chevron_leftBack to Blog

The Ultimate Guide to Navigating Cybersecurity for Startups

jonathan engle

Jonathan Engle

Read Time: 9 minutes

 

Summary

 

This cybersecurity webinar delves into the critical importance of cybersecurity for startup founders. Industry experts Ian Garrett from Phalanx.io and Corey White from Cyvatar are our experts for this discussion. Don't overthink cybersecurity anymore. We cover the essentials every startup founder needs to understand through real-life examples and insights from real world experience among startups. This isn't something to ignore. Whether it's understanding attack vectors or navigating cybersecurity insurance, startup founders need to fortify their businesses against cyber threats and position themselves for growth.

The Startup Stack negotiates millions of dollars in deals exclusive for startups to access. Explore all of our deals here.

Cyvatar is your outsourced cybersecurity team that's stage appropriate for any startup. Sign up here to get one month free on your first year's subscription, worth up to $10,000 in savings..

Phalanx.io is like your first cybersecurity hire. Make your future CISO proud. Sign up here to get 20% off your first two years with Phalanx, worth up to $1,152 in savings.

 

Key Takeaways and Links

 

  • Connect with Jonathan, Corey, and Ian.
  • Enable multi-factor authentication on all devices and logins. Assume someone already has your passwords. Phalanx recently wrote about cybersecurity essentials here.
  • All passwords should be generated by and stored in a trustworthy password management application. Use the most complex password setting possible (random generation with special characters, numbers, letters, varied cases, etc.). However, don't trust your password manager perfectly. They've all been breached at some point.
  • Never use the same password twice.
  • You cannot have cyber insurance without a cyber policy in place. If you lie on your cyber insurance application, you will be audited whenever making a claim on your policy. If you fail that audit, your policy won't pay out.
  • Know what your business's specific cyber needs are and build an appropriate cyber policy from day one. For example, healthcare companies have their own unique requirements (read more here). Finance and accounting related businesses have their own needs too (Phalanx wrote about this recently).
  • At the latest, look to outsource your cybersecurity team to a company like Cyvatar by the time you have 10 employees. This is a good rule of thumb for when you'll outgrow your ability to manage your own cyber needs.
  • Build your cybersecurity appropriate to the stage of your business. For example, don't get SOC 2 compliance unless someone's asking you for it.
  • Compliance certifications are not the same as security. Security should be built for every stage of your business, while compliance is only a snapshot of your business's security at a certain point in time. It's a verification of practices you're already engaged in. If you don't have any security practices in place, then getting any compliance certifications will be even more difficult and expensive. Click here for more information on security questionnaires on the Startup Stack blog.
  • Outsourcing cybersecurity help is almost always the best way to go. For example, the same sophistication of cyber attacks used on enterprises are hitting small businesses. Enterprise level protection is often cost-prohibitive for early-stage companies, so working with third-party cybersecurity companies can reduce the cost of accessing the kinds of tools you need. Cyvatar helps with this (read more here).
  • Remote working is especially important to secure, which Phalanx wrote about here.

 

Webinar Transcript

 

Disclaimer

PLEASE NOTE LEGAL CONDITIONS:

The Startup Stack owns the copyright in and to all content in and transcripts of The Startup Stack's podcast and webinars, with all rights reserved, as well as his right of publicity.

WHAT YOU’RE WELCOME TO DO: You are welcome to share the below transcript (up to 500 words but not more) in media articles (e.g., The New York TimesLA TimesThe Guardian), on your personal website, in a non-commercial article or blog post (e.g., Medium), and/or on a personal social media account for non-commercial purposes, provided that you include attribution to “The Startup Stack” and link back to this page's URL. For the sake of clarity, media outlets with advertising models are permitted to use excerpts from the transcript per the above.

WHAT IS NOT ALLOWED: No one is authorized to copy any portion of the podcast content or use anyone’ name, image or likeness for any commercial purpose or use, including without limitation inclusion in any books, e-books, book summaries or synopses, or on a commercial website or social media site (e.g., Facebook, Twitter, Instagram, etc.) that offers or promotes your or another’s products or services.

 

Transcript Start

Jonathan Engle | Startup Stack: Kind of a funny situation that came up for me. The startup stack is unique, cause we're a startup that helps startups. And so we. you know, as founders ourselves. We also relate to a lot of the challenges that you run into as you build your businesses. And you know. Recently I was setting up a client portal, and in my personal life I was also applying for something online, and I had to prove my identity for it. So I had my driver's license in my downloads folder. And as I was working in this client case. Instead of uploading their logo, I uploaded my driver's license. Then I hop on a demo with this client, and as I'm talking through and explaining things, and I just see my driver’s licenses on an image carousel, and it just floated by, and I just about had a heart attack. I was like that is not a logo that is not their company logo, that is, my driver’s license, and that is really bad for me. That was a bit of a wakeup call of like, Hey, I know that I'm not doing enough for cyber security.

Now imagine this… I think many of us as founders have this nagging feeling of like, Okay, I know I'm not doing enough. I want to do more. I have no idea where to start. And that's really the premise for this discussion today is that we all have this kind of feeling as founders. But there's a lot that can be done, and it's all about what should be done. And so that's what we want to cover.

We’ll give you kind of the central pieces of information that you need, and then kind of go from a high level understanding and break it down to here's, you know, a few concrete action items that you can take to improve your cyber security.

So with that, I do want to give Ian and Corey a chance to introduce yourselves and share a bit about your background and why we're why you're doing what you do. So do you want to start, Ian, and then Corey.

Ian Garrett | Phalanx.io: Yeah, yeah, so really appreciate you putting this together. Super excited about this topic. Obviously, I'm the co-founder and CEO of phalanx. And we're a cyber security startup that's really focused and removing the human risk associated with dealing with business files.

This seems like a simple premise, but at the end of the day, as you may know, there's a lot out there, and it's hard to wrangle. After college, I was commissioned in the Army as an Army Cyber Officer focused mostly on offensive cyber security. 

So a lot of interesting tidbits of knowledge out of that less active duty went into a Phd program focused around cyber. In this case, also AI, and then really solid 2020, as you know, we all went remote. There was a massive skyrocket in breaches. And you know it's not because people are spending more money developing more complex exploits, because we as humans were just trying to do what was best for our productivity, and honestly that always opens up more vulnerability.

It’s one of the software that, and particularly for startups, SMBs people that really don't have the kind of the staff to do it themselves.

Jonathan Engle | Startup Stack: Oh, that's awesome. Thank you. And it is fun that Ian and I both serve in the Army reserves, which is kind of fun to connect over. So yeah, left that out. I also went into the reserves. And I’m still a reservist and am happily doing that. 

That's right. See, I did my PT test yesterday. He's doing his tomorrow. So we all get a workout at our job. It’s funny, I actually wanted to enlist as a cyber security like a cyber warfare specialist when I joined the military. But they don't let brand new enlisted do that. So there's a long backlog of people who would love to do that. I did not get that. Thank you so much Ian. Corey, please introduce yourself.

 

Corey White | Cyvatar: Hi, Cory White, CEO founder Cyvatar. I've been in the industry for 29 years now. Kind of been there done that seen a live where there be instant response penetration, testing, running global teams, doing those types of engagements on top of that installation and configuration. What I saw in 2019, after I left my last company, a company call silence we got acquired by Blackberry for as a Unicorn. And then, after that, I realized there's a big gap: small to medium sized businesses have no way to really implement and to maintain a security program. And I say, well, we just make it all into subscriptions. You just subscribe, and we'll take care of it and fix your compliance and your insurance needs and also get you secure. So that's that's what I do. And that's what's Cyvatar is about.

 

Jonathan Engle | Startup Stack: That's fantastic. And yeah, that's a lot of experience, and I'm sure the field has evolved a lot since you entered the space.

 

Corey White | Cyvatar: Yeah.

 

Jonathan Engle | Startup Stack: Well, fantastic! Well, thank you so much. And as I mentioned earlier. You know what's unique about webinars that we do at the startup stack is that we want to make sure that you have the ability to get these kinds of unique startup discounts. So for those who don't know us like that, I'm Jonathan Engle | Startup Stack, CEO and Co. Founder of the Startup Stack. And we have negotiated startup deals worth millions of dollars in savings unique to startups. Our vision is that from idea to exit. You're able to build your software and services stack and be able to extend your runway and hopefully use services earlier in your business life cycle than you thought would have been possible.

These startup deals come from amazing companies that want to work with you because you have a big dream. And with that big dream is something that everyone wants to join in together. I'll be putting this in the chat about the special deals from everyone here today. So it'll be kind of a long message, but it has everything you need if you decide to work with Phalanx or Cyvatar, or my deal today is you can schedule a free consultation and discuss the software and services that you would need. We'll touch on that again later in the discussion as well. So going straight into our topic today. Ian and Corey, help walk us through this. Assume there are people on this webinar who have no idea or just a vague notion of what cyber security is. Help us contextualize that. What is cyber security? And why is this relevant?

 

Ian Garrett | Phalanx.io: Yeah, I'll start. And then Corey, I'm sure he has got a different definition. But I like to really think about it from the operations perspective of a business. If you think about IT and cyber security, a lot of people like to jam those 2 things together. But in a way, they're kind of 2 opposite sides of the same point. So IT’s whole focus is, how do we get access? Give access to people so they can do work and be productive. Cybersecurity is actually kind of the opposite where it's how little access can we give someone?

And that's because at the end of day, you want to make sure that people only see what they're supposed to see, touching only what they're supposed to touch in the same way as a physical building, right? So oftentimes cyber security can extend into the physical world.

In terms of roles and responsibilities, physical security often falls into that cyber security role. And that's because it's all the same stuff. You know, whether it's someone walking into a building, into your office, accessing various filing cabinets, or whether it's doing that in the digital world, it's all cyber at the end of the day. Cyber is all about stopping people or reducing the amount of access possible. And again, in contrast to it, how do we let people have as much as possible to get work done?

 

Corey White | Cyvatar: Yeah, I'll chime in cyber security to give a slightly different answer. Cyber security is simply a business enabler, especially if you're a startup. So if you're a startup, you shouldn't have much cyber security when you may not be making any money and not growing your business. Cyber security should be what you use to enable your business to grow and get to that next level. You want to have the right level of security and not spend too much money on cyber security. So you want to right size it and get the right things so that you don't get hacked and go out of business but at the same time not spend too much where all your money is spent on cyber security.

 

Jonathan Engle | Startup Stack: Yeah, I think that's a great point since you hear kind of similar comments within things like tax mitigation or insurance or anything related to risk management. There's risk, and you want to mitigate it. But if that's all you do in your day to day, like you don't even have a successful business right? You don't wake up saying I'm going to build the most cyber secure business in the world. But you also don't want to do nothing right? So help walk us through this. What are the consequences of this like? Why is this relevant? and why? Why should startups care about this cause to your point like a lot of founders are so busy selling. They're building their product. They're in the trenches tackling those key drivers that are gonna help them to raise their next round, or to bootstrap their business. And so why should they dedicate time to this?

 

Ian Garrett | Phalanx.io: Well, as Corey mentioned, it's a business enabler, right? So what are the drivers behind security at the end of the day? Being secure is nice. But is it a need to have? Or is it a nice-to-have? 

And if you think about your business, especially for a startup, certain parts of it are need-to-have and certain parts of it are nice-to-have. So one of the need-to-haves from the business side of the house is; how does your cyber security affect your company, your clients, and your customers? Because if you yourself are secure and handling a lot of sensitive data of theirs that can be a deal breaker right? So if you don't have any kind of processes in-house, then they might not want to close that deal with you. Once you work and start going to larger scale enterprises, that becomes a mandatory thing. So in addition to various certifications you need, you need to have a process in place if you want to close a deal. And if you're starting that process. When you're trying to close that deal, it's already too late.

 

Corey White | Cyvatar: Yes, I agree. I think the other point I'll just addis when you think about cyber security and closing deals, cyber security should help you get compliant. It should prevent you from getting attacks, and if you need to get cyber insurance, you should be able to get that and get it affordable. Now I'll talk about a case, you know an example here, Jonathan.

I know of a startup that didn't have good cyber security at all, and their venture capitalists did not either. And so in this scenario one both of them got their emails hacked and their accounts were compromised. When it came time for them to get funding, that funding was transferred into the hackers’ account through a business email compromise as opposed to the startups account. That startup did not succeed. They didn't get their funding.

So that's why, when I talk about right sizing cyber security, you need to have multi-factor authentication in place. You need help with email security. You need to have good DNS security. Make sure you're not entering your credentials on some fake domain. And you need to probably have some level of security awareness, again depending on if you're a tech startup, you may not need some of those pieces, but if you're not in a tech space at all, then you're gonna be vulnerable to that type of attack all day long.

 

Jonathan Engle | Startup Stack: Yeah, that sounds like pretty much the worst thing you could ever imagine. You actually are executing on your business. You're succeeding. Someone decides to write you a check, and you don't even get the check. That's heartbreaking.

Maybe less drastic but still kind of relatable. It sounds like there's kind of 2 elements. There's the offensive element of doing sales. The more you sell, the more you need this in place as you have these customer conversations. You're gonna get security questionnaires and other things that come up. And 2, you need to defensively make sure that if you are targeted that you don't fail and fall victim to their attack.

 

Ian Garrett | Phalanx.io: Yeah, I mean, if I think about also on that defense side of the house a lot of what we do as startups is about our brand, right? So it’s a big part of your brand identity. I can't imagine anyone who's brand identity isn’t important. Yeah, we're fast and loose with your personal information. Regardless of that if that's what's happening. But you know it's oftentimes can be devastating to a brand to have a breach. If you're a large enough organization, even if you withstand it, you know you have at least the resources to try to come out of it. If you're a startup, even if you withstand the financial implications of the breach, your brand might be just completely destroyed. I mean, you're even seeing this at the high levels of business. People have rebranded their large organizations purely because of a breach.

 

Jonathan Engle | Startup Stack: Yeah, yeah, I think that's probably why it's top of mind, because people have seen headlines when you see big businesses that get breached. And at some point you're like, “Oh, wait a second like, even though I'm not a big business, could this happen to me?” I've heard of local companies that have had ransomware attacks and their entire system gets locked down and they're shut down for maybe a month, because they didn't backup their data or do other things that they should be doing.

 

Ian Garrett | Phalanx.io: Yeah, I think that's probably right. But about like half of Cyvatar’s clients are SMBs, so Corey may have better data than I do on this. But definitely, let us know.

 

Corey White | Cyvatar: Yeah, what it comes down to is, these attacks are more and more targeted at these small and medium sized businesses, because the hackers know they have nothing in place. So why would I wanna attack some large organization that may have a security team and a lot in place when I can attack this small business that has nothing in place. They're gonna fall for the phishing email. They're gonna click on the link to put in their credentials into my fake website. You know they won't notice it is not the actual domain. I'm gonna take their credentials. I'm gonna get those credentials and now move onto Microsoft, or whatever login, and they won't know the difference.

But then I can go in. Take over that account, start forwarding emails back to myself, and they won't see them do a business email compromise. Once I see that every single month this customer pays $50,000. Okay, next month. I'm gonna tell them I just switched Banks, and have them send it to me. That's the easiest attack, because this small business has nothing in place.

You're also gonna see the business email compromise. They do ransomware attacks and they would do what we started to see now is the combination of the 2 which you know ultimately leads to extortion. We've taken over your company literally. I know of a bunch of companies that this happened to. This happens a lot now where the hackers came in and they took over their Microsoft, their domain, and their email. They have full control.

And then they were extorting them for money. Now some companies they'll pay the money, others like alright, well, we just lost access to that. Let's rebuild it, and they literally are rebuilding it. I've seen both scenarios. So that happens every single day. Literally, you know, dozens of times a day. So that's what's happening out there that these small in size businesses are not talking about. Who wants to share what happened to them?

 

Jonathan Engle | Startup Stack: Yeah, because it ties back to the brand reputation risk and just speaking to you know that I hope that for those listening to this that you understand this. This is important and it’s easy to neglect this. Some people think they can just buy insurance and not worry about it, but that's not enough. You have to take more action than that. I think that's a common misconception. So I'd love to hear your thoughts on that.

 

Corey White | Cyvatar: So we're gonna go back at least 10 years. So 10 years ago you would go sign up for cyber insurance and you fill out the questionnaire. They'll ask you generic, open-ended questions. Do you have a security program in place? Do you apply patches? And you just click yes, to all of it. Boom, you got insurance.

Well, unfortunately, that didn't work out well for the insurance companies. And so now it's been the last 3 or 4 years or so they've been really locking down. Because I've heard, you know, claim rates being as high as 90 to 100% over a couple of years for them. If you know the way their actuarial formula works, that didn't compute for the insurance.

So now you'll hear them say, “Well, okay, we know our customers that have insurance and ensure they don't have breaches.” Well, what they've done is the high risk ones. If you have a breach, it's gonna be hard for you to get cyber insurance again. They ask that question and then on top of that, if you are at risk and don't have the proper controls in place like vulnerability management. You know the endpoint protection, multi-factor security awareness training. All those are really basic easy things to do. If you don't have them in place you will not get insurance.

But if you do say you have them in place and then you get a breach, guess what? The insurance companies have an incident response team to come out. They're gonna look. And they're gonna say, “Hey, you, Jonathan said, that you had, you know, patching done every single week, or whatever, and this vulnerability was exploited, and it was 3 months old. We're not going to pay.”

So not only did you get hacked. You had your data stolen. You had to pay and thought you had backup from insurance. But you've been paying an insurance policy for the last, you know, 7 years, or whatever. And then when you really need that you're not getting paid. The statistic ultimately is that 1 in 4 claims are paid, or some are partially paid. So that's the stat. So you actually have to build a security program. Get it right, do it continuously, and then your insurance company will actually pay if you get hit by some 0 day breach.

But the last point I'll make is around this. Think about the real world. If you buy a new car, you take it to your insurance company and say I want insurance. But then you look at your car. You don't have any brakes. You don't have seat belts. You don't have airbags. You have nothing in place. Do you think they're gonna give you insurance? Absolutely not.

 

Jonathan Engle | Startup Stack: Yeah, that's a great analogy. And I think it's very relatable. I do want to transition into the more hopeful part of this.So if you're listening, this is relevant and important. You can't neglect it, and you can't lie on your insurance applications, which I never heard about. So that's a really good point.

Here’s one question from the chat: Are there startups that don't have cyber security because they solely do services on premise? Are people out there who have used this thought to work around having to pay for cyber security.

 

Ian Garrett | Phalanx.io: Yeah, so I’ll combine that question with another one about website vulnerabilities and how best to secure your website. It honestly is all kind of the same starting point.

I think people often see cyber security as this big black box where hackers are gonna come after me. What do I need to do? Is an antivirus good enough? Do I need to add all these random plugins? What is actually the problem here? And do I need to even pay for anything, or how do I get around it? I think, where to start with all of that is, just think about is: What do you have that needs protection? There's a number of frameworks out there. You know, we help people and organizations to piece together what they need to. But essentially, just think about what? What do you have? Do you have people? Do you have credit card information? Do you have any business documents? Do you have physical offices? Do you have any physical networks in your office? What are all the different assets that you have? And then think about how you tie security to those things?

People think that hacking is just having stuff, and then hackers get in, but there's always a way in. And then so if you think about all the different ways in. For example, do you have a login page? Is it connected to the Internet? If it's not connected to the Internet, there are still ways to get in, but it's not gonna be through the internet.

 

So again, just kinda just to sum it all up, if you're doing on prem services, such as a window cleaner, do you need to have cyber security as a window cleaner? The question is do you have on-prem services. Do you need it? Probably not because unless you're dealing with receiving payment via credit card on site, then maybe you do, but if you're just clearing it in cash, then you probably don't need cyber security for that instance. But when you come back and file your taxes as you're handling all that information, you probably do wanna have something.

 

Jonathan Engle | Startup Stack: Well, that's a good point, like kind of contextual. I don't know if this is the same thing. But actually this last weekend I went to clean up a mess in another business's office, and there were huge warning labels all over their supply closet, and I was like, “There's bleach in here like why is this such a big deal?” I went in and saw all their servers were mounted on the walls in their supply closet. So even your cleaner could have access to something sensitive, and I think that's another example of even on premise could be the same at the core.

 

Corey White | Cyvatar: Yeah, here’s what we've seen. And this is an evolution. So we're rolling out a new solution called mobile threat defense. So if you look at tackling what we'll call micro businesses. The hacks have moved away from just your computer. It's moved to your phone or your iPad, or whatever mobile device you may have. And so you take these on Prem type businesses for example. Say you're a barbershop. Say, you know your salon or spot, or whatever. You don't have a lot of computers. You don't have a server. You don't have anything within the cloud. You may have a website, but that's hosted somewhere, hopefully, securely. So your attack vector is your mobile device.

And if you think about it for the folks that are attending, how many of us know someone who's had their social media accounts, you know, compromised or their personal email compromised? A lot of these compromises just use their phone. So they've either logged into the wrong site or they've gotten their data password. So they but most of the people don't have multi factor, 2 factor on social media or their emails and for their Gmail support whatever. So those are attacks that need to be secured against. If you think we all get to phishing links in text messages, and if you click on those, your phone could easily be compromised.

It used to be for us Iphone snobs out there, myself included. You're like, okay, I'm on iphone. And I use a mag as a closed system. Well, if you haven't noticed just for the last 3, 4 months, every single few weeks, there's a new apple update. Literally I just updated mine last night. If you look at them, they all say, security vulnerabilities are being remediated.

So even back in December there was an attack that if someone just sent you a text message with a picture attached to it, then it would automatically exploit your phone and they would get access onto your phone. And that was on the iphone.

So the attacks have really moved really from computers to mobile devices. And so that's really that next frontier. And then I'm not even gonna get into the E-Sim attacks and SIM swapping attacks that are happening nowadays.

It's a whole new world out there. So if you're on prem and the computer doesn't have servers. This is still a major concern, and these attacks nowadays are on top of automated AI enabled attacks that can be launched in any type of device.

Jonathan Engle | Startup Stack: Oh, that's a great point. So let's step it back a bit. I'm at an early stage startup. I'm just getting started. Maybe pre-product, early revenue just getting going. What should I do on day 0, just out the gate? What should I be doing from a cyber standpoint? And then from here let's kind of build your startup, cybersecurity roadmap. I know this could probably be a 3 hour webinar, with everything we're touching on.

 

Corey White | Cyvatar: So day one you really need the basics right? You need to have a multi factor/2 factor on everything. So say, if you're using Microsoft or G suite, you need to have the 2 factor set up for that. An authenticator app is used for that. So you gotta have that, it’s table stakes. The reason why is that the hackers have your password.

They have my passwords right? I mean, I go back, you know, 20 something years. I used to use rainbow tables to crack passwords. We usually have password cracking servers.

That stuff has gone away, because what happened to computing power in the last 20 years, the usage we take out, it'd be a year before we'll crack this password, so it's a good password now. It'll be cracked in literally minutes, so your password can easily be cracked or compromised or guessed.

And if anybody knows what credential stuffing is, this is an attack vector that you can Google the 23AndMe hack so credential stuffing is, if you think, okay, I'm gonna just use the same password for all these other accounts. It's not like my email is not my bank. Of all this other stuff, I'm just using the same password. Well, those companies get compromised. The hackers have a database of all these usernames and passwords. And so they can literally use those credentials and try to log into various websites. And so that's exactly what happened to 23andMe. So passwords are very important. You know it controls using multi factor because they've already been compromised. 

The second piece you want to do is that you wanna look at your business and figure out, okay for my type of business, what am I trying to protect? And what am I trying to protect against? So if you're an early stage startup and you're building some proprietary, amazing code, where do you keep that code, and how are you securing that code? You wanna make sure that those systems are secure. The last thing I'll say is just so everybody understands how attacks actually happen today. 

Number one, they're financially driven. I am going back 25 years. Nobody is defacing websites anymore. The last time you heard that happened right, those days are gone. Right? So now they're hacking in for a purpose to make money. That means running somewhere, distorting business, email, commas, etc., and so that is the main goal and driver. And so you need to think, okay, well, I'm building this new AI tool that takes healthcare data and automates securing or something, whatever it may be. If you have access to PII (Personally Identifying Information) or PHI (Personal Health INformation, you need to have a strategy to protect that.

And what is PII or PHI protected health information? Easy electronics, you know, protect the health information recorded. But HIPAA needs you to have a way to protect your confidential data, or PII personal identifying information. So you need to have both of that secure.

And so that's why you guys think about what is right for your business. Don't overkill it. But do those basics. Now I could go on, but I'll stop there.

 

Jonathan Engle | Startup Stack: Just one follow up before you jump in for a multi-factor that makes sense like it's kind of a setting usually just turn on and use like, okay, my Google authenticator, I type in the code, and then you log in and gain access. But is a password manager, I mean, is it safe to say that you should have something like that? Or is that the cause? I think a lot of people it's like, oh, I use OnePassword, LastPass, or something like that. My passwords are okay. Is that accurate?

 

Corey White | Cyvatar: yes? A couple of things. I'll talk about one. When you think about configuring your multi-factor authentication that a lot of companies will configure; there's a time out for the second factor. You could say don't pop me again for that second factor and people were putting like 8 hours. So you log in in the morning and then authenticate. And then you don't get re prompted for another 8 hours. But 4 hours into work, you get a phishing email. You click on that phishing email. And it says, “Hey, you need to log back in and re-authenticate.” And you know you’re authenticated all day. So you type in your credentials again. And then, you know, yeah, it just got all of your credentials.

And so that happens a lot with people misconfiguring multi factor 2 factor and adapt configurations to where, if there's an anomaly or whatever, that's one piece. The other thing is, I'm a proponent of password managers because there's no way in hell you can memorize all these different passwords. Just not possible. But you have to keep in mind that you look up all the password managers.

All of them have been compromised at some point or another. So be careful what you're putting into the password manager and every single site you log in. Try your best to have that second factor, even if it's just the text messages going back to your phone. If that's what they support, then use that to try to house something else, because the passwords will compromise period.

 

Jonathan Engle | Startup Stack: Thank you for that. That's been on my mind. So it's good to hear that. So Ian, same question.

 

Ian Garrett | Phalanx.io: With cyber there’s a lot of tools. That's what I'm trying to figure out. I don't know if that's what I'm trying to do. I don't know if that's what I'm going to do. It's just like, I don't know if that's what I'm going to do. You'll find the capabilities that you're using and solutions. That's your exposure right? And then all of them have configurations that can make it more secure. So that's where your multi factor authentication comes into play. That's also just choosing what passwords you're using.

You know pretty much what everyone said I would recommend like using a password manager. Because if you're not gonna remember, if you're doing the right thing for your passwords. You're not gonna be able to remember them all. In fact, I don't even bother. Did a lot of them have a password generation component, just crank that to like 20 characters with special characters, numbers, all of it. There's gonna be some garbage in there, and you like every time you need to make a new password hit generate and pick a random thing. Use that, save it, and just ideally you rotate your master password numerous times throughout the year. But don't use any any of the stuff that we used to try to remember. Don't even bother and that makes it easier for your life, but also makes it harder. Because if you think about like all like, it's tying back to what is a good cyber strategy in general. It's something called defense in depth. And what that really just means is trying to make it hard for somebody who's not you or somebody who's not supposed to have access to get access. 

So what that looks like for a SaaS application. Or you know your email to speak with, it's starting with a solid password. And then it's making sure that you have a multi factor on. So whether that's a Google Authenticator, Microsoft Authenticator, Duo, or whether that's even using SMS. I would recommend using an authenticator tool over SMS. But if SMS is easier than some authentication, that’s better than no authentication. That way if they crack the password then they have to stay on your phone and crack the passwords to your login. And that's why we can go way deeper into how to further protect even a remote environment, for example, but there are ways to essentially geo-locate the team or make sure that only certain IP addresses can access certain things. If you have AWS infrastructure, for example, you can make it so that only if you're going through a couple of different ways that you can access those resources versus just someone, random on the Internet.

But yeah, I'll start with the free stuff and with configurations. That's the easy stuff. And again, we're both happy to help anyone that needs ideas on how to configure what. What configurations exist are multi-factor, for sure. Do a strong password, and then from there enumerate all your stuff. Just make sure that you know what your exposure is, because you can't protect what you don't know. Start with understanding what your exposure is, and then work to protect it from there.

 

Corey White | Cyvatar: One more point, Jonathan, just to add on, because the world has evolved so much over the last few years. I literally have an example from a customer of ours. This is a 5 person company. But they can't get that big deal that that contract with the DoD or large global company unless they're SOC 2 or at least fill out a security questionnaire.

So literally, they come to us and get subscribed to our vulnerability management import multi factor those basic things from us. And we implemented literally within a few weeks. Then they were done. But that world has changed where you can't just do the minimum anymore, because it’s the only way a startup can grow and and and have insurance. You gotta have compliance and you gotta answer security questionnaires. You gotta have these things in place. So that's the only other caveat. You need this to grow your business.

 

Jonathan Engle | Startup Stack: I kind of chuckle with that example, because I think that the second client that we ever sold to… You know, we just had our first product going, and it was a Fortune 500 company starting an accelerator. And I was like, “I have no idea if we can sell to you.” And sure enough, their cyber team sent us a questionnaire, and my eyes glossed over. I was like “crap this is a huge deal. It'd be worth a lot.” And I just leveled with their security team. I'm like, “Look, here's some basic information. But like I've never filled one of these out before. You tell me, do I need to go hire someone to help me fill this out? Or is this good enough?” 

That almost killed the deal. I mean thankfully we were able to make it work. But to your point, that would have altered the course of the Startup Stack if we hadn't handled that well. So that's a very real thing. If you are selling seriously, and most startups, they'll start SMB and go enterprise at some point right? And so that becomes even more prevalent. That's a very common practice. This is a great segue. 

So what are the other milestones that a startup should be aware of? It sounds like there's a foundation. And there's some basic things like configurations. Then there's kind of security questionnaires and practices and things like that, what else should people be aware of?

 

Ian Garrett | Phalanx.io: I think it really starts with again going back to what are your assets? So in the beginning, it's probably you, your co-founder, and one or two other people. A lot of SaaS applications you got like you're using, maybe Google Workspace, Google drive as your core kind of office.

But then you're gonna get more employees. And then you're gonna get maybe client data. And then maybe you're gonna get an office with a network, or you're gonna start buying employee laptops. 

Every time you add in new assets, it opens you up for more exposure, which means you want to get something on top of that. That could include vulnerability scanning per device, whether or not you have some sort of network application, or you have a network. And you know, obviously you want to have a firewall. But you probably want some sort of network monitoring solution as well. It's about how you start adding complexity. Start looking for things to protect each one of those. And I recommend once you are around the 10 employee mark is where it becomes too cumbersome for the business owners to do it themselves, because of the complexity of how to do it right. It gets a little bit too much to do. You have a business to run and you’re not a cyber security expert. So usually around that 10 employee mark is when I recommend you either go do some outsource stuff or at least get some easy tools that are a little bit more comprehensive than an anti-virus or a password manager.

 

Corey White | Cyvatar: Yeah, to answer the same question. It is really interesting. Just over the last 4 or 5 years I think the landscape has significantly changed. And so you take my previous point of that small company that needed to be compliant. They're having the same small businesses get the same requirements that a larger company is getting, but they don't have those capabilities.

So the few core tenets that I focus on for our customers as we talk to them are the following. Number one, they've learned the hard way that compliance does not equal security. And so what does that mean? Here’s a real world case from a startup. They had been in business about a year and were just starting to grow. Then someone threw SOC 2 at them, and so they called me about putting in these controls and they can get there faster, but they also went to one of those SOC 2 companies that says, “Hey, we can get you SOC 2 in 2 weeks,” or whatever they say. And so they went to them and signed up and went through the process. And then they say, “Well, you still have to implement a vulnerability master program, multi-factor security, this training, IT assets, etc.” And they're like, “Well, anybody can do that.” And then they came back to me to implement all these things. And so a 10 person company to your point is different from my 10 person company. But they could not sell and grow to the next level till they got there.

Now, you know, I have another customer with a similar thing. They had this big contract, and they said, “We need you to add us to your cyber policy,” and they're worried. They say they’ll have a cyber policy. And so when they went to try to get one, the cyber security insurance company came back and said what things they needed to have. But they didn’t have them in place. So then they came back to us and said, “Hey, can you put this in place?” And then we introduced them to our cyber partner for insurance, and so they got, you know, an amazing rate at it.

And then last point I'll make is on the tools themselves. You used to be able to just go and kinda get a tool to check the boxes. But the types of attacks being levied against small to me in size businesses today are similar attack methods that are being used and automated, especially with AI, against larger companies. And so they are looking for the low hanging fruit that has nothing in place. So if you go out and you choose the cheapest, freest tools that don't have the best capabilities, then you're gonna probably be compromised, and so it is important to do your best to get enterprise level tools that actually can stop some of these attacks. And so that's one of the pieces that we've built into our model is you want to have the best tools and the best expertise because you're being targeted by sophisticated hackers that have automated their techniques against you. And so it's just they're looking for the lowest hanging fruit with the best methodologies. The game has significantly changed over the last 4 or 5 years.

 

Ian Garrett | Phalanx.io: Really quick to jump off that, I want to highlight that security and compliance are not necessarily the same thing. A lot of times we hear, “Oh, but I have SOC 2, I'm good.” Or the business told me who I need to talk to if I get stuck. That's the only part of it. What SOC 2 is really doing is taking a snapshot of your existing business. It's saying that you took the snapshot of your existing business controls, and you put that into a report. Essentially, it doesn't say how secure you are or how good you are at security. It just says that you have the snapshot that you can hand over. It helps with security questionnaires when you're selling. But it doesn't actually say you're secure and getting it doesn't mean you're secure because a lot of organizations get SOC 2 because they check certain boxes, but you don't need a vulnerability manager. You don't need to have any kind of protection or encryption. It's just saying what it looks like today, and that meets this kind of minimum threshold. But it doesn't actually provide security to us. I always like to say it's good to have if somebody's asking for it, and I guess on the flip side of that, don't get it unless somebody is asking for it because it's not actually protecting you. And you're gonna spend like $10,000 at least. So if it's gonna make you revenue, then do it. Focus on putting good controls in and SOC 2 comes easily later, but don't spend the money on it unless you need it.

 

Jonathan Engle | Startup Stack: That's a good point. So basically, if you invest in just being secure along the way then when you need to get those compliance checks like something like SOC 2  then it's gonna be a lot easier to get. It sounds like starting from scratch the moment you try to get your SOC 2 will be harder than if you start with security in every step of your growth.

 

Ian Garrett | Phalanx.io: It'll make the whole thing easier if you start halfway down the line as a reactive kind of thing. Then you're gonna have a bad time. It's gonna be expensive.

 

Jonathan Engle | Startup Stack: This is cool. We talk a lot about technical debt of coding one way and then fixing it later. It sounds like there's a similar concept with security. It's best to build it with security in mind all along the way rather than just 3 years later trying to fix it. So I know we're getting close on time. We got about 7 minutes left. I'd love to hit two things before we end. I would love to hear from both of you  about how your company addresses cyber security. How do they fit into this narrative? And then after that, we'll hit Q&A and wrap up.

Do you want to start, Corey? How does Cyvatar fit into a founder’s journey? When should they be thinking about your service and having a conversation with you about whether that makes sense to incorporate into their cyber strategy.

 

Corey White | Cyvatar: Yeah, absolutely. What I did is start this business after being in the industry for about 24 years. I realized that I just knew too damn much about too many different things, and I wasn't able to share it with startups or SMBs.

And so I'm like, “I can build this.” And I can make it simpler. I have relationships with global cyber security companies. If you want to go and buy the best products right now for your 10 person company… try to go to their website at these big companies that do cyber security and try to buy it. They won't sell to you. I truly believe you gotta have the best of breed enterprise. Great products implement, manage, and maintain continuously in a subscription.

And then, you look at the fact that the reason why an SMB buys cyber security, it isn't secured 9 times out of 10. They're buying cyber security so that their business can grow because somebody told me to get SOC 2 or fill out a questionnaire or they need insurance. And the only way to fill those gaps is to actually have those controls in place. And to Ian's point, if you're gonna put those controls in place, put them in place properly. 

And then the last point that we had to solve here is, how do you make it affordable for small to medium sized businesses. So we simply price based upon the number of employees or number of seats. So if you had 2 employees, then that's your price. And so now, all of a sudden it's affordable. And as you go to 10 and 50 and 100, it’s still affordable. And it's predictable based upon the number of employees that you're using. So we had to solve all that and put it into a subscription. And really in my mind, we just design the future of cyber security. And that's our trademark. And so that's our approach. So that's how we solve it.

 

Ian Garrett | Phalanx.io: Oh, thank you. That totally makes sense. Thank you, Corey. Yeah, I mean, we like to say that Phalanx is your first security employee. So we want to be foundational. We can grow and scale with your organization. So in the very beginning, we're all about how do we work alongside the employees so that you don't have to do anything different. We extend into the existing workspaces. If you're dealing with files on your desktop, we're securing those files. If you're dealing with Google Google drive or securing that and then you're ready to start bringing on more security talent and getting more advanced security tools. We actually then pipe all that data into those other tools. So again, we like to say we're the first employee security employee you should have.

It’s like how Brex says buy their product to make your future CFO proud. We said, make your future CISO proud, because we have all that data there. But at the end of the day, people don't need the data. They need to protect their own personal data. And that's what we do. So anytime you're dealing with business documents, whether it's storing them locally, whether it's storing them in a cloud, or whether it's transferring to and from your client, we secure that whole process.

 

Jonathan Engle | Startup Stack: This is awesome. Thank you, both of you. So time management is tricky with these webinars. There's so much more that we could dive into. So I do wanna kind of rapid fire through some of these questions in the chat.

I'll jump to the first one. How is Wordpress versus HTML or CSS for making a secure website? What are some tips on plugins to make the website and mobile apps more secure? 

 

Ian Garrett | Phalanx.io: I would combine that one with a question that's a little bit lower about static websites and websites in general. So pretty much again, think about, you know, how are people getting in? So anytime there's an input to a website, including a login for your admin like a WordPress admin, for example, that's exposure. But if you just have a static page that doesn't have the ability to take any inputs, then you're actually pretty good. So if it's just a landing page that doesn't take any input then you're actually not gonna have a hard time securing that case. There's no real easy way to attack it. But if you take in a lot of data, or if you have a SQL database that receives data from the Internet and it goes into your database. That is an attack factor. So really, just think about anytime, someone can input something, that's where exposure is. And that's where you want to get a plugin to sanitize your inputs. You want to have extra securities on inputs. But if it's just displaying information, then you're actually pretty good.

 

Jonathan Engle | Startup Stack: Awesome. Thank you for that. Next question. If someone uses your company (Cyvatar) for cyber security does all the compliance certs you list on your site become something your customers can claim.

 

Ian Garrett | Phalanx.io: I don't fully understand the context of that. I believe that's for Corey.

 

Corey White | Cyvatar: I'll jump in. So no, it's not transferable. Right? You can't say, okay, Cyvatar is SOC 2 and GDPR compliant, and that makes your company that same. No, there's different data and different access.

 

Ian Garrett | Phalanx.io: Okay? Yeah, that's a great point. Yeah, you can't borrow someone else's cyber security right? Because it's still your own business that you're securing. That extends also for when you're using Google Drive or OneDrive or AWS. Just because the organizations are securing their servers and having high secure security on their end, doesn't mean it's necessarily securing your data in their infrastructure. Most attacks and most exposure happens because of employees making accidents, or you yourself making an accident on your side. And there's no amount of Microsoft server encryption that's gonna stop that from happening.

 

Jonathan Engle | Startup Stack: Yeah, awesome. I know it's a rapid fire. I hope that covers what people are looking for. I hope that everyone got something out of this. I know we could probably go a lot longer, and maybe we need to do a part 2 in a month or so. And this is awesome. Thank you, Ian and Corey, this is fantastic. I love the work you do.

I feel like a cyber security fanboy - like I don't know enough to actually do the job. But I just think it's really fascinating the world that we live in.

Just as we wrap up, here’s a reminder to everyone that Cyvatar is offering a month free on their first year subscription, which could be worth up to $10,000. So that's a really awesome deal to take advantage of to get started with them. And Phalanx is offering 20% off 2 years off of Phalanx's product, which is another amazing deal.

And then, from the Startup Stack, we're offering free founder consultations to anyone who schedules with this meeting Link. You'll notice I don't have a lot of availability. So that's just a matter of timing. So if you wanna find a time soon, I'd love to chat.

We'll take everything that we've covered in this, and turn it into some great follow up materials. You'll get a link with the recording, and we plan on making some blog posts that kind of summarize these things.

Any closing thoughts Ian or Corey? Otherwise, just thank you both for your time today. 

 

Ian Garrett | Phalanx.io: If anyone has any follow up questions definitely reach out on our website and would love to answer any questions related to obviously file encryption. But beyond that, just cyber security for SMBs and startups as well.

 

Corey White | Cyvatar: Yeah, the same thing hit me up on Linkedin or go to our website Cyvatar.ai or you can even shoot me an email corey@cyvatar.ai, either way.

 

Jonathan Engle | Startup Stack: Awesome. And we'll put that in the follow up as well. So people can take you up on that. So thank you, gentlemen, this has been awesome, and thank you everyone for attending. I hope you have an awesome weekend.

 

Ian Garrett | Phalanx.io: Really appreciate it. Thanks for having us.


Jonathan Engle | Startup Stack: Thanks everyone. Bye-bye.

Transcript End

Ready to start saving on the solutions you need?

Explore Discounts