If you’re a startup founder or stakeholder, read on for a clear actionable guide to implementing effective cybersecurity and compliance measures.
<aside>
⚡ **Data breaches are great for marketing! Except for the most critical data breaches, brand power and familiarity increase by over 25% following a breach. $^1$
Cybersecurity efforts that only reduce the probability of a breach are questionable; controls that reduce its impact should be considered. As Winston Churchill said, “Never waste a good crisis”.**
</aside>
To get started, skim through this guide. If you use Notion, feel free to duplicate this page, and you’ll have the skeleton of your cybersecurity program started. In this guide, there are:
- Template Policies
- Template Data Inventory tables
- Compliance and regulatory descriptions
- Advice from Adversis
Most of the recommendations in this guide cost little or nothing, though, as with all things, the cost can rise depending on your choices. For example, Microsoft Defender is free, but centralized alerting requires a paid tier. Getting your policies shipshape is free, but having an attorney review them costs money.
What’s in this Guide?
Understanding Your Startup's Needs
<aside>
✅ What you must do
- Cybersecurity Policies
- Technology & security processes
- Unique Passwords
- Multi-factor authentication (MFA)
- Endpoint protection
- Legal and regulatory compliance (e.g., data protection laws)
- Cyber insurance
- Technology safety training
- Business continuity planning
</aside>
<aside>
❇️ What you should do
- Secure software development practices
- Regular security audits and vulnerability assessments
- Following industry best practices, even if not legally required
- Regular risk assessments
- Incident response planning
</aside>
<aside>
❌ What you shouldn’t do
- Overcomplicate security for simple applications
- Ignore compliance due to the perceived low-risk
- Assume "it won't happen to us"
- Allow everyone to grade their own homework
- Assume you have no hidden risks
</aside>
Assessing the Type and Sensitivity of Data Handled
- Data Inventory: Create an inventory of all types of data your startup collects, processes, and stores. Include customer data, employee data, financial information, intellectual property, etc. This will be extremely useful to drive security controls and ROI, and for compliance purposes.
- Data Classification: Categorize data based on sensitivity and importance. Examples include public, internal, confidential, and highly confidential.
- Data Flow Mapping: Document how data moves within your organization and between third parties. Identify points of data collection, transfer, storage, and disposal. This makes future conversations with IT, security, and compliance much faster. Put a reminder on the calendar to review and update the map regularly, say every quarter.
Identifying Regulatory Requirements
Where does your startup operate or do business, including where your customers are, regardless of where you perform the service or create the product?
- [ ] United States
- State Specific Laws
- California
- [ ] Canada
- PIPEDA (Personal Information Protection and Electronic Documents Act): Canadian law governing data privacy in the private sector.
- [ ] EU
- GDPR (General Data Protection Regulation) (EU Law)
- [ ] Asia-Pacific