
Security Response Plans for Startups
Some of you may remember 2017’s WannaCry and NotPetya cyber attacks. I was working with one of WPP’s many subsidiary companies at the time. All employees were barred from using their computers for over 48 hours.
Now, imagine you are a startup who gets hit by any kind of cyber attack or security breach. WPP had teams of people ready to address issues like these, yet WPP still ended up suffering major productivity and financial losses. Security is important; however, when your company is on the leaner side, security can often be at the back of a long to-do list.
Breaches and other cyber attacks on your company will reduce your customer count, revenue, reputation, and perhaps even the value of your intellectual property. For a big firm like WPP that is ready, this is just a bump in the road. For a startup, not having a proper plan in place can mean going out of business. The following is an introduction to how startups and early-stage companies can protect themselves without massive amounts of resources. Having a proper plan in place with a protocol to follow when ‘shit hits the fan’ will make the difference in keeping your company afloat. Furthermore, it will reduce the likelihood of a breach in the first place while allowing you to articulate to your clients that they should trust you over your competition.
1. The right security for early-stage companies: a protocol.
Although it’s very normal that startups spend little time thinking about data breach responses, developing a plan can make all the difference. Even if you put the necessary protection in place to secure your infrastructure, having a response ready for when that protection fails is the first key to surviving such an incident. The main problem with not having a preset protocol is a matter of timeliness. When a breach happens, you don’t have the luxury of time. Therefore, you will not have the time needed to craft a response from scratch or to get the necessary actors in place before it is too late.
2. The right protocol extends beyond run-of-the-mill security incidents.
If you have enough valuable intellectual property, a growing customer base, and therefore accruing amounts of customer data, chances are that you have already started dealing with security hazards on a regular basis. For smaller breaches without large repercussions, in-house remedies are probably enough. That said, what do you do when you are not dealing with a minor security incident, but an actual breach where all of your users’ data has been compromised? Or you can’t fulfill any of your functions because all your systems are down? Don’t assume that because you are a startup you have little to lose. On the contrary, you stand to lose your entire business.
3. Planning for the worst.
Do you know your legal requirements when a breach occurs? Do you need to report the breach to authorities? How quickly must you act? The first step is knowing what data you have on hand and what consequences your users may face if such data were to be compromised.
Your response will depend on how many users were impacted, what country they reside in, the type of data, etc. However, in order to make the proper judgement without delay you need to understand your data and the consequences if a data breach occurred.
The first major piece of advice is to ask for help. It would not be practical for a lean company to have everything it needs to deal with such a situation in-house. You want the following in place before anything happens:
- Cyber Liability Insurance
- Legal Counsel
- A PR (Public Relations) firm
- An IR (Incident Response) firm
Getting these vendors under contract before an incident occurs means you have instant access to them should the need arise. You will quickly realize you need their expertise once a data breach happens; however, getting access to their services means negotiating contracts, and this can be time-consuming. This is why we highly recommend getting these in place as soon as possible – we promise you, it’s worth it!
4. Let’s talk costs
Lawyers are expensive, but that’s the way it is. Build a relationship with one who has experience with security breaches. You’ll want to sign a contract to keep the lawyer on retainer. If shit doesn’t hit the fan, great, then just think of it as insurance. Furthermore, it should cost little upfront considering the lawyer only has to work if an incident actually occurs.
You want a PR firm that can specifically deal with data breaches and has experience doing so. When the data breach occurs, you want to know what to say and what not to say to the public without any fear of needing to make corrections. The right PR firm will go the distance in mitigating any potential damage to your company’s reputation. Here again, get them on retainer. This allows you to pay little to no upfront costs but guarantees you have access to their expertise if something actually does occur.
The IR team is necessary because you need to guarantee you can solve the problem that led to the breach. This entails having access to technical expertise in digital forensics. You need to be 100% sure you solved the issue, and having the necessary in-house expertise to guarantee that is rare (and expensive!). Furthermore, having experts with proven track records when dealing with the problem lets you demonstrate to your customers that you are dealing with the problem correctly. This can go a long way to maintaining trust between you and the customer despite their data being breached. Again, you want a firm on retainer.
It may be worth looking into a larger firm when it comes to IR or PR firms since they are more likely to have a greater number of people on staff ready to help. The other advantage is that they are more likely to have international experience, which could easily come into play if you have users situated in foreign countries.
With regards to insurance, this is just a matter of being covered for any liabilities. You want to find the right policy that makes sense for your company, its risks, and its future potential. I recommend first finding a knowledgeable broker and asking around to see which companies are considered appropriate for your kind of business. Insurance should be one of your first steps since your insurance may cover the other vendors you need to hire in the event of an incident. These insurance companies are likely to have a list of approved vendors, and getting a vendor who will be covered by your insurance is the first step to making sure an incident costs you significantly less than it could.
5. The Breakdown
A quick review of the steps you should go through:
- Think about security and understand what a breach or cyber attack could mean for your business.
- Come up with a response plan. Run through a couple of hypothetical scenarios for potential breaches.
- Get insurance.
- Get a lawyer on retainer.
- Get a PR firm on retainer.
- Get an IR firm on retainer.
- As your business grows, make sure to review your contracts and insurance plans to keep them up to date.
Have your data breach response plan in place? About to put one in place? Reach out and let us know your thoughts or if you have any questions – <hello@oauth.io> or message us on our live chat 🙂