Putting Off Cybersecurity Is Putting You at Much Bigger Risk Than You Realize It may seem hard to justify when your company is getting started, but the longer you wait, the more difficult and expensive it gets to protect your business from hackers.
Opinions expressed by Entrepreneur contributors are their own.
Many smaller businesses, especially startups with limited budgets, tend to treat information security as an afterthought, a bell-and-whistle to be added later when funds allow. This attitude may have been justified 20 or 30 years ago, but the modern landscape of cybercrime, data security, and privacy is making that impossible now.
Protecting corporate information, intellectual property, customer data, and physical IT systems is an essential business function for modern companies, small and large. Data breaches are common, expensive, and can harm the reputation of a business for years.
As an entrepreneur in the cybersecurity industry, I know how important it is for young startups to assess their information security situation in the early stages of formation to determine the appropriate proportion of focus and budget to achieve.
Why entrepreneurs put off cybersecurity
The startup world is like the Wild West. It's chaotic, competitive, and often you're doing well just to survive. According to the Kauffman Foundation, about 22 percent of startup companies in the United States fail within their first year. In some states, the first-year failure rate is as high as 37 percent. Whether self-funded or running off venture capital, every penny spent in that first year can be critical to the company's short-term survival.
A startup budget has a different composition than the annual budget of an established company. Often a more significant proportion of a first-year budget goes to initial infrastructure and IT purchases, employee recruiting, advertising campaigns, borrowing costs, and other necessary expenditures. Without a clear sense of when or how much profit will start coming in, budgets are tight, and little is wasted on anything extraneous.
Many entrepreneurs don't view information security as a high priority in their initial startup budget. If it's not considered as an immediate threat or expense, it's easy to address further down the road. A small, unknown company with a limited customer base may not feel like it needs much protection from the hackers lurking in the shadows. But this narrative can come back to bite a young company.
The new age of digital privacy
The problem is getting worse, not better, and it may continue that way for the foreseeable future. Bad actors are taking advantage of new holes in security created by lockdowns and the increases in remote work that have resulted from the Covid-19 pandemic.
One of the reasons it's so difficult to contain cybercrime is that it evolves quickly and adjusts to security measures in unpredictable ways. When the number of malware attacks goes down due to better security and awareness, phishing schemes go up and take their place. When large corporations and government agencies start beefing up their IT infrastructure, hackers turn their attention to smaller, more vulnerable targets.
Depending on the industry and on the nature of each business, annual cybersecurity budgets can vary from as little as 2 percent to as much as 20 percent of a company's overall IT budget. They typically come in between 5 and 10 percent. These proportions are increasing, though, both in overall dollars and as a proportion of budget, as threats evolve. Consumers who become the victims of data breaches are beginning to demand increased security and privacy from the companies they do business with, making information security more important each year.
The costs and risks of waiting
In addition to the increased costs of shoring up systems against attack, the costs of mitigating the aftermath of an IT security breach are on the rise. The price depends on the nature of the breach and the volume of compromised data, but in the worst cases, it can continue to grow for years. In recent years, some larger entities, public and private, have been forced to spend millions of dollars for incident response activities after major cyber attacks. The costs of responding to an incident or breach, managing the PR fallout, and the opportunity costs associated with having to expend capital for cleaning up a disaster all dwarf the cost of maintaining a sufficient annual budget for information security.
Hackers haven't taken a break for the pandemic – in fact, they're ramping up. Approximately 214 million Facebook, Instagram, and LinkedIn users were exposed in January through a shared Chinese database scraped by hackers. A month later, hackers hijacked T-Mobile SIM cards through social engineering, revealing customer information in the process. The disparity in tactics makes thwarting attacks a constant challenge. Companies can and do survive these incidents and eventually get back to doing business, but not before losing profits, market share, and reputation – some of which they may never recover.
While no information security plan is ironclad, a powerful, up-to-date, and well-managed security posture can thwart most attacks, mitigate the damage of attacks that do occur and significantly reduce future incident response and recovery costs. It also can be much more expensive to retrofit or add security to systems after a business has ramped up its operation.
Letting security in on the ground floor
One of the best ways of maintaining a strong cybersecurity posture is to take a holistic approach. Security should be part of the mentality and culture of a business from the very beginning – particularly for more tech-related companies or those in industries that have to deal with large volumes of customer data. This doesn't mean that security should break the budget of a young startup, but a little planning and some relatively inexpensive measures can make the most of early IT expenditures and save money down the line.
Young businesses should assess the realistic cyber threat landscape for their industry and their particular IT infrastructure before they get underway. Professional cybersecurity consultants can help give a clear picture of what's needed in the short and long term. Make sure to establish a culture of security and best practices among employees and management, emphasizing some of the easy hacker inroads like phishing and other social engineering techniques. Implement regular training and assessments, and set good examples at the highest levels.
If having a dedicated IT security team or individual is not feasible initially, consider an outsourced virtual chief information security officer (vCISO) service. A vCISO is an affordable option for many small businesses and can provide valuable peace of mind as your business grows.
Data breaches are expensive on many levels. Letters and emails from companies informing clients that their information was or may have been compromised are becoming commonplace. These communications often come with offers for a free period of identity theft monitoring or other "olive branches" to soothe the pain. But the damage is already done. Breaches not only hurt a company's reputation with consumers, but future investors may be hesitant to get involved with a company that is perceived to be a data liability. It may seem hard to justify shelling out capital on information security when your company is just getting started, but the longer you wait, the more difficult and expensive it is to build it into your organization when you need it most.