Mark Tibbs
Cyber Risk and Complex Investigations
Partner, Mishcon de Reya
Alright I’m going to get started then so thank you very much for joining us today, welcome to our, this is our second digital fortress digital session of 2024 where we are going to provide some practical tips based on our real experiences across cyber risk. So if you’ve got any questions, please put them in the Q&A function and we’ll try to address them at the end and if you’ve got any technical difficulties, please put them in the chat function. If you want to get in contact with anyone at the… any of the speakers directly, please click on the resources tab down below and you will be taken to their bios and contact details and there will be a recording of the session today for everyone who signed up. So into today’s session we are going to delve into the world of cyber security for start-ups. Obviously start-ups comprise a large part of the UK’s intellectual capital and business growth but they also face unique financial and personnel constraints as a result and as a result cyber security may become a lower priority and unfortunately all it takes is one attack or it can take one take for a security breach to really impact a start-up’s reputation before it’s even been established in the marketplace and obviously of importance to start-ups is you know, how this can impact customers but also how it can impact investor confidence which you know, can be particularly disastrous. So during this digital session we are going to explore various cyber security challenges faced by start-ups from where to host through to data privacy to data security and we’ll hear from our experts who will introduce themselves shortly, Francisco and Duncan to gain their insights on cyber security for start-ups and discuss how to meet these challenges. So thank you for joining us and we look forward to an engaging and informative session so my name is Mark Tibbs, I’m a partner in the Cyber Risk and Complex Investigations practice.
A lot of my job is around cyber intelligence but also traditional investigations to support our lawyers and I am going to hand you over to Duncan to introduce himself.
Duncan Cowan
Co-Founder & CTO, Howbout
Hi I’m Duncan, I’m the Co-Founder and CTO at Howbout which is a consumer social calendar app where we allow users to connect with each other and share their calendars and therefore share their time with each other.
Mark Tibbs
Cyber Risk and Complex Investigations
Partner, Mishcon de Reya
Thank you Duncan and Francisco?
Francisco Sanches
Cyber Risk Director, Mishcon de Reya
Hi my name is Francisco Sanches, I am a Director within Mishcon de Reya, the Cyber Risk Director which means I am responsible for our three verticals of incident response, digital forensics and security consulting. Nice to meet you all.
Mark Tibbs
Cyber Risk and Complex Investigations
Partner, Mishcon de Reya
Right thanks to meet you both, thanks for joining both of you. So first of all we are going to talk about cloud hosting platforms so obviously very important for any business these days to choose the right platform on which to host your product but I guess for start-ups because of constraints financial and otherwise, there are probably things that are more important than others when it comes to trying to choose one. So first of all panellists, I don’t know who wants to go first, maybe Francisco. Could you share your insights on how start-ups should approach selecting a cloud hosting provider from a cyber security perspective? What are the considerations for start-ups in particular?
Francisco Sanches
Cyber Risk Director, Mishcon de Reya
Sure, most of the start-ups consider a major cloud provider, someone like Amazon, AWS, Microsoft Azure or the Google GCP Environment and that brings several benefits to them both starting from there is extensive experience and guidance for start-ups in there. Lots of helpful documentation, blueprints on how to set up that environment in a secure manner and how to grow with it as the start-up grows as well. They, the biggest providers also typically offer some sort of discounted service or even free services for start-ups because they do want to get you in there in the beginning of the start-up so that you grow with them as there are a lot of benefits from that. So typically I would look for a cloud provider that has start-up specific problems and support, ideally look for those free consulting services or highly discounted services and I would also consider about you know, the community and ecosystem, how many other start-ups are in there? Do we have an active environment talking about how to operate in that environment, sharing tips and how to provide common tips and support? I think those are all key aspects to take into account when you decide on your cloud provider or where to host your systems in the beginning.
Mark Tibbs
Cyber Risk and Complex Investigations
Partner, Mishcon de Reya
Thanks Francisco so there’s a, providers they are trying to get the start-ups business before they sort of become a unicorn status or whatever. Okay, Duncan how about you from your personal experience, what were your considerations when you were thinking about selecting a cloud provider?
Duncan Cowan
Co-Founder & CTO, Howbout
Yeah I think that as Francisco says, it’s kind of you are drawn towards the big three, so in our case we went with AWS because they are really good, they are very generous with their credit system but also they are very good at helping start-ups because they want those start-ups to succeed. What we found is they had a really good security centre on their platform so you can sort of get told okay you are doing these things right but you need to change these things; you get red, amber and green status on that but a really good thing we found that AWS offer is what they call their Well-Architected Framework review where they will pay a third party company to, to come along and have a look at your set-up and they can review from a security point of view and make sure that you are doing things correctly so that you are not going to get you know, screwed by, by security issues in the future.
Mark Tibbs
Cyber Risk and Complex Investigations
Partner, Mishcon de Reya
Right okay yeah, thank you for that. And then moving on to data privacy and GDPR, the dreaded GDPR compliance. So it is obviously a critical concern for all companies with regulations like GDPR in place for data privacy you know there is a threat of fines though probably even more kind of troubling for start-ups would be the threat of bad publicity off the back of a data breach. So ensuring compliance for any business is certainly a challenge but particularly those with limited resources you know, they are doing it on a shoestring like some start-ups so question for the panellists again, Francisco how can start-ups effectively navigate data protection and GDPR you know from the outset? So what are the strategies and tools they could use to manage these responsibilities and you know, manage the resource constraints as well?
Francisco Sanches
Cyber Risk Director, Mishcon de Reya
Well as you mentioned, data protection and GDPR compliance is a concern from the very beginning and it will of course also vary depending on the nature of the business and how sensitive the data they are handling is and the volume of it but overall some tips to consider is that you should do what is known as incorporating privacy by design so whenever you build your product or services from the outset think about designing in a way that you minimise data collection, storage and processing from the privacy needs. There are effectively a lot of free and low cost resources, examples of policies and processes that you have in place from a data protection perspective. The regulators in the respective jurisdictions where you might act also tend to share a lot of the online guides and templates to help you. There is also a very strong community in that space to help start-ups. Now when I mentioned this about seeking free and low cost resources, just recognising that in the beginning you might have to go at it by yourself and just try to make use of generic approaches that fit the needs. Eventually if you can when it becomes relevant and possible, you should aim to engage with external experts and try to get either a law firm or some professional in that space to review your approach and advise you on how to move forward, make sure that you are well protected in that space and you avoid those risky fines and the bad publicity that would be the worst for a start-up. The last thing I would advise is that find a way to keep yourself updated because the regulation in this market tends to still be changing and the approach as well taken with them so there might be either a mailing list or some websites you can subscribe to just to be on the lookout for any privacy related regulation that might affect your industry or your business process so that you can anticipate any changes and adapt to it with time. That’s my key advice.
Mark Tibbs
Cyber Risk and Complex Investigations
Partner, Mishcon de Reya
It’s sort of like if you had all the money in the world you would be going and getting expert advice from everywhere.
Francisco Sanches
Cyber Risk Director, Mishcon de Reya
Oh of course.
Mark Tibbs
Cyber Risk and Complex Investigations
Partner, Mishcon de Reya
You, you are looking to leverage your relationships with mentors and people in the industry etc., to learn from that kind of experience that others have had.
Francisco Sanches
Cyber Risk Director, Mishcon de Reya
Exactly. Mainly if you are creating your minimum viable product, if you are at that stage the data policies on the website and all the process will not be your top priority however there is a minimum you need to have in place to make sure you comply and you address expectations from stakeholders and other parties.
Mark Tibbs
Cyber Risk and Complex Investigations
Partner, Mishcon de Reya
And Duncan, from the coal face because you’ve actually been the one sort of implementing these kinds of policies around GDPR. What, what are your kind of, what’s your experience regarding the needs for GDPR compliance and how have you navigated that?
Duncan Cowan
Co-Founder & CTO, Howbout
Yeah, as Francisco said, it does kind of scale as, as the company scales so you do start out really like when you’ve only got let’s say, we are a B2C company so we don’t you know, we have users rather than clients but as we started out we had a few users you know it’s not really a big deal but as you grow it does become more of a big deal so you have to do it yourself to begin with but as you get money in your investors are going to want to see that your, your policies are good but also you know, so are the users so anybody who is involved in your, in your product so you do eventually get to the point where you’ve got to start investing in that money and investing in reviews from lawyers and things like that.
Mark Tibbs
Cyber Risk and Complex Investigations
Partner, Mishcon de Reya
Because you’ve got to demonstrate it to your, your stakeholders yeah?
Duncan Cowan
Co-Founder & CTO, Howbout
Your stakeholders and investors exactly yeah so it’s sort of like start out and it grows with the company I think and I am sure we are currently at a stage where I am sure the next, the next level we are going to have to get more reviews, more investment on that side of the business. I think the key thing as well is just having a good mentality when you start out. It is not just about tick box exercise, it is not just about having those policies, it is about what are they, what are they actually trying to cover you for, what are they trying to protect. So if you’ve got 10.25 it’s about yeah, should we be keeping that user data you know, to ourselves or should we be sharing it with loads of third parties, obviously minimising how much you are sharing as a great mentality, keeping it in the EU or the UK is is, loads of companies now allow you to do that when you are using their services so with AWS for example you can always keep it in that region you want to operate in so it is just about amending how you do things as you grow but the earlier you start out with the mentality the easier it is because you are not having to claw back you know, data that you’ve sent to the US for example and then suddenly it’s a headache from a legal point of view so yeah, it’s all about the mentality as well early doors.
Mark Tibbs
Cyber Risk and Complex Investigations
Partner, Mishcon de Reya
Privacy from design. Okay I am going to move us all on around common cyber security requests because I know that start-ups often face cyber security demands from their various stakeholders including their clients but also their investors so what kinds of things have you seen start-ups being requested like, what kind of, what are the most common cyber security requests that you’ve seen cyber start-ups sorry, start-ups receive and can you explain the significance of them in the context of securing stakeholder trust and business sustainability, Francisco that one’s for you.
Francisco Sanches
Cyber Risk Director, Mishcon de Reya
So when and probably the most common cyber security request start-ups receive is have you had penetration testing done over your product platform and that is a critical step to have and the reason why I believe start-ups get that request is because you might have designed it to the best of your capabilities, you might have protected the, the product or the service you are providing against the best of what you know how to, you might have adopted good frameworks, you might have a good policy in place. Now the penetration test when properly done will be a direct assessment on how effective all the things you have put in place are irrespective of you having done it to some extent or not so it will give that feedback back, independent feedback done by a third party of if they’ve had to fight any vulnerabilities that you need to fix because they could be exploited by other attackers. It will show a bit of proactive defence on your side because before being asked or before those could have been exploited you have already got an assessment and that will reduce the risk of any data breaches or any financial losses that you may be facing. It is in many areas a compliance need. You need to have a penetration test to demonstrate your compliance with different industry regulations and standards and at the end of the day on practical terms it also acts as a bit of a risk assessment, it gives you the here are the things that you might have to improve or might not be up to where they should be on your environment and then you can frame them and prioritise them as appropriate.
Mark Tibbs
Cyber Risk and Complex Investigations
Partner, Mishcon de Reya
Well I guess as a start-up you want to avoid the whole compliance tick box kind of mentality Duncan and so not all pen tests are the same are they. Can you just give us a bit of a flavour of your experience with pen tests?
Duncan Cowan
Co-Founder & CTO, Howbout
Absolutely so pen testing was definitely one of our requirements at our investment stage, one of our early investment stages as well so it was something that was one of the first things we actually paid a third party to do because obviously you build a product and in your head you are thinking ‘yeah this is absolutely secure’ because you know, if you didn’t think it was secure you would be changing that but having that third party coming in and actually verifying that or finding why it’s not secure is definitely, I can see why that requirement is there. What we did find though was that there is a big offering of penetration testing out there and it is tempting as a start-up when you’ve not got very much money to go for the cheapest option, we actually had a bit of an issue where it turns out the cheapest option sounded great but as soon as we did a little bit more digging into it it turned out they weren’t CREST accredited even though they said that they were so it’s about being wary of actually you know who, there’s a whole data protection and data security sorry element around who you actually go with because you are giving a third party access to, to your software and you’re, you’re kind of telling them that they can try to penetrate your systems so you’ve got to be really wary there as well.
Mark Tibbs
Cyber Risk and Complex Investigations
Partner, Mishcon de Reya
Yeah, yeah, go for credible suppliers. I am going to move this on to the next topic which is around technical controls for systems and data protection so as, again with any company, appropriate technical cyber controls are essential to protect systems and data and this can include things like firewalls, encryption, access controls blah, blah, blah but that’s all well and good if you’re a big company with lots of resources to apply to your cyber security but if you are not, what are the technical controls that are sort of the essentials for cyber start… sorry for start-ups to have in the beginning and how should start-ups prioritise these when they’ve got limited resources? Is it a case of doing the basics well or are there some indispensable products that you would recommend? Francisco?
Francisco Sanches
Cyber Risk Director, Mishcon de Reya
I would go with doing the basics correctly. If I look at it from a cyber risk profile I would say that in the beginning what you have is something in the cloud somewhere plus the laptops that the few employees or one employee in the company on the start-up use. So those are the two things that you want to protect. Now the cloud we talked before that you are mostly protected by ensuring that you follow the nice blueprints that the provider gives you and the hints on how to cover your security in that space. Overall, be it in the cloud or the local laptop, access controls are a key one so whatever systems you use and whatever support it always implement the MFA option, the multi-factor authenticator that typically it is either an SMS to your phone or a code that you need to retrieve from your phone to complete access. The second one I would say is that back-ups, back-ups are critical for every start-up. You do not want to have a bunch of sensitive data on a laptop that can get lost or broken with no copy elsewhere so make sure you have back-ups of all the things you need to survive as a company. The two others that I would add would just be data encryption, so for instance on the laptops themselves, ensure everything on the laptop itself is encrypted. That means that if you lose the laptop it’s just the cost of the hardware, it’s not your business at risk, the same thing with the data in the cloud and the last one I would say is, is the one from the patch management, it’s hard to do the patch management correctly across all devices, just make sure you turn all the settings to automatically install any patches and updates that become available so that you don’t have to keep doing that manually. Sorry one last one I forgot, get an antivirus somewhere installed on your, on every laptop that you work with.
Mark Tibbs
Cyber Risk and Complex Investigations
Partner, Mishcon de Reya
Yeah and, and I mean that all sounds well and good be it all theoretically I suppose but it sounds to me like actually kind of the, one of the most important things for a start-up is to have a security culture so Duncan, how are you implementing these kind of essential cyber security controls at Howbout?
Duncan Cowan
Co-Founder & CTO, Howbout
Yeah I mean I completely agree, it’s sort of like the culture and I think the good thing is a lot of the software we use these days is kind of built into the mentality so we obviously use version control i.e. GitHub for, for all our software side of things. All, all our EBS stuff is automatically backed up for us so there is a lot of good stuff that’s already there. What we found as well, we’ve moved over to Google Workspace again so once we got a few employees we got Google Workspace which allowed us to use a single sign on across a lot of products which does mean we are not having to worry about who has got access to which different products, it’s all in just one place so, so if someone leaves the company you just press a button then they’ve lost access or someone’s account is hijacked, again it is one button to get rid of that access so we definitely find single sign on really useful and I was just going to say MFA where you can do it, it is usually very easy now to require that for all accounts. An example of ours as well is we have implemented MDM software on the laptops so that is software that allows you to like lock down the laptops, make sure they are up to date and again it might have seemed a bit too early for a company with only 13 people but we’ve already had someone lose a laptop, stolen in a pub, so it’s a case of that, kind of like that feeling that it’s okay because we had it encrypted, we just press a button and that puts it in lockdown, nobody can access the data, it’s a good feeling to have.
Mark Tibbs
Cyber Risk and Complex Investigations
Partner, Mishcon de Reya
Yeah it’s like a warm feeling inside that you are actually okay. Great okay so moving on to our next topic, it’s around policies so cyber security policies, they lay the foundations for a company’s security posture but only if really it is communicated and practiced well. So what are the key cyber security policies that every start-up should implement and is there like a particular industry standard or a framework that you’d recommend Francisco?
Francisco Sanches
Cyber Risk Director, Mishcon de Reya
Sure so the most common approach is that you just start with one document, an information security policy is a catch all of the start-up’s position towards information security and whilst not always mandatory it’s good to align it with cyber security policies with industry standards because that’s the way of demonstrating your alignment with best practices and also can help you meet any regulatory requirements that you might under with. The most common is the ISO 27001, that’s an international standard for information management so most policies tend to align with the recommendations from that standard. They become the policy or the written documentation becomes increasingly important as a start-up matures and starts to have more employees because then you need to read the document how you go about doing for security ensuring everyone follows the same thing. Now another common policy in the beginning would be an acceptable use policy, that’s just a policy where you lay out your expectations for all your employees so that they know how, what you expect from them for a security policy. The access control policy that was referred about establishing rules for granting and revoking access to systems and data like the single sign on systems that Duncan referred to. You might have a remote access policy, how you expect people to work remotely into your environment, an incident response plan describes steps taken in the event of a security breach but I would really start with that one catch all information security policy.
Mark Tibbs
Cyber Risk and Complex Investigations
Partner, Mishcon de Reya
Yeah, that is that how sorry… is that how you did it Duncan, did you have a like overarching kind of policy or do you have a number of different policies?
Duncan Cowan
Co-Founder & CTO, Howbout
Yeah so as, as we kind of grew we kind of obviously started with nothing, because that’s where you start from but then yeah you get this document where, where it does just have one big kind of obviously divided into sections. It’s an area where it is not super clear as you start out what you need because the need is driven by external stakeholders usually rather than you know, internally. Internal knowledge let’s say what is normal. What we found in Howbout was that our integration with Facebook, we had… Facebook these days at least have a very strict policy on you have to have all these documents and all these procedures and policies in place if you want to use Facebook log in.
Mark Tibbs
Cyber Risk and Complex Investigations
Partner, Mishcon de Reya
You are forced into doing it kind of thing anyway.
Duncan Cowan
Co-Founder & CTO, Howbout
Absolutely, that integration really required us to have those documents in place and share them, get them reviewed by Facebook which was a great, almost free way of getting the documents.
Mark Tibbs
Cyber Risk and Complex Investigations
Partner, Mishcon de Reya
Yeah that’s helpful.
Duncan Cowan
Co-Founder & CTO, Howbout
The thing is just the mentality, talking to employees about why those policies are that and not just about this is the rule but like what is the actual reasoning behind that because once you’ve got a reasoning behind that kind of known across the company it, it really helps as you grow to make sure that we are evolving those policies correctly.
Mark Tibbs
Cyber Risk and Complex Investigations
Partner, Mishcon de Reya
It’s all about that culture again isn’t it so that everyone’s responsibility around security. I am going to move on to our final, we’ve only got a couple of minutes left so this one final question for you which is around cyber security certificates, so what type of security certificates do you think the UK start-ups should consider pursuing and just tell me a little bit about you know, their benefits for example so Francisco?
Francisco Sanches
Cyber Risk Director, Mishcon de Reya
So cyber security certifications typically are used to demonstrate an organisation’s commitment to data protection security and they are achieved due to the industry or the market or the stakeholders’ pressure as well quite frequently they expect that you or they will only work with you if you achieve a few of them. They are also a way of showing externally your commitments to data, to information security. In the UK the most common ones would be the Cyber Essentials ones, it’s an easy to get self-assessment Government sponsored security framework. The next stage will be Cyber Essentials Plus, instead of being a self-assessment you have a party that is externally assessing your environment, your security and the next one that is most required would be ISO 27001 certification. Worldwide it is recognised as a standard in that space and it’s the most commonly requested when you reach that, that stage. Even if you don’t go for having the option of certifying yourself against that, just aligning with their principles and seeing how you fare against them can be a plus in many circumstances.
Mark Tibbs
Cyber Risk and Complex Investigations
Partner, Mishcon de Reya
Yep, I am guessing there is a cost to it though Duncan, so as in terms of people cost but also potentially some other costs. So how do you, how do you treat certification?
Duncan Cowan
Co-Founder & CTO, Howbout
Yeah so from our, in our industry where we are a consumer app we actually don’t have the requirement from compliance let’s say to have, to have certain certification however it is all about the underlying reasoning behind it so it’s not a case of ‘oh we don’t need that certification so we’re not going to do anything with cyber security’, no it’s about what are the reasonings behind it, let’s maybe not get the certification but let’s read what the rules are and see how we can implement a policy at least internally on aligning with those rules going forward.
Mark Tibbs
Cyber Risk and Complex Investigations
Partner, Mishcon de Reya
Right thanks very much to both of you. I am afraid we have come to the end of our session, we do actually have one question in the Q&A but I don’t think we are going to be able to get round to it so if you want to get in contact with any of the speakers directly, please click on the resources tab below and you’ll be taken to their bios and contact details and you will be able to ask a question there but just to say thank you to Duncan and Francisco for joining us and there will be a recording sent out to all those who signed up and our contact details so thank you very much.
Francisco Sanches
Cyber Risk Director, Mishcon de Reya
It’s been a pleasure thank you.
Duncan Cowan
Co-Founder & CTO, Howbout
Thanks very much.
Mark Tibbs
Cyber Risk and Complex Investigations
Partner, Mishcon de Reya
Bye.