Crashtest Security Blog

Startup Cybersecurity Guidelines: What's needed in your Growth Stage?

May 8, 2020 3:01:01 PM / by Jan Wiederrecht

You are running a startup and want to get started on cybersecurity? You just joined a startup and want to implement the first cybersecurity measures? You are interested in what cybersecurity activities should be implemented at a particular growth phase of a startup?

You have come to the right place.

From our experience as a cybersecurity startup ourselves and the countless pieces of advice we have given to friends, colleagues, and customers, we have summarized our advice in one blog post. First, we will help you understand which growth phase is most applicable to you. Second, we cover the four growth phases and the cybersecurity measures applicable to each in detail. Third, we will give you an overview of the cybersecurity measures.

TL;DR

Jump to the overview table of cybersecurity measures by growth phase.

Which growth phase is most applicable to you?

Let us have a look at the four growth phases that we will use in this blog post.


Overview of growth phases

Needless to say, your startup should be developing some kind of software for these measures to be relevant to your company. However, we also have some organizational measures that apply to all startups.

We will use four phases, which we think make a substantial difference in what cybersecurity measures you should implement:

  • MVP
    You have built your first software prototype, but do not have any customers yet. Still, you should lay the groundwork for your cybersecurity journey.
  • First Customers
    Your software has the first live users and the core functionality. Time to think of the essential cybersecurity measures. 
  • Security-aware Customers
    Your software looks polished, your user base is in the triple digits, and your team has around 10 people. Your customers now expect that your software is secure.
  • Enterprise-grade
    You made it. Your software's name is a synonym for the activity, and your organization is huge, as are the security expectations of your users.

Please be aware that depending on your industry or your software, you might need to look ahead one step. Especially in the health or financial sector, security is a main concern from the get-go, and your users won't touch your software with a ten-foot pole if they don't think their data is secure. A security incident would probably be the end of your company at a young age.

If you want to learn more about what the different funding stages mean and which applies best to you, we found an interesting infographic for that. It outlines the startup growth phases, the likely investment sizes, potential investor groups, and probable startup achievements in each stage. Here is the link on Cloudways.

For each startup growth phase, we will suggest cybersecurity measures in the following categories:

  • Infrastructure
  • Software Development
  • Organizational Measures

If you want to have a deep dive into possible cybersecurity measures for your phase, feel free to download our whitepaper on cybersecurity best practices for startups.

Cybersecurity measures in MVP phase

The cybersecurity measures outlined here apply most to startups that have built their first software prototype, but do not have any customers yet. They probably have not yet received funding or have received seed funding. They have only a few test users on their app.

For startups in the MVP-phase, we suggest the following cybersecurity measures:

Area / Suggested Cybersecurity Measures
Infrastructure
  • Encrypted files and databases
  • No systems without proper access control
  • Transport encryption
Software Development
  • Dependency scanning
  • Peer reviews
  • Never do cryptography yourself
  • Keep secrets away from code
  • Run it unprivileged
Organizational Measures
  • Password manager and complex passwords
  • Two-factor authentication where possible
  • Encrypt laptops & phones
  • On/offboarding checklist
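As an added example (not code from the original post or from Crashtest Security), here is how three of the MVP-phase software measures listed above, keeping secrets away from code, running unprivileged, and transport encryption, can be enforced once at service start-up in Python. The function names, the `DB_PASSWORD` variable and the `api.example.invalid` host are assumptions made for the illustration; the point is that each check fails closed, so a misconfiguration stops the service instead of quietly weakening it.

```python
"""Start-up checks for three MVP-phase measures (added illustration, not the post's code)."""
import os
import ssl
from urllib.parse import urlparse


class Secret:
    """Holds a secret so that str()/repr() (and therefore most logging) never prints it."""

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        """Only an explicit call gets the real value; nothing leaks by accident."""
        return self._value

    def __repr__(self) -> str:
        return "Secret(<redacted>)"

    __str__ = __repr__


def load_secret(name: str, env=None) -> Secret:
    """Keep secrets away from code: read them from the environment, never from the repo.

    Fails closed: a missing or blank variable aborts start-up instead of
    silently falling back to a hard-coded default credential.
    """
    env = os.environ if env is None else env
    value = env.get(name, "")
    if not value.strip():
        raise RuntimeError(f"required secret {name!r} is not set")
    return Secret(value)


def assert_unprivileged(euid=None) -> int:
    """Run it unprivileged: refuse to start as root (effective uid 0)."""
    if euid is None:
        # Windows has no euid; treat it as non-root rather than crashing (assumption).
        euid = os.geteuid() if hasattr(os, "geteuid") else 1
    if euid == 0:
        raise PermissionError("refusing to run as root; use a dedicated service user")
    return euid


def require_https(url: str) -> str:
    """Transport encryption: only https:// URLs with a host are accepted for outbound calls."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"rejected non-HTTPS or malformed URL: {url!r}")
    return url


def tls_client_context() -> ssl.SSLContext:
    """Client-side TLS context with certificate and hostname verification on, TLS 1.2 minimum."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def startup_checks(env=None, euid=None, api_base_url="https://api.example.invalid"):
    """Run all three checks once; returns the validated settings the service may use."""
    return {
        "db_password": load_secret("DB_PASSWORD", env),  # hypothetical variable name
        "euid": assert_unprivileged(euid),
        "api_base_url": require_https(api_base_url),
        "tls": tls_client_context(),
    }


if __name__ == "__main__":
    settings = startup_checks(env={"DB_PASSWORD": "constructed-sample-value"}, euid=1000)
    print(settings)  # the secret prints as Secret(<redacted>)
```

Wrapping the value in `Secret` is what makes "keep secrets away from code" survive contact with debug logging: a stray `print(settings)` or an exception report shows the placeholder, not the credential.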

Cybersecurity measures in first customer phase

The cybersecurity measures outlined here apply most to startups in the first customer phase. By now, your software has the first live users, maybe some customers, and the core functionality is established. Your startup has received seed or early-stage funding and there are between 0 and 10 users on your software.

Time to think of the following essential cybersecurity measures. 

Area / Suggested Cybersecurity Measures
Infrastructure
  • Backup strategy
  • Load balancing
  • Security monitoring
Software Development
  • First automated tests in the toolchain (e.g. load and security testing)
  • Code quality analysis (e.g. SonarQube)
  • Docker container scanning
  • Honest & transparent about collected data
Organizational Measures
  • Access rights management – principle of least privilege
  • Security-first culture with employees (have fun with it)
  • Malicious user stories (“what could go wrong?”)

Cybersecurity measures in security-aware customers phase

Congratulations, your startup has reached its first substantial milestones and your software has expanded with multiple features or products by now. Your customer base has passed the 100-customer mark and your team is scaling up while struggling to keep that startup feeling intact. Your funding is now mainly invested in growth, because your paying customers could already sustain your business on their own. You are in the early or later-stage funding rounds.

Cybersecurity measures have changed from something customers appreciate to something they expect to be baked into your solution. You should review whether the standards you applied in the earlier phases are still up to date and appropriate for your size. Plus, start thinking about the following topics:

Area / Suggested Cybersecurity Measures
Infrastructure
  • Secure company infrastructure (firewalls, intrusion detection systems, mobile device management)
  • Replication
  • Centralized log management
Software Development
  • Security integrated in development
  • Dynamic application security testing
  • Additional manual tests where needed
  • Provide & encourage two-factor authentication
Organizational Measures
  • Regular employee trainings
  • Vulnerability disclosure program
  • Emergency and recovery plan – incident response strategy
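"Security monitoring" from the first-customers table and "Centralized log management" above only pay off when something actually reads the collected logs. As an added example (not code from the original post or from Crashtest Security), here is a small Python detector that walks centralized authentication logs once, raises a medium alert when one source IP produces a burst of failed logins inside a sliding window, and a high alert when a login then succeeds from that IP while it is still flagged, which is the event worth paging someone for. The log line format, the sample lines, the `analyse` function and the threshold of 5 failures in 60 seconds are all constructed for this illustration, not values from the post.

```python
"""Failed-login burst detection over centralized auth logs (added illustration)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the format is invented for this example and the IPs are
# documentation addresses (RFC 5737), not real hosts.
SAMPLE_LOG = """\
2020-05-08T14:00:00Z auth login_failed user=alice ip=203.0.113.5
2020-05-08T14:00:05Z auth login_failed user=alice ip=203.0.113.5
2020-05-08T14:00:09Z auth login_failed user=bob ip=203.0.113.5
2020-05-08T14:00:14Z auth login_failed user=carol ip=203.0.113.5
this line is not an auth event and must be skipped, not crash the monitor
2020-05-08T14:00:20Z auth login_failed user=dave ip=203.0.113.5
2020-05-08T14:00:31Z auth login_success user=dave ip=203.0.113.5
2020-05-08T14:00:40Z auth login_failed user=erin ip=198.51.100.7
2020-05-08T14:05:00Z auth login_success user=erin ip=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) auth (login_failed|login_success) user=(\S+) ip=(\S+)$")


def parse_line(line):
    """Return (timestamp, event, user, ip), or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts, m.group(2), m.group(3), m.group(4)


def analyse(log_text, threshold=5, window=timedelta(seconds=60)):
    """Single pass over the log. Returns (alerts, skipped_lines).

    brute_force: at least `threshold` failures from one IP inside the sliding window.
    success_after_failures: a login succeeds from an IP that was flagged within
    the last window.
    """
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) failures inside the window
    flagged_until = {}           # ip -> time until which the IP counts as flagged
    alerts, skipped = [], 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        parsed = parse_line(raw)
        if parsed is None:
            skipped += 1         # malformed input is counted, never silently dropped
            continue
        ts, event, user, ip = parsed
        if event == "login_failed":
            q = recent[ip]
            q.append((ts, user))
            while q and ts - q[0][0] > window:
                q.popleft()      # expire failures older than the window
            still_flagged = ip in flagged_until and ts <= flagged_until[ip]
            if len(q) >= threshold and not still_flagged:
                flagged_until[ip] = ts + window
                alerts.append({
                    "kind": "brute_force", "severity": "medium", "ip": ip, "at": ts,
                    "failures": len(q), "users": sorted({u for _, u in q}),
                })
        elif ip in flagged_until and ts <= flagged_until[ip]:
            alerts.append({
                "kind": "success_after_failures", "severity": "high",
                "ip": ip, "at": ts, "user": user,
            })
    return alerts, skipped


if __name__ == "__main__":
    found, bad = analyse(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(f"skipped {bad} unparseable line(s)")
```

In a real deployment the input would come from the central log store rather than an in-memory string, and the unparseable-line counter is the first thing to graph: a sudden rise usually means a log format changed upstream and the detector went blind.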

Cybersecurity measures in enterprise-grade phase

Are you even a startup anymore? Probably not. Your user base has grown into a five-digit figure. You have some really big customers, and some people in your organization have never met each other. You made it. If you still need funding, you are in a later-stage funding round. If not, you are probably planning your IPO or are already public.

Just like your business, your attractiveness as a target for hackers and the security expectations of your users have grown. Consider the measures below in addition to everything you already have in place and that your IT security team is continuously enhancing.

Area / Suggested Cybersecurity Measures
Infrastructure
  • Netflix Chaos Monkey
  • Disaster recovery system
  • Advanced failover infrastructure
  • Asset Inventory
Software Development
Organizational Measures
  • Bug bounty programs
  • Regular recovery exercises
  • Emergency drills
  • ISMS (ISO 27001, etc.)
  • Hire dedicated security engineers

Overview of cybersecurity measures by growth phase

You really just wanted to get an overview. Here are all the measures by stage and area. For more details, visit the individual sections. If you would like us to dive deeper into one topic, let us know.

If you are in the security-aware customers or enterprise-grade stage, here is a great vulnerability scanning tool for you that will help you scale, run automated scans, and keep all releases secure: Crashtest Security Registration.

The good news for startups that haven't gotten that far yet: It is free for 14 days (you don't even need a credit card) and you will have your scan started within 2 minutes. However, there are some other things you should probably consider first (see above). If you have any questions or need advice on a particular topic, send us an email.

Stay secure!

Topics: Startup, Cybersecurity

Written by Jan Wiederrecht

For more information on all topics around continuous security, visit our continuous security page:

Continuous Security Topics