updated: Nov 27, 2020

Some sobering statistics on small business impacts

A startup like regular smaller companies has competing priorities for the amount of money to spend on cybersecurity. At the same time, it goes through growing pains going from a small team blossoming into the large enterprise of tomorrow. 

This doesn't mean that a startup doesn't encounter any cybersecurity risk.

There is still a need to manage cybersecurity risk, even if the systems are all in the cloud.

Depending on what platforms and software you use and advanced technologies like IoT and artificial intelligence, you are operating.

Doing so doesn't require an extensive program of work with a consultancy providing a team of resources to try to do everything.

It does require the ability for someone to read the scene and point out some easy wins.

That provides the first step to a raised cybersecurity standard.

You, as a founder, can start this today.

It doesn't mean creating lots of extra jobs that take investment away from the main area your startup is aiming to operate in.

Challenges are encountered, but these are there to be solved. 

Due to the nature of startups and other small companies, the environment is quite attractive from the perspective of an attacker when it comes to threats.

With startups making extensive use of best in breed technologies, it makes it easy to find a way in for those same attackers.

With the internet, it gives startups the option to potentially be based anywhere as long as there is internet access. 

The same internet means that attackers can also be based anywhere, which can be in jurisdictions not policed as much as in other more developed nations.

With the internet suitable as such for both well-meaning users and attackers, it can mean that attackers with one well-placed attack can do substantial damage to a small company which has led to the following scary statistics:

- 10% of small companies that got breached shutdown last year.

- 69% of organisations were forced offline for a limited time

- 37% experienced a form of financial loss

- 25% filed for bankruptcy

These numbers can be scary, but there are lots of resources for startups and smaller companies alike for you as a founder to reference.

This article will start with one of those resources.

NIST Cybersecurity Framework

The NIST Cybersecurity Framework is free to use resource that gives startups insight into how they can understand, manage and express cyber risk.

It categorises on a high level by:

- Identify (ID)

- Protect (PR)

- Detect (DE)

- Respond (RS)

- Recover (RC)

I will cover each of those components or profiles if you will slightly more in-depth, so it's clear what kind of activities fall under the various segments.

Over time I will do a deep dive for each of those segments to give you as a founder some ideas to take away. 

But for now, I will give you a high-level overview.

NIST CSF as it's known by is not a new framework, but it is updated regularly by practitioners all over the world when new insights are learned and is consensus-based. 

It's based on industry best practices but also referring the various compliance standards that you or your startup might have to comply with to be able to serve your customers.

The top-level categories are meant to give an organisation a core group of protection profiles to help you defend your organisation from attackers.`

Coupling this with cyber insurance for when a breach does hit gives you an excellent chance to survive such an attack.  

Raising funding is of course considered critical for a startup but raising the cybersecurity maturity is also helpful as it's supposed to be much more cost-effective to fix faults early on. At the same time, it becomes much more expensive (or near impossible) to fix things later on.

As a founder, you are working towards an exit event, be it to list at the stock exchange in an IPO or an acquisition event. 

Being able to show the acquiring party you have practised due diligence and due care when it comes to the cybersecurity of your startup means it raises the intrinsic value. 

On the other hand, it can also lead to a decrease in value where the breaches at Yahoo lead to a decreased price (-$350 million ) being paid by the acquiring party being Verizon.

If you are raising a new round of funding

Identify (ID)


- Asset Management: Which assets are where and who is responsible for them.

- Business Environment: The organisation's mission, objectives, stakeholders and activities are understood and prioritised.

- Governance: Policies, procedures and processes to manage risk.

- Risk Assessment: Ensure that the startup has assessed risk

- Risk Management: Ensuring that the startup is clear on how each identified risk is managed.

Protect (PR)

- Access Control: Access to assets and facilities is limited to authorised users, processes and devices for permitted activities and transactions

- Awareness and Training: Ensure that everyone within the startup and working with the startup are provided with some cybersecurity awareness training.

- Data Security: Ensure that information and records such as intellectual IP is managed inline with the startup's risk strategy.

- Information Protection Processes and procedures: Security policies, processes and procedures that address the protection of information.

- Maintenance: Mostly relating to maintenance of industrial control systems

- Protective Technology: Technical cybersecurity solutions to ensure the security and resilience of systems.

Detect (DE)

- Anomalies and Events: Anomalous events detection is in place.

- Security Continuous Monitoring: Systems assets are monitored in set intervals for detection purposes.

- Detection Process: Processes are in place to action any detected events requiring further investigation. 

Respond (RS)

- Response planning: Response processes and procedures maintained and executed to ensure a timely response.

- Communications: Activities are coordinated with internal and external parties.

- Analysis: Analysis is performed to provide an adequate response.

- Mitigation: Activities are implemented to prevent the expansion of an event, mitigate its effects and eradicate the incident/event. 

- Improvements: Lessons learned are used to improve cybersecurity activities.

Recover (RC)

- Recovery Planning Plan is in place to recover from a disruption in a structured matter.

- Improvements: Lessons learned are extracted from recovery plan tests and real events.

- Communications: Restoration activities are coordinated with internal and external parties.

Next Article: Identify (ID)

The upcoming cybersecurity for startups article will be focused on the Identify category/profile, and I will cover the various subcategories further in-depth.

I aim to release a blog twice a week to help guide you 

If there are any other topics, you would like me to cover then feel free to leave a comment below.

For now, I wish you a lot of growth and success.

155 views1 comment

Recent Posts

See All

SOC 2: What is it and how does the process look like

What is SOC2 compliance? In today's digital age, data security is of utmost importance. How can businesses ensure that they are protecting their customers' information? The answer lies in SOC 2 compli

bottom of page