Security is an ever-present constant for any business. Although often underrated, it can pose a relentless danger to an organisation, whether the threats originate inside the business or outside it. So how should startups go about managing this vital component of their business?
Security should permeate the entire environment embracing the people, processes and systems
There is no conclusive answer to managing security, but one thing is certain: it is not an isolated issue, but something that affects a company's people, processes and systems. Any security policy therefore needs to integrate each of these elements and undergo regular review so that it remains relevant to industry trends and compliance requirements alike.
According to Gartner, “enterprises should consider the overall set of security functions and controls that permeate the entire environment that will be running trusted transactions.” The analyst firm contends that “vulnerabilities can be exploited, mostly by insiders to create business threats at the transaction level.” Security goes beyond the bits and bytes of network traffic, requiring a new way of thinking about those transactions that can cause anything from financial losses, to HR breaches, to compliance failures. Today, with increasingly integrated systems and a growing number of authorised users, and entry points beyond the traditional IT security boundary, companies are required to trust not only their own staff, but also the employees and perimeter security of their supply chain partners.
For many startups, business necessities (e.g. cash flow) dominate their concerns, and only basic business practices remain the core focus; with limited resources, the need to comply with any required standards is often managed reactively. The bare minimum of planning goes into security, and questions such as who has access to which information, and what is acceptable when it comes to sharing it within the business, are rarely considered, let alone used to justify the need for policies or the seemingly excessive cost of systems to enforce them.
Managing data for better security
As a startup evolves into a more mature state, so do the complexities associated with running and securing it. Teams develop with assigned responsibilities and accountability. Technology begins to support the business processes and is not just there for the ‘sake of it.’ More sophisticated business processes develop, and data becomes an integral tool in the evaluation and improvements of these processes.
Data collection becomes less ad hoc and through a more managed approach it is systematically shared across all projects. As the relationship between people, processes and technology becomes more predictable and systems consolidate, data is then utilised to analyse and stabilise processes within the company.
Security systems need to address both the higher strategic level as well as the operational ground level
There is no doubt that the growth and maturity of a business brings with it a myriad of issues, spanning regulatory governance and risk to name just two, and a startup is required to react to and plan for these complexities.
Knowing where the data is, which server it is on, who is storing information on which devices, and who has access to this data is imperative, along with policies to manage data and infrastructure security. Knowing whether access is restricted to certain individuals, or tiered according to levels within the business, is of equal importance. Then again, some companies err on the 'over complicated' side of the continuum when it comes to securing data, providing such limited views of customer information that an employee's ability to perform in their role is hampered.
At the operational level, a startup needs to address the impact that specific issues such as rapidly growing BYOD (bring your own device) policies, the segregation of duties, and employee exit policies have on security.
When considering BYOD, there is no definitive approach to managing it, but a startup should be focused on securing its data, performing a fine balancing act that does not obstruct people from doing their jobs to maximum effect.
Looking at the issue of SoD (segregation of duties): are there systems in place to ensure seamless monitoring of who does what, so that the auditing process is as straightforward as possible? Consider the role of an Accounts Payable Clerk, for example. Is this individual able to perform his or her role without limitations? Being able to raise a PO is one thing, but does someone else need to authorise the payment, or do electronic signatures suffice?
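The tiered access described above and the Accounts Payable maker-checker question can both be enforced in code rather than left to policy documents. The following is an added example, not code from the original article: the roles, users, purchase orders and helper names (`PaymentSystem`, `approve_payment`, `PERMISSIONS`) are hypothetical. It grants actions by role tier, blocks the person who raised a PO from approving its payment even when their role would otherwise allow it, and writes every decision to an audit trail so that "who did what" is answerable.

```python
"""Maker-checker (segregation of duties) and tiered access for a payment workflow.

Added example, not from the original article. Roles, users and helper
names are hypothetical and chosen only to illustrate the Accounts Payable
scenario: the clerk who raises a purchase order must not be the one who
approves its payment, and approval is limited to roles entitled to it.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical role tiers: which actions each role may perform.
PERMISSIONS: Dict[str, set] = {
    "ap_clerk":   {"create_po", "view_po"},
    "ap_manager": {"create_po", "view_po", "approve_payment"},
    "auditor":    {"view_po", "view_audit"},
}


class SoDViolation(Exception):
    """Raised when one identity would both make and check a transaction."""


class PermissionDenied(Exception):
    """Raised when the actor's role does not permit the action."""


@dataclass
class PurchaseOrder:
    po_id: str
    amount: float
    created_by: str
    approved_by: Optional[str] = None


@dataclass
class PaymentSystem:
    users: Dict[str, str]                       # user -> role (one role per user, assumed)
    orders: Dict[str, PurchaseOrder] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def _authorise(self, user: str, action: str) -> None:
        """Tiered access check: the role must explicitly include the action."""
        role = self.users.get(user)
        if role is None or action not in PERMISSIONS.get(role, set()):
            self.audit_log.append(f"DENY {user} {action}")
            raise PermissionDenied(f"{user} ({role}) may not {action}")

    def create_po(self, user: str, po_id: str, amount: float) -> PurchaseOrder:
        self._authorise(user, "create_po")
        po = PurchaseOrder(po_id, amount, created_by=user)
        self.orders[po_id] = po
        self.audit_log.append(f"CREATE {po_id} by {user} amount={amount}")
        return po

    def approve_payment(self, user: str, po_id: str) -> PurchaseOrder:
        self._authorise(user, "approve_payment")
        po = self.orders[po_id]
        # Segregation of duties: the maker can never be the checker,
        # even if the role tier alone would allow approval.
        if po.created_by == user:
            self.audit_log.append(f"SOD_VIOLATION {po_id} {user} tried to self-approve")
            raise SoDViolation(f"{user} created {po_id} and cannot approve it")
        if po.approved_by is not None:
            raise ValueError(f"{po_id} already approved by {po.approved_by}")
        po.approved_by = user
        self.audit_log.append(f"APPROVE {po_id} by {user}")
        return po


def demo() -> PaymentSystem:
    """Run the scenario from the article on constructed users and return the system."""
    system = PaymentSystem(users={"alice": "ap_clerk", "bob": "ap_manager", "carol": "ap_manager"})
    system.create_po("alice", "PO-1001", 4500.0)
    # The clerk's tier does not include approve_payment: denied and logged.
    try:
        system.approve_payment("alice", "PO-1001")
    except PermissionDenied:
        pass
    # A manager who raised a PO is still blocked from approving that same PO.
    system.create_po("bob", "PO-1002", 12000.0)
    try:
        system.approve_payment("bob", "PO-1002")
    except SoDViolation:
        pass
    # A different manager approves each PO; the audit log records every step.
    system.approve_payment("bob", "PO-1001")
    system.approve_payment("carol", "PO-1002")
    return system


if __name__ == "__main__":
    for line in demo().audit_log:
        print(line)
```

The SoD rule is deliberately checked after the role check and is keyed on the transaction record itself, not on the role: a promotion that grants a former clerk approval rights must not let them approve orders they raised earlier. The audit log is the artefact an auditor would ask for, and denied attempts are logged as well as successes.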
When an employee leaves a startup, what effect will this have on application knowledge? Will there be a loss or erosion of this? Is the transition for a new employee as smooth as possible? Are business processes mapped and key responsibilities allocated?
There are many things a startup needs to keep in mind when considering security. One thing is certain: requirements vary and there is no silver bullet, and particular emphasis should be placed on the fact that security affects a startup's people, processes and systems.