Co-authored with Cyrius, a collaborative platform against internal threats. Promotion EDHEC Entrepreneurs S21 - Future 40 Station F (2022)
What is at stake?
Why is it important?
Startups enjoy significant media exposure (...) with press articles, constant communication, and extensively covered fundraising activities. Speaking of fundraising, it involves financial resources, which could attract potential ransoms or means of blackmail. If I were a hacker, Crunchbase would be my CRM!
Achille Morin Lemoine, CEO of Cyrius
Cybersecurity is a crucial concern for startups, offering the following benefits:
➡️ Mitigating Increasing Risks: Cyber attacks are on the rise each year, and these threats can jeopardise a startup's survival.
In practice, a startup's most valuable asset is its data, and accessing this data has become easier. The leakage of such data can have dramatic consequences for stakeholders and the startup's operations, as seen in the sudden halt of operations for myNurse (TechCrunch, 2022).
➡️ Gaining Competitive Advantage: A strong security posture can be a competitive edge, and VC funds are increasingly evaluating the cybersecurity maturity of their investments.
3 key steps to take action
1️⃣ Educate Yourself and Raise Team Awareness about these Challenges
The risk is very real: more than half of companies (60%) go bankrupt within 18 months following an attack.
To minimise human risk, training the team on security issues is crucial. In particular, teams should be regularly tested through phishing simulations: 91% of attacks start with an email.
2️⃣ Implementing "Best Practices" to Mitigate Risks
A password manager (such as Dashlane or 1Password) ensures the strength of passwords and facilitates sharing credentials among team members (to eliminate identical passwords stored in documents or Slack...).
Single sign-on is the well-known "Sign in with Google" (or other platforms) button. It significantly simplifies the login process as users don't need to create a new set of credentials.
However, the central account through which the entire team connects each time becomes even more sensitive, as it consolidates access to other services. This is why the use of a password manager remains essential.
Multi-Factor Authentication (MFA) reduces the risks of unauthorised access by 99%. This is the system utilised by banking services, which send a notification through an alternate channel (SMS, app, etc.) to validate an operation.
It is occasionally perceived as restrictive by teams, so if not set up for all services, it is advisable to enable it for the most critical accounts (for instance, messaging tools). It's worth noting that the majority of tools we use on a daily basis have a Multi-Factor Authentication (MFA) system that can be activated in the settings.
3️⃣ Formalising these best practices in an IT charter
⚖️ The IT charter is a legal document that outlines the specific usage guidelines for internal IT resources (information systems) within a company.
It specifies the tools that employees must use and details the proper usage of these tools.
The charter is provided to every employee upon their entry to the company and is attached to the internal regulations. It serves to establish a culture of security internally from the moment employees join the company.
📚 Resources and further reading
📖 The Startup Security 101: 10 Key Actions (Cyrius)
📝 Data Security Policy Template (Apiday)
Data Security Policy Template (Apiday) - English 🇬🇧
📝 IT Charter Template (Coover)
✍️ They contributed to the writing of this document
Cyrius specialises in human risk management in cybersecurity through a platform that ensures the security of employees from their entry into the company until their departure.