Early-stage fintech startups have a lot of things they’re trying to figure out. Cybersecurity may not be high among their priorities, but they’ll have to address it eventually. And the sooner the better, said Orus Dearman and Jake Johnson, business consultants with the accounting firm of Grant Thornton, speaking at the most recent Ynext Incubator bootcamp. The risk of a data breach has reached record levels, Dearman told the attendees. Institutions are falling prey to sophisticated schemes like Shellshock, which exploits Unix Bash vulnerabilities to take control of computer systems, or ransomware, in which an attacker steals or blocks access to a victim’s data and demands a payment for its return. (The FBI is advising victims to just pay up, Dearman said.)
With each breach comes a high cost of remediation and a high risk of litigation, in addition to the damage and losses caused by the breach. If your company’s business plan calls for handling sensitive customer information or processing financial transactions, then customers, regulators and even early-stage investors are going to ask what you’re doing to protect your data. And you’ll need to have an answer.
Of course, startups are often cash-strapped and have to pace their spending. Few have the resources for a full-blown security audit. Nonetheless, Dearman said, there are measures young companies can take now that will fit within their budgets, and they can build their defenses out gradually as they grow. A cybersecurity strategy starts with a plan. Dearman and Johnson characterized the following initial approach as a best practice:
- Data mapping/classification: First, figure out which data has to be protected and where it is going to reside.
- Conduct a vendor assessment: You will need to account for data held by business partners, vendors and other third parties. What kinds of controls do they have?
- Create a risk profile: How vulnerable are your systems? The best way to find out is often to hire someone to attempt to hack them. Penetration testing is a basic best practice that shouldn’t break the budget.
- Create an incident response (IR) team and plan of action: Assign responsibilities and determine who does what when an incident occurs. Test your IR response plan at least quarterly.
Other suggestions for entrepreneurs:
- Take advantage of published security frameworks, such as the NIST framework or SANS critical security controls, which can be found online.
- Know which regulations or regulatory bodies affect your business. Organizations such as FINRA will have security guidelines specific to their requirements.
- If your business involves payment card transactions, the Payment Card Institute (PCI) Security Standards Council has a website that includes security guidelines, approved vendors, products and more.
- If you are using a web services or cloud provider to house your data, find out what security measures they are taking.
- Encourage staff to be vigilant for system anomalies. At a more basic level, train staff to look out for suspicious email or IP addresses that may be signals of “phishing” –hackers impersonating someone in authority in an attempt to get staff to divulge access credentials.
Don’t think it could never happen to you, Dearman and Johnson said, or that you may escape notice of hackers because you’re not a big company. “It’s not a question of if, but when.”