The Biggest Security Lie Sold To Startups

Building a startup is one of the most challenging things anyone can undertake in today's world. For African startup founders, it is even more challenging.
Many startup founders, as a result, compromise and merge on a lot of things. While that, to a significant extent, shows their drive for success, a trait most investors look out for, it is a blurry line that, when not handled properly, can cause you a lot of pain and damage.
Stay with me while I unpack.
The average startup founder doubles as the full-stack developer, documentation guy, UI guy, and marketing ninja. This they do until they can find capable hands to delegate to, in exchange for small payments, the promise of future pay, and possibly stock options.
But when it comes to cybersecurity, a very fundamental issue, many startup founders brush it aside. And no, not until they can delegate it, as they do with other roles. They simply brush the issue off.
The reason is simple: many developer-turned-founders believe that security is unnecessary. “I wrote the code, yeah? So why bother?” When they are not toeing that line, they simply push it aside. If they don’t cite cost, they say they are too small to be hacked.
I get you, but I’ll tell you why you're sitting on a bomb.
Being small doesn’t equal immunity: why you are not too small to be hacked
“Nobody knows us” isn’t a defense strategy. You know why? Bots don’t care, and they don’t need to know you. The average startup breach is often less about being meticulously targeted and more about opportunity at volume.
Many startups are similar in infrastructure. When you are not using AWS, you are on GCP or Azure. For most threat actors, that’s plenty already. They set up automated tools to scan for vulnerabilities and leaked secrets. They brute-force en masse because they understand your typical setup even without knowing you.
And when that opportunity presents itself to them? They follow up aggressively, like someone looking to land a role, except that this time the role is at your company, and it works against you.
Startups are often low-hanging fruit: rushed deployments, exposed keys, weak configs, no monitoring. I said this sometime last year. Many threat actors will prefer to spend a week successfully breaching 10 startups, rather than spend a month monitoring a large technology company. Does that mean that large tech companies are more secure? Absolutely not. They, too, have to deal with the likes of ShinyHunters.
My point here is this: the very thing that makes startup founders believe the lie that they are untouchable by hackers is the very thing drawing those hackers to them.
If you allocate cybersecurity for later, your startup is sitting on a letter bomb
When starting out, most founders push security off until they are seeking funding, expanding, or, oddly, until a breach happens. Unfortunately, the right time may never come. What began as a simple MVP quickly grows into production… then, you forget.
Investors are increasingly looking for security-conscious startups. Investors in fintechs, AI, and health-focused companies will be less forgiving of security lapses.
It’s easier to fix security now and grow with it than to try to bolt it on later, as if you were doing a feature upgrade. Even your best devs won’t save you when your security debt begins to compound.
What then is the way forward?
I believe that, at this point, you have seen my point: the biggest lie sold to startups is that cybersecurity can wait. It simply can't.
I don’t know who sold you that lie, but I can bet that your future self, your investors, and experienced entrepreneurs won’t agree with you on that.
Your next steps are outlined below:
1. Make a thorough inventory of your assets: you can’t secure what you don’t know.
2. Get an incident response plan in place.
3. Set up continuous monitoring for your cloud assets and connected systems.
These three, while simple and basic, are enough to get you started. Keep growing.
Until next time, stay safe and stay tuned for more.
