Is your startup protected from the many, many threats to its continued existence? The answer probably lies somewhere on the spectrum from “yes” to “no,” but it’s unlikely to be a declarative version of either. That’s because most startups take some steps to protect their enterprises from well-known cyberthreats while leaving themselves vulnerable to others. And, of course, few startups are so careless as to make no effort at cyberthreat protection at all.
Regardless of where your startup lies on the protection spectrum, the start of a new year is an ideal time to take stock of its position and begin thinking about measures to take over the coming 12 months. There’s no time like the present, after all, especially when the present hears the clock striking midnight on New Year’s Eve.
This is no small task, to be sure. The threats that your startup almost certainly faces in the year ahead take a variety of scary digital forms that most of us can scarcely comprehend: worms, trojans, ransomware, and all the rest. Other electronic threats loom as well, including “insider threats” posed by disgruntled employees and email-based attacks by which faceless criminals steal your login credentials.
There’s more. Your startup faces financial risks, both acute (such as theft and bank security failures) and secular (such as unanticipated risks posed by a worsening business climate), as well as legal and even physical risks. All demand your attention in some way or another, even if achieving total and complete protection is not possible.
Because your time is valuable, we won’t waste it exploring every possible threat to your startup in the coming year. We’ll cut straight to the chase with a list of nearly 20 cyberthreat protection measures that you and your team should take in 2021 to protect your business, its secrets, its employees, and all who entrust it with their personal information.
- Invest in Hybrid Cloud Storage Solutions
Your top priority this year should be to invest in a hybrid cloud storage solution that’s both economical enough for a smaller enterprise and flexible enough to accommodate a growing startup.
This solution should ideally be part of a hybrid cloud service that uses established relationships with trusted incumbents like Google Cloud Platform, Microsoft Azure, and Amazon Web Services (AWS) to provide the optimal balance of quick-restore capabilities and economical storage of noncritical data. Before making your choice, be sure to compare each finalist against the others; solutions that appear excellent in isolation often fail to hold up when compared against other best-in-class options.
- Put a Disaster Recovery Plan in Place
Your hybrid cloud storage solution is likely to be just one piece of a broader disaster recovery plan for your business. This disaster recovery plan needs to anticipate a range of potential threats and situations, from relatively likely eventualities to lower-likelihood events that could nevertheless pose an existential threat to your business. These might include:
- Natural disasters, such as windstorms and earthquakes
- Manmade or hybrid disasters such as fire or water damage
- Physical breaches of company property (including theft of company devices)
- Extended power failures that compromise your access to data
- Malware attacks, such as ransomware, that render your data inaccessible or corrupted
- Long-duration disasters that threaten business continuity, such as a pandemic (which you no doubt have recent experience with)
The details of your disaster recovery plan might vary from situation to situation, but the core “recovery” aspects shouldn’t. Commit those cyberthreat protection details to writing now before it’s too late.
- Identify Your Company’s Physical Vulnerabilities
A “bad thing” doesn’t necessarily have to rise to the level of “disaster” to cause serious problems for your business and possibly threaten its long-term survival. Some of these “bad things,” in turn, may involve your company’s physical assets or property. For example, a poorly secured cubicle, hub, or locker in a coworking space used by you or your contractors could be vulnerable to theft. The implications of this sort of threat are clear enough, as should be the importance of implementing policies or mitigation strategies to reduce its potential impact.
- Invest in Physical Data Protection and Storage
Although your hybrid cloud storage solution should provide a significant degree of redundant data storage and disaster protection, your day-to-day operations will no doubt require localized data storage and access. That, in turn, requires adequate security for the devices and accessories used to achieve it: external hard drives, thumb drives, laptops, mobile devices, and more.
- Upgrade Your Anti-Malware Solution
Can you be sure that the anti-malware program that came pre-installed on your laptop is up to the task of protecting your company’s crown jewels?
Let’s be frank: It’s probably not. That’s why it came pre-installed, free of charge.
Your company deserves a better solution, and one of your top priorities in the coming year should be to procure it. It’s no secret that there’s a great deal of competition and choice in the world of anti-malware solutions, so you should commit a significant amount of time and resources (possibly more than just you alone can bring to bear) to getting this decision right.
- Use a Virtual Private Network or Other Proxy Solution That Actually Defends Your System
Another crucial layer of digital protection is a virtual private network, or VPN, that encrypts your company’s digital data traffic and (if desired) obscures its precise or general location. A VPN is an effective means of deterring “man in the middle” (MITM) attacks over insecure networks, such as open or public ones you might connect to in a hotel or coffee shop. This protection isn’t perfect or total, but it’s much better than doing nothing.
- Get a Secure Password Manager
Sound password practices demand unique, frequently changed credentials for every single account you use, with no exceptions. Remembering all those passwords is virtually impossible for the average person or team, and storing them in such a way that enables access to all creates obvious security risks.
The solution is often a secure password manager that holds credentials in encrypted form for safe access at will. Be aware that the browser-based password security solutions you may already use are not as effective as higher-grade password managers; choose accordingly.
- Use a Secure Email Suite (Preferably Encrypted) for Sensitive Communications
Email is notoriously insecure — convenient, but insecure. When you absolutely must keep conversations private, use a secure (encrypted if at all possible) suite that does better than the Gmails of the world to keep data on the downlow.
- Learn How to Encrypt Files Whether They’re Sent Via Secure Email or Not
This is a sort of “digital survival skill” that every accomplished entrepreneur should have, regardless of their field or level of technical expertise. You’ll feel more capable once you have it under your belt, too.
- Adopt Strict Email Hygiene Standards
Email hygiene is the set of practices that reduces your startup’s vulnerability to email-based attack as well as non-malicious (read: accidental) data loss. It’s absolutely essential that you hold yourself, your employees, your contractors, and any third-party contacts to the same high standards, as all it takes is a single slip-up to cause serious headaches (and perhaps worse) for your organization.
- Never Give Out Your Passwords, Ever
This sounds obvious enough, but you’d be surprised. Even if you’d trust the person with whom you’d like to share a password with your life, you should refrain from giving away your credentials. After all, while their intentions might be pure, they represent another vector of attack — a weak point — that could compromise your organization. As with any bit of sensitive information, fewer people in the know is usually better.
- Run Background Checks on Potential Employees and Contractors
Don’t apologize for this — you’re only doing your due diligence. Anyway, you have to wonder if a would-be employee or contractor who refuses to consent to a background check has something to hide. Be sure to mind the laws in your home jurisdiction, of course.
- Use Cryptocurrency for Transactions You Don’t Want to Be Traced
There’s an entire universe of legitimate reasons you might not want the source or destination of a financial transaction to be known to the wider world. Business confidentiality is your right, as it were. When secrecy (or, more accurately, non-traceability) is of the utmost importance, cryptocurrency is the preferred mode of exchange.
- Procure Business Liability Insurance and Similar Protections As Needed
All it takes to cripple a business financially and potentially destroy its reputation is a single well-targeted, competently executed lawsuit. The longer you do business, the more likely it is that you’ll inadvertently expose yourself to such an eventuality through no fault of your own. If and when this occurs, you’ll want the cyberthreat protection afforded by business liability insurance and any other similar protections used by competing organizations in your field of trade.
- Get a Broader Liability Shield (Such As a Corporate Structure)
On the matter of liability, it’s never too early to invest in a formal corporate structure (such as a limited liability corporation or its equivalent in your home jurisdiction) that provides some separation between your personal and business affairs. Yes, even if your startup is a one-person operation and you have no immediate plans to expand.
- Have a Lawyer or Legal Resource on Call
It’s also never too early to find a competent lawyer to whom you can direct questions of compliance and liability. This person or firm will prove invaluable as more serious or consequential matters arise — matters that your own considerable expertise does not prepare you to address.
- Have an Accountant on Speed Dial Too
The same goes for questions of a financial nature. A bookkeeping software solution is fine for day-to-day use, but you’ll value the chance to speak with a human expert as your finances become more complicated and you expand into jurisdictions with conflicting compliance requirements.
- Avoid “Handshake Agreements” With Contractors, Vendors, and Employees
Finally, get it in writing — always. Even, or perhaps especially, if you trust the counterparty. Your contractors, vendors, employees, and anyone else entering into a relationship with your business should be bound by contractual obligations. That way, in the unfortunate event that the relationship sours, you’ll both be protected.
Is Your Business Protected From the Unknown?
Taking these steps in the coming year will reduce your startup’s exposure to a number of risks that most every business (large or small) faces. Together, they will put your company in a stronger position than competitors who choose, for whatever reason, not to move ahead with this agenda.
It’s important to be realistic about what taking these steps will do for your business, however. None of them is a magic bullet that will by itself reduce your risk to zero. Even if you were to make it a priority to get all 18 done by the end of the year, your startup would still face significant risks from threats that you haven’t yet addressed.
And what if you were to address those threats? Unfortunately, that’s simply not possible.
Not because it’s impossible to address known threats, mind you. That’s what this exercise is about. Rather it’s because the business community and individual entrepreneurs alike simply do not have perfect knowledge about the threat landscape that awaits them in the real world. That threat landscape changes constantly, by the day if not by the hour. We might be able to make educated guesses about the unknown threats that await us, but we can’t truly protect against what we don’t know. Often, we can’t even anticipate it.
This should serve as a sobering reminder, but not a deflating one. It is not cause for giving up all hope. A well-protected business is still a well-protected business, one that’s in far better shape than a business that makes no cyberthreat protection effort (or an inadequate one). Smart leaders know this. Further, they know that the responsibility lies with them to take protective measures that address the risks they can anticipate and mitigate.
Do you want to be like them? You should. And if you’ve read this far, you have a good idea of what types of cyberthreat protection need to happen for that to be so. Now, it’s time to get to work. The year ahead will be a busy one, and no doubt full of risks as well.