The Ultimate Guide to Cyber Risk Management for Startups

Cyber risk management principles are fundamental ideas that should guide all decisions and actions of your cybersecurity risk management approach.

Cybersecurity and information security threats can devastate your startup or mid-market business. Cyber risk management is a systematic way to deal with them as a business and as an organization.

Though cyber risk management may sound daunting to professionals outside the security domain, in this article, we’ll help you understand why you shouldn’t ignore it. We’ll show you why adopting a standard risk management framework can make its implementation easy. Finally, we’ll define a process you can use to implement it effectively in your startup. 

What Is Cyber Risk Management?

Cyber risk management is the systematic identification, evaluation, and controlling of risks to information systems like servers, routers, databases, or storage devices.

It’s a part of enterprise risk management, which covers a broader set of risks like legal risks, financial risks, natural disasters, and so on. It’s also a component of cyber risk management that deals with risks from malicious cyber threats.

Note: In this article, we limit our analysis to cybersecurity risk management and refer to it interchangeably as cyber risk management or CSRM. 

3 Reasons Your Startup Shouldn't Ignore Cybersecurity Risks

Team brainstorming ideas

Most management and employees would prefer to focus on their primary tasks rather than security. It’s particularly evident in startups outside the information technology industry in spaces like biotechnology, healthcare, or manufacturing where the founders may not have any exposure to cybersecurity. However, ignoring cybersecurity risks and risk management can severely damage your business. Here are some examples:

1. Financial Costs

An average cloud data breach in 2021 was estimated to cost $3.61–$4.80 million in lost revenue and brand damages. The average cost of a ransomware attack in 2021 was $1.85 million due to downtime, ransom payments, and engineering effort.

2. Regulatory Compliance Penalties

If your startup’s in an industry like healthcare that’s governed by regulatory standards, you may incur regulatory penalties for non-compliance. For example, the Health Insurance Portability and Accountability Act (HIPAA) penalties for not handling sensitive data correctly can result in a $1.5 million annual penalty.

3. Reputation Damage

A successful cyberattack on your company can damage your reputation. You may lose some existing customers, drive away potential future customers, lose acquisition deals, or invite legal actions. For example, in 2019, the food delivery startup DoorDash faced class action privacy lawsuits over a data breach.

Plan Your Cyber Risk Management Strategy

Small and mid-market young businesses face some unique cybersecurity challenges that larger businesses don’t. For example, your budget may not allow you to obtain the security expertise and technology you need. Plus, your management may not have the awareness, time, or inclination to improve your security program.

In such a situation, designing your risk management system from scratch based on incomplete knowledge may leave your startup highly vulnerable to attacks. We strongly recommend that you instead select a standard cybersecurity risk management plan. It typically consists of three components:

  1. Principles: These are the foundational values your risk management should follow.
  2. Frameworks: These provide organizational arrangements to ensure all the principles are followed.
  3. Process: This is the implementation of cybersecurity risk management, incorporating the framework’s concepts and following all the principles.

We’ll explore these components in-depth in the following sections:

5 Cyber Risk Management Principles

Cyber risk management: person writing notes in her notebook

Cyber risk management principles are fundamental ideas that should guide all decisions and actions of your cybersecurity risk management approach. They are similar to your organization’s vision and values that influence every decision and action.

The ISO 31000:2018 guidelines recommend that an organization, at all levels, should follow eight principles for effective risk management. While you should follow all eight, these five are particularly important to a young startup or mid-market business:

1. Integrated

Cybercriminals or advanced persistent threats (like hostile intelligence agencies) may be interested in stealing any data they can find, including your research data or intellectual property. 

You should plan to integrate CSRM into every project and activity that uses cyber resources — that includes research, manufacturing, development, operations, sales, marketing, and everything else. Since a startup’s departments can sometimes work as silos, senior management should take particular care to ensure this integration even if they’re not personally familiar with cybersecurity.

2. Inclusive

Your CSRM should include the opinions of stakeholders from your entire organization — from management, security, IT, operations, sales, marketing, and any other department in your industry. Communicate the outcomes of the process to all affected departments and personnel.

3. Dynamic

New risks are constantly emerging. Your CSRM process should be aware of this. Continuous security monitoring of assets and automated security workflows are essential.

4. Accounting for Human and Cultural Factors

Other employees — even management — may not be knowledgeable about cybersecurity best practices. But an effective CSRM needs their active participation. Constant training, awareness, and communication are essential for building a good security culture and risk management process in your startup.

5. Continually Improving

The CSRM process should always look to become more effective and close any security gaps, no matter how small.

Cyber Risk Management Frameworks

A risk management process is only effective if the organizational environment around it is set up correctly. A cybersecurity risk management framework (RMF) outlines the organizational arrangements you need to use to effectively integrate risk management and its principles into your business’s daily life.

For young businesses facing organizational and financial constraints, we recommend starting with the National Institute of Standards and Technology (NIST) cybersecurity framework (CSF). Its breadth and depth help your cybersecurity program avoid missing any critical areas. The NIST CSF’s getting started guide and learning resources are easy to access and understand. 

The ISO frameworks, although helpful, are less accessible and more expensive. You can consider them when your cybersecurity program has matured. 

In the next section, we introduce the key CSF ideas you should know.                

NIST Cybersecurity Framework (CSF)

These are the key CSF concepts you should know before setting up your risk management process:

Functions, Categories, Subcategories, and Outcomes

 NIST Cybersecurity Framework
Image credit: NIST

CSF organizes the breadth of cybersecurity concerns into functions, categories under each function, and subcategories under each category. 

A category is a set of closely related concerns. Each subcategory addresses a single concern and its desired outcome. Five functions form the top-level grouping:

1. Identify Function

This aims to develop an organizational view of your cybersecurity concerns. It addresses cybersecurity risks to your business lines, departments, business contexts, people, business partners, information technology assets, data, and capabilities.

Some key categories under this function are:

  • Asset management: It identifies all the assets — data, devices, systems, or external information systems — used by your business processes.
  • Risk assessment: The assessment identifies the threats, vulnerabilities, and impacts on your assets. See our in-depth guide to start planning your security risk assessments.
  • Supply chain risk management: This covers the cybersecurity of your ecosystem of suppliers, vendors, and buyers.

A few example subcategory outcomes under this function:

  • Software platforms and applications within the organization for the asset management category are inventoried.
  • Threats, both internal and external, are identified and documented for the risk assessment category.

2. Protect Function

This function defines the safeguards and techniques you can use to limit the impacts of threats.

Key categories are:

  • Identity management, authentication, and access control: It covers limiting access to assets to only authorized users and devices.
  • Data security: This covers the protection of your data from threats like data leaks and unauthorized access.
  • Protective technologies: It covers the deployment of technical protections like audit logs and firewalls.

Example subcategory outcomes include:

  • Senior executives understand their roles and responsibilities.
  • Protections against data leaks are implemented.

3. Detect Function

It defines the activities necessary to detect the occurrence of a cybersecurity event.

A key category is the continuous monitoring of the security of assets. Example subcategory outcomes include:

  • Vulnerability scans are performed.
  • Event detection information is communicated.
Free Assessment

4. Respond Function

This covers how your business should respond to detected cybersecurity incidents.

Key categories are:

  • Response planning: This asks for comprehensive incident response plans.
  • Communications: Communications covers how to discuss an incident and its impacts on internal and external stakeholders.
  • Risk mitigation: It includes activities to limit impacts from continuing or spreading.

Example subcategory outcomes include:

  • Voluntary information-sharing occurs with external stakeholders.
  • Forensics (of cybersecurity incidents) are performed.                   

5. Recover Function

This function identifies activities to restore any business capabilities that were affected by a cybersecurity incident.

Key categories are:

  • Recovery planning: This includes recovery plans and procedures.
  • Improvements: It asks for updates to all functions to prevent similar incidents in the future.

Example subcategory outcomes include:

  • Recovery strategies are updated.
  • Reputation is repaired after an incident.

Implementation Tiers

The CSF recognizes that every organization has constraints that prevent it from implementing all outcomes. So, it suggests four implementation tiers, each with a set of characteristics that describe how rigorous the cybersecurity risk management practices are:

  • Tier 1: Partial
  • Tier 2: Risk informed
  • Tier 3: Repeatable
  • Tier 4: Adaptive

As a young startup or a mid-market business, you should select a tier that meets your security goals and satisfies an acceptable level of risk. Base your tier selection on factors like your threat environment, your legal and regulatory requirements, and your organization’s financial and other constraints.                   

Framework Profiles

Cyber risk management: Framework Profiles
Image credit: NIST

A profile is an assessment of all your subcategory outcomes under the framework’s five functions and their categories, how far they are from where you want them to be, their priorities, their current implementation tier, their budgets, and so on. In the profile, all the framework components come together to form a comprehensive report card that tells you where you are on each outcome.

Creating a current profile — where you are — and a target profile — where you want to be — are important steps in the risk management process      

6 Steps of the Cyber Risk Management Process

Man wearing suit running up the steps

Now that you know the CSF’s key concepts, you can set up a cybersecurity risk management process in six steps. ISO 31000:2018’s risk management steps are very similar to CSF’s, but it uses different terms for them:

1. Prioritize and Scope

ISO 31000:2018 calls this the scope, context, and criteria phase. Here, your startup’s senior executives should define the scope of the process. What should it achieve in terms of business objectives? For example, an objective may be to obtain ISO 27001 certification to partner with a large client.

What business lines or projects should it prioritize? What implementation tier is suited to your current capabilities and risk appetite? Talk about the answers with all the scoped business lines and projects.

2. Orient

Once the scope has been defined, you should identify related assets, regulatory requirements, and any other factors that may affect cybersecurity. Then, assign roles and responsibilities for implementing the process.

3. Create a Current Profile

You should evaluate your current security status in terms of the framework’s five functions, their categories, and their subcategory outcomes. All the outcomes described in the framework’s five functions are addressed in this step through activities like:

  • Cybersecurity risk assessments
  • Vendor risk assessments
  • Threat analysis, to form the threat landscape (the set of all threats you face)
  • Vulnerability management to find vulnerabilities in your IT systems and assets
  • Risk analysis to evaluate impacts of cybersecurity incidents
  • Application of security controls — the techniques to improve protection of your assets — like authentication policies, firewall policies, or data encryption

Document the current status of each outcome — completed, partially completed, or to be done. ISO 31000:2018 calls this the risk assessment phase consisting of risk identification, risk analysis, and risk evaluation.

4. Create a Target Profile

Create a target profile with your desired subcategory outcomes. In this step, you’ll also consider whether you have the financial and other resources to move to a higher implementation tier.

5. Compare Current and Target Profiles

Cyber risk management: Current and Target Profiles
Image credit: NIST

Perform a gap analysis to find out how far your target profile is from your current profile. Document the gaps using outcome-specific metrics (like the number of incidents prevented), priority labels (high, medium, or low), gap labels (large, medium, or small), budget for each task, and planned actions.

The outcome of the step should be a prioritized action plan to close the gap between the target profile and the current profile.

6. Implement the Action Plan

The responsible teams should implement the actions prioritized in the action plan. Repeat these six steps to continually improve your cybersecurity risk management, security strategy, and security measures. New projects and new clients often bring additional risks in the form of new technologies or new vendors. So, you need to continually update and repeat your process to stay on top of all risks.

ISO 31000:2018 does this in its risk treatment, monitoring, review, and reporting phases.

4 Critical Security Risks Startups Should Focus On

Team listening to their colleague who's presenting his ideas

The CSF’s identify function covers a wide range of cybersecurity concerns. Of those, we’d like to turn the spotlight on four critical risks a security team at a startup or mid-market business should pay special attention to.

1. Data Breaches

Data breaches have the potential to severely damage your company’s reputation. They also affect the privacy of your customers. Sometimes, they may open you up to regulatory penalties or legal liabilities. As a young startup or business, you can’t afford any of that. The CSF covers these aspects under the data security (PR.DS) category. Ensure that all its subcategory outcomes are implemented strictly.

2. Cloud and Third-Party Vendor Risks

The CSF covers these external risks under the supply chain risk management (ID.SC) category. Regardless of the industry, you’re probably a cloud-native using cloud and third-party vendors for storing critical business documents, performing data analysis, or developing software. These vendors can become sources of cyber threats to your assets, or you to theirs. We recommend that you evaluate and implement these subcategory outcomes as effectively as possible.

3. Ransomware Risks

Ransomware attacks are extortion attacks that render your critical data or systems inaccessible until your company pays up. Such ransom payouts can be devastatingly expensive for young startups. Plus, the U.S. government’s Office of Foreign Assets Control can penalize you for lacking preventive measures and not communicating an incident to the government.

So, you should have prevention, recovery, and communications plans for ransomware. They are covered by the CSF’s data security (PR.DS), information protection (PR.IP), continuous monitoring (DE.CM), and recovery planning (RC.RP) categories.

4. Social Engineering and Phishing Risks

Such threats target your employees to obtain sensitive credentials or data. While technical approaches are possible, they are not always effective. Implement the CSF’s awareness and training (PR.AT) outcomes in addition to protective technologies (PR.PT) to address such risks more effectively.                   

How ThreatKey Supports Your Cyber Risk Management

ThreatKey’s security data platform for cloud and third-party security supports many cyber risk management activities expected by the CSF:

  • Vulnerability scanning: ThreatKey secures your subscriptions to cloud services like AWS and third-party services like Google Workspace, Microsoft 365, Box, GitHub, Okta, and Slack. You can integrate ThreatKey to achieve some of the outcomes under the supply chain risk management (ID.SC) and continuous monitoring of security (DE.CM) categories.
  • Risk mitigation: ThreatKey identifies and automatically remediates security issues in these cloud and third-party services as expected by the response mitigation (RS.MI) category.
  • Automated asset management: ThreatKey provides automated cloud asset discovery to achieve outcomes under the asset management (ID.AM) category. We use our system-of-record technology with API-based agentless scanning and log ingestion to ensure full discovery of your cloud and third-party service assets.
  • Configuration change control: ThreatKey records your configurations for these services, detects changes made to them, and finds potential security issues arising from them. This is expected by the configuration change control process outcome under the information protection (PR.IP) category.

Cyber Risk Management: a Key Long-Term Investment for any Startup

Cyber risk management: team having a friendly discussion

Cyber incidents rank as the top business risk of 2022. Setting up an effective cybersecurity risk management plan for your startup is one of the wisest long-term decisions you can take. You can use this article as a guide for beginning this process.

ThreatKey’s features efficiently support your cybersecurity risk management strategies for cloud and third-party services. Try ThreatKey for free today.

Never miss an update.

Subscribe for spam-free updates and articles.
Thanks for subscribing!
Oops! Something went wrong while submitting the form.