Today, the reality is that Australian start-ups and small business organisations face unprecedented security challenges. According to the 2017 Norton SMB Security Survey, 19% of Australian small businesses have been hit by a cyber attack.
At the same time, Gartner says that in 2016, total external spending on cyber security by Australians and Australian organisations reached A$3.46 billion, and it is estimated that organisations spent a further A$919 million on their internal cyber security functions.
Operating a start-up is already hard enough without having to combat things like ransomware, malware, phishing attacks and more. That’s why it’s so important for start-ups to be prepared to stop or survive the latest threats and vulnerabilities. So where should start-ups focus their attention so they don’t become a statistic? Here are some tips:
Security education is key
While there’s the need to invest in technical security controls, user education plays a critical role in start-up defence. The best educational programs are embedded into a company’s culture. While more established companies may struggle to change the culture and behaviours of existing employees, start-ups have the benefit of defining it early on. By creating a security awareness program immediately, start-ups can make security best practices a core part of employee culture. For example, training employees to spot phishing attacks or outlining how they can handle data safely could prevent future problems.
Worry about the jewels, not the silverware
Many start-ups don’t have the time or money to conduct an official network security evaluation, which can help when designing security policies and implementing strong network defences. Taking time to focus on protecting the data and infrastructure that matters is vital. In the absence of a full security review, it’s important to ask key questions to teams within the organisation to ensure focus is being applied in the correct areas.
For example, your product management team could be working on creating new software. Collaboration is key to the process. How that server or system is being secured should be a priority. On the other hand, marketing is working on some non-sensitive marketing materials. Perhaps they can just use a cloud service to communicate. If the materials are not sensitive, it’s okay to stay nimble.
Look for solutions that empower your employees
Focus on security solutions that cause the least amount of user friction. The most secure multifactor authentication systems might make you enter strong passwords and use a specialised hardware token that generates a one-time code. While this is very secure, it adds tons of friction to the user experience and could be overkill. Another option could be to use a mobile device’s biometric check and the mobile device’s ID together, without having to enter a password (other than the first time). In short, sometimes it’s better to adopt good-enough security that doesn’t slow down your users, instead of making them feel like they’re in the CIA.
Focus on all-in-one solutions to maximise ROI
Antivirus and firewalls are a basic start to security, but in today’s threat-rich environment they’re just not enough. Start-ups should be looking to deploy Unified Threat Management (UTM) solutions that offer a ton of security controls in one simple platform. While these solutions may not always be a perfect fit for massive enterprises with different technology and security owners, they’re perfect for small- and medium-sized organisations or a distributed enterprise. All of the needed security services are consolidated in a single appliance, helping start-ups simplify deployment and ongoing management.
Have a backup plan
Chances are high that a security incident will occur. The best way to ensure minimal impact on the organisation is to be prepared with a plan. As a start-up, security won’t be perfect. In reality, no organisation has perfect security. But successful companies have disaster recovery/business continuity plans. If a security incident does occur, having a plan is key. For example, maintain up-to-date backups of important data, and keep those backups offline where ransomware can’t reach them. Then, test backups regularly to confirm recovery procedures work. Finally, plan the response in the event of a disaster – like a fire destroying your critical systems. Prior preparation could be the difference between picking up the pieces and shutting your doors.
About the Author:
David Higgins was appointed WatchGuard Technologies’ ANZ Country Manager in 2014 and is responsible for managing the company’s market presence in Australia and New Zealand, overseeing new revenue opportunities, and managing local customer and partner relationships. He has more than 30 years’ experience in the IT industry in both direct sales and channel development for organisations including Trend Micro, Sophos, 3Com, ASK Solutions, Tech Pacific Australia and NEC Australia.