When Cyber-Risk Becomes A Legal Nightmare

Startups start up with, to quote an old salesman, a bit of shoeshine and a smile. And killer apps, perhaps. But risk lurks in all corners – especially security risks, which can sink a firm’s prospects in one fell hack.

In an interview with PYMNTS, two Crowe Horwath executives, Lucas Morris, senior manager, and Mike Neal, HCISPP, CRISC, a risk consulting manager with the Crowe Horwath cybersecurity consulting group, delved into the ways a startup (and even a well-established firm) should look at cybersecurity. Baselines are important, and growing beyond that baseline with speed and thoughtfulness are even more important.

Addressing the concept of “rules of thumb” that address budgeting for cybersecurity, Neal said baseline cybersecurity concerns are different for more established firms than for companies that are just getting off the ground. In the case of the latter, younger companies, Neal said, “don’t have legacy applications” or vulnerabilities that have been in place for a decade. But regardless of the size of the firm, he continued, there are similar starting points, namely compliance requirements handed down from various regulatory bodies.

Compliance mandates, Neal said, can help shape a framework that can develop with the firm as it begins to mature operationally. Some determining factors can affect the framework, including the organization’s vertical and how fast the company is growing, “but the end goal is the same,” he said.

Neal said Crowe Horwath often sees a few bad habits, as clients grapple with the challenges of legacy systems.  He said they may have “no full understanding of where their most sensitive data lives” beyond their most mission-critical systems. “In today’s world, you are talking about mobile devices where data is everywhere, and [firms] may not know where it is. A startup can catalog and inventory that stuff up front,” and then track that over time, but a legacy organization may not have the same capabilities or insight. “There are too many people with administrative credentials, elevated privileges” and no real way to see who is doing what, he told PYMNTS.

In an age where data live everywhere and across all manner of hardware and software, cybersecurity demands different mindsets in the BYOD (bring your own device) age. Said Morris, “One of the things that we see, especially in the startup space … is that we see people using personal apps, personal equipment, personal hardware, just by the nature of funding and the passion that they have for these projects. One of the absolute critical things,” he said, is to make sure that “data is appropriately retained by the organization and that it is appropriately owned.”

Thus, succession planning is key, as a firm may not own a piece of hardware when someone leaves and may not be able to get a piece of data back without rules in place governing that data’s placement and storage. The cloud is a benefit here, said Morris, as it allows for a centralized, safe repository of data easily accessible to the firm, which can also control who can interact with that data.

Levels of protection should be geared toward the operational state of the startup as well, Morris said. If the firm is still testing products and services before they go live, that requires a different level of security-mindfulness than would a firm that is out in the field taking payments, where PCI compliance would be critically important.

But most startups do not hire cyber expertise right off the bat, said Neal. Instead, “They try to find good business partners who have that expertise already” and who can help those smaller, newer firms embrace cybersecurity processes in “digestible points.” The competition for security talent is difficult enough, he said, and in the midst of that competitive hustling, startups must be careful about how they allocate their funding, so partnerships in a tight budgetary environment make sense. The concentration on getting products ready to ship is so intense that, “I’ve actually heard some say, ‘We’ll worry about cybersecurity later,’ and that consistently gets pushed back and kicked that can down the road.”

Right off the bat as a firm starts operations, one of the biggest risks and red flags in cybersecurity – even unwittingly – said Neal, lies with people. Education is important, he told PYMNTS, as employees “need to be schooled in what phishing attacks look like,” as for example, many of the ransomware attacks that have dominated recent headlines were tied to phishing. “That kind of education, even to a small group, and one that hasn’t formed bad habits,” he said, “is a valuable tool” in warding off fraud. As Morris elaborated, a single “person wears many hats in the startup space. From there, what we need to make sure of is that someone is configuring Amazon Web Services, they have security in back of their mind. If someone is writing code, they have security in the back of their mind … it becomes more of situation of continual improvement.” So in the end, education is a first step, but it is also a continuous process.

Along with education, consistent documentation of security practice, with focus on security of data and the location of data remains a best practice, Neal said. Policies and procedures help guide the organization regardless of staffing turnover or expansions, governing such issues as hardware, passwords, which data reside on which devices and testing protocols.

Testing can be of special interest to technology-oriented firms as they seek to ensure that not only are their security protocols robust internally, but their own wares also have strong security measures in place. Testing can embrace static code analysis, said Morris, and “a software development lifecycle needs to include security” in the mix.

“The regulatory space doesn’t really care if you are a startup or if you are a company that has been well established for 150 years,” Neal says. Regulators, he said, consider it imperative for all entities to demonstrate that they are operating in good faith with the spirit and letter of compliance dictums. Against that backdrop, firms must be careful not to overcommit themselves with compliance efforts. Neal said that he has worked with firms that commit to policies and procedures, go through an audit and then are found lacking in compliance follow through. “That opens up a can of worms … that states, ‘OK, if you were misstating your controls in this particular area, then where else are you misstating controls?’ And then [regulators] get a lot deeper into your business.”

Cyber insurance may be gaining more attention from professionals and certainly in the press, as the Crowe Horwath duo stated, with interest as Morris noted coming from “very small to very large organizations.” But the premium/coverage tradeoff, as it comes in a wide range, is one that needs to be considered, he said. “It’s certainly worth it for people to keep [cyber-insurance] in their toolbelt,” said Morris, “as they approach the various risks that they see.”

Think security remains solely an internal issue? Think again, and think supply chain. As Morris said, when stepping back and looking across “third and fourth and fifth parties, I think there are a couple of things to consider. First, it is going to be absolutely critical that you have policies and procedures in place so that you have a baseline that you can share [and measure partners against]. You’ve got to make sure you hold yourself accountable before holding others accountable. From there more mature organizations will look at doing entire management programs.” For a startup, proactivity is going to be much more about what data they are sending, who they are sending it to and how that data is being used. Cloud technology makes it possible to be proactive, he said, if a firm is unfamiliar with a vendor – the company sending data can choose to encrypt it, which can help take care of any vulnerabilities not readily apparent at the other end.

That robust data security becomes important once firms start sending and accepting payment information, Morris said. “The absolute critical first piece is looking at PCI compliance.” In the absence of stringent compliance here, he noted, there are strong chances for fines to be levied even as firms place themselves in harm’s way operationally … there is also a lot of reputational risk.”

Summed Neal, “Don’t fall into the trap in thinking … ’I’ve met compliance [requirements] now because I have these controls’ and then getting too focused on other parts of the business.” Cybersecurity, he said. “is a continuous process that has to be living within the organization, and it is not something that belongs only to one person. You’ve got to create that culture of security, of compliance.”