Being a founder is overwhelming. The pressures arrive from all directions: raising capital, attracting customers, recruiting employees, nurturing company culture, and more. An especially unwelcome pressure is the evolving challenge of achieving strong cybersecurity. Unfortunately, it’s an area where very few founders have prior experience, and also an area where virtually no startups make a dedicated hire. In this post, we’ll talk about how to navigate cybersecurity challenges like a pro, even without the experience or the staff.
Setting the Stage
Security is a team sport. Founders should assume that every member of their team will, at one point or another, be on the receiving end of phishing emails. Every team member will also, at some point, find out that an account they hold on a third-party site is part of a data breach. And every team member will find themselves doing at least some work from a less-than-professional home or vacation network with questionable router settings. These are just a few of the realities that founders need to come to terms with in order to set the stage for involving the team positively in cybersecurity efforts.
So, how should founders set the stage for involving the team? It’s easier than it sounds: tell them, in your own words and in your authentic voice, that security is a team sport and that you’ll be asking for their help. Bonus points if you open up about the last couple of times you’ve worried about a cybersecurity challenge that had the potential to be a big problem for the company. Extra bonus points if you open up about how you worried that a simple cybersecurity mistake could put at risk all the great work the team has done together. Your authentic voice is crucial here; employees at founder-led businesses can sniff out corporate-speak from a mile away.
The Opening Act
We know many founders who are so obsessive about advancing their business that it’s very difficult for them to pour anything less than 110% into the challenge at hand. However, if there is one thing more important than getting started on a path to stronger cybersecurity, it’s that the path needs to be treated as a marathon, not a sprint. Because attacks evolve, the protective measures will evolve too, and you’ll need your team’s involvement from time to time over the life of the company. So you can’t “wear them out” in week #1 by doling out a hundred-and-one action items. Here’s what we’ve found works well for most founders as their opening act for involving their team:
- Implement Online / On-Demand Security Training: whatever you do, please don’t ask your team to gather for a PowerPoint presentation with a guest speaker or an internal presenter. That feels just as fun as a “mandatory” makeup session for poor attendance in a calculus class. Your team deserves a link to a 10-20 minute modern online training that walks them through believable, relevant examples of cybersecurity risks and mitigations.
- Launch Phishing Simulations: you’ll love this one. Your team’s action item is… to do exactly nothing. Literally. When you arrange for a phishing simulation (preferably one that is contextually relevant to your team), you are evaluating the extent to which employees are misled into clicking an illegitimate link. Measure your team’s click-through rate (and, if the tool supports it, how many people reported the email), and you’ll have a good sense of how savvy they are at identifying and avoiding phishing emails. Treat the first result as a baseline to improve on, not a reason to single anyone out.
- Get a Business-Grade Password Manager: startup life is hard, and employees and contractors come and go as their interests and abilities (and the company’s focus) evolve. One of the most nerve-racking moments for founders is when an employee departs and the remaining team is left picking up the pieces, trying to figure out which systems and tools the employee had access to and relied on for business-critical processes. A password manager with vault-transfer rights upon employee termination is a great way to bring order to the chaos of the shadow IT systems each employee relies on. And back-end usage metrics can give a founder a clue about which employees are or aren’t “really using” the password manager, in case a friendly nudge is in order.
It’d be hard for an employee of any organization to argue against these three tasks. We all know, at least conceptually, that we benefit from training. We can’t complain about being the passive recipient of a phishing simulation. And where else are we going to store our passwords… on a Post-it note? We find that these three activities are a great way to set the tone that security is a team sport, in a way that isn’t overbearing or time consuming.
The Main Act
How can founders move on to involving the team in more advanced cybersecurity efforts? An approach that we’ve seen work very well is to establish a mission toward a business-relevant destination. It might be a need to fill out an enterprise security questionnaire that arrived from a prospect. It might be a desire to achieve SOC 2 Type II as a signal of business maturity. It might be a regulatory obligation to demonstrate compliance with HIPAA, the FTC Safeguards Rule, or GDPR.
Whatever it is, make your first “main act” one that has a very explainable destination. Share with the team what it would mean to the future of the company to land that big customer, or to achieve regulatory compliance, or to be able to tout SOC 2 Type II compliance in marketing materials.
The content of your main act depends on, well, what the main act is. However, here are some common threads that we see in many “main acts” where founder-led businesses have wisely chosen a mission that the team can relate to.
- Realistic Policies: brief, readable policies. Ones that employees actually believe they can follow. Not ones that immediately scream “this is just for show,” but ones that pass the sniff test of an employee who wants to participate without disrupting their entire work life. Pay special attention to the topic of BYOD (bring your own device) and make sure the policy squares with reality, if you’d like to keep your credibility with your team.
- Endpoint Protection: some level of business-grade endpoint protection with back-end reporting, so you can see which machines are covered and which are not. Preferably a package that includes malicious traffic (DNS/web) filtering, now that many employees are browsing the web through consumer-grade routers.
- Web Vulnerability Scans: recurring scans that identify vulnerabilities in the company’s web properties and come with some advice about remediation. Re-run the scan after each fix to confirm the finding is actually closed, rather than assuming it is.
- Device Management: it’s important to be able to answer the question “what if an employee’s laptop gets lost?” without simply hoping for the best. A good start is the ability to enforce full-disk encryption (FileVault, BitLocker, or LUKS) and, preferably, a way to remotely lock or wipe a laptop if that’s ever needed. That combination provides tremendous comfort in most “lost laptop” scenarios, with one caveat: disk encryption only protects data when the machine is powered off or locked, so pair it with a strong login password and a short auto-lock timeout.
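The “lost laptop” control above only helps if you can verify that full-disk encryption is actually on for every machine, which is what an MDM’s back-end reporting gives you. As an added example (our own illustration, not code from the original post or from any vendor mentioned in it), here is a small Python script that classifies the output of each platform’s native status command and lists the non-compliant hosts. The command outputs embedded below are constructed approximations of what `fdesetup status` (macOS), `manage-bde -status C:` (Windows), and `lsblk -o NAME,TYPE,MOUNTPOINT` (Linux) print, and the hostnames are invented.

```python
"""Classify full-disk-encryption state from native OS status-command output.

Added example: parses text from fdesetup (macOS), manage-bde (Windows) and
lsblk (Linux) and reports which hosts are not fully protected. The sample
outputs and hostnames below are constructed, not captured from a real fleet.
"""
import re


def macos_fde_on(output: str) -> bool:
    """True when `fdesetup status` reports FileVault as On.

    Deferred enablement (encryption scheduled for the next login) still prints
    'FileVault is Off.' so it correctly counts as not protected yet.
    """
    return re.search(r"^FileVault is On\.", output.strip(), re.M) is not None


def windows_fde_on(output: str) -> bool:
    """True when manage-bde reports the volume fully encrypted AND protection on.

    BitLocker can be fully encrypted yet suspended ('Protection Off'), e.g. during
    a firmware update; a suspended volume is readable without the key.
    """
    conv = re.search(r"Conversion Status:\s*(.+)", output)
    prot = re.search(r"Protection Status:\s*(.+)", output)
    if not conv or not prot:
        return False
    return (conv.group(1).strip() == "Fully Encrypted"
            and prot.group(1).strip() == "Protection On")


def linux_fde_on(output: str, mountpoint: str = "/") -> bool:
    """True when the block device mounted at `mountpoint` is a dm-crypt mapping."""
    for line in output.splitlines()[1:]:          # skip the NAME TYPE MOUNTPOINT header
        parts = line.split()
        if len(parts) >= 3 and parts[-1] == mountpoint:
            return parts[-2] == "crypt"           # TYPE column is second from the end
    return False


PARSERS = {"macos": macos_fde_on, "windows": windows_fde_on, "linux": linux_fde_on}


def fde_report(inventory):
    """inventory: iterable of (hostname, os_name, command_output) -> {hostname: bool}."""
    return {host: PARSERS[os_name](out) for host, os_name, out in inventory}


def noncompliant(inventory):
    """Sorted hostnames whose disk is not fully encrypted and protected."""
    return sorted(host for host, ok in fde_report(inventory).items() if not ok)


# --- constructed sample outputs (approximations of the real tools' text) ---
WIN_OK = """Volume C: [OS]
[OS Volume]

    Size:                 237.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
"""
WIN_SUSPENDED = WIN_OK.replace("Protection On", "Protection Off")

LINUX_OK = """NAME          TYPE  MOUNTPOINT
nvme0n1       disk
├─nvme0n1p1   part  /boot/efi
├─nvme0n1p2   part  /boot
└─nvme0n1p3   part
  └─cryptroot crypt /
"""
LINUX_PLAIN = """NAME   TYPE MOUNTPOINT
sda    disk
├─sda1 part /boot/efi
└─sda2 part /
"""

SAMPLE_INVENTORY = [
    ("mac-01", "macos", "FileVault is On.\n"),
    ("mac-02", "macos", "FileVault is Off.\nDeferred enablement appears to be active for user 'alice'.\n"),
    ("win-01", "windows", WIN_OK),
    ("win-02", "windows", WIN_SUSPENDED),
    ("lin-01", "linux", LINUX_OK),
    ("lin-02", "linux", LINUX_PLAIN),
]

if __name__ == "__main__":
    for host, ok in fde_report(SAMPLE_INVENTORY).items():
        print(f"{host}: {'encrypted' if ok else 'NOT PROTECTED'}")
    print("follow up with:", ", ".join(noncompliant(SAMPLE_INVENTORY)))
```

In practice the command outputs would be collected by your MDM or a scheduled job rather than pasted in. The Windows “Protection Off” case is the one people miss: the disk is fully encrypted, but BitLocker is suspended and the data is readable, so it is reported as non-compliant.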
Gathering Feedback about Policies and Tools
Here’s where founders have an exceptional ability to “get real” in a way that some larger organizations repeatedly fail to do. Because founders often know every employee and don’t tend to have an org chart that is ten levels deep, they can reach out directly to an individual contributor and ask for feedback.
Guess what: we’ve got some very specific opinions about what type of feedback to ask for. Ask whether the policies you rolled out came with the tools the employee needs in order to follow them conveniently. Asking this one question is absolutely crucial. It comes at a fork in the road where employees will either believe that the company’s security policies are real, or conclude that the policies are only there for show. Make it safe to answer honestly. Reiterate that you want unvarnished feedback. And then act on it if the policies and tools turn out to be misaligned.
When founders take on the pressures of cybersecurity by involving their team, having a time-efficient opening act, and expressing a relatable mission for their main act, they build a culture of security. And that culture is reinforced by a feedback process that genuinely seeks to resolve any mismatch between policies and tools. Need a hand with any of the above? Havoc Shield specializes in small business cybersecurity, and as a friend of the TechNexus community, is available for anything from casual advice to full security program implementation.