Securing a startup in the GDPR age

Without the vast budgets of corporations, startups need to be savvy with security spending

Data breaches have become a common occurrence for businesses worldwide. Around 1.9 billion data records were stolen in the first half of 2017 alone, and the number of reported incidents grew by 13% between 2016 and 2017, costing companies millions.

Cyber attacks are thought to cost the global economy around $400 billion (£291 billion) annually, according to the Center for Strategic and International Studies, while a study from security firm Bitdefender puts the individual cost of a breach to a company at around $1 million.


Then there's a company's reputation to consider. When large firms such as Equifax are hit by breaches, they often have sizeable budgets and sophisticated crisis management systems to mitigate the fallout. But for small and medium-sized enterprises, being targeted by attackers can easily put them out of business.

Startups tend to be the most vulnerable in this regard. They often lack the financial resources to invest in sophisticated security systems, and rarely have the luxury of a loyal customer base that will forgive a breach. This, coupled with the added pressure of the General Data Protection Regulation (GDPR), which has overhauled a company's responsibilities for the personal data it collects, processes and retains, means startups face harsh challenges when it comes to improving their security.


The question is, how can startups do this effectively?

Teamwork is essential

GDPR aims to tighten up data protection practices, effectively handing control of personal information back to the data subject. For large companies with dedicated security and privacy teams, adhering to the regulation is comparatively straightforward.


However, Jason Hill, executive partner of business development agency Reply Group, says the changes present an "overwhelming challenge" for smaller companies, particularly startups, given the complexity of the regulations and the need for specialised knowledge.

When it comes to implementing systems to comply with the ruling, Hill says firms should "assess all relevant parties and ensure they are involved in the process. From legal representatives to IT managers, everyone should be responsible for improving data protections."

"The next step is to evaluate your current privacy organisational model and assess which parts need to be changed," says Hill. "Develop a framework based on this and apply it to all the relevant countries and legal entities of the enterprise.

"Make sure you can show accountability for all the processing activities and that the cross-border data flows are compliant with GDPR. Once this has been achieved, it's critical you give your employees the time and resources they need to be trained and become familiar with the changes."

Rushing doesn't help

Andy Barratt, who heads up the UK operations of cyber security firm Coalfire, believes that startups don't need to spend huge amounts of cash to comply with GDPR. In fact, he argues that rushing to adhere to the regulation can be more expensive.


"Lots of people are talking about the price of not complying being high, but so could the cost of rushing in. One of GDPR's requirements is that firms assign a dedicated data protection officer (for those processing customer data on a large scale)."

"In the case of most startups, that won't mean hiring an extra member of staff and, for many others, it's a requirement they don't need to meet. However, the confusion and haste can sometimes lead to poor decisions," says Barratt.


Instead, he believes GDPR should act as a "catalyst for some good data governance", particularly as the Information Commissioner's Office (ICO) has gone to lengths to position the regulation as an opportunity to earn customers' trust.

"Startups should take time to work with the ICO, using the assistance it offers and seeking external advice where needed, rather than rush in and make mistakes they may come to regret," says Barratt.

Importance of good data practice

Consumers are becoming increasingly aware of their data privacy rights. While users may be happy to share personal information with companies in return for a valuable service, there is always an opportunity for firms to abuse that position.


The revelation that the data of some 87 million Facebook users may have been improperly shared with analytics firm Cambridge Analytica was cause for alarm for many. Trust in the social media giant has waned, and it's unclear whether senior management will emerge unscathed. Yet Facebook is likely to survive an incident that would prove fatal for a startup.

"[There's] an increasing awareness of the power of consumer data and the nefarious or even destructive uses to which it can be applied," says Sheryl Kingstone, an analyst at 451 Research.

This has proven particularly problematic for fledgling businesses, as she believes "everything from selecting and implementing technology vendors, customer engagement strategies, data partnerships and advertising campaigns" will be affected by the need for increased transparency.

Embracing the cultural shift

Dan Vartanov, chief technology officer of Swansea-based e-commerce startup Veeqo, agrees, arguing that SMEs need to pay close attention to their new responsibilities under GDPR, because even "a single data breach could see them going out of business".


If one thing is certain, it's that companies, no matter how big or small, cannot shy away from GDPR, even if smaller firms don't have large security budgets to draw on.

The biggest change, however, is a cultural one: many smaller firms are now being forced to prioritise spending on data security over maximising profits. As Vartanov puts it, "smart and responsible startups should make sure they exercise information security best practices, even without regulations forcing them to do so."
