Why start-ups must step up on data security
There is so much fun and sexy stuff that goes into building a start-up: hiring smart people, chasing funding, developing an exciting marketing plan, going to and hosting events, buying groovy furniture for your funky office in London’s Shoreditch or Berlin’s Friedrichshain. But however disruptive and exciting your venture, there is one area founders and young, fired-up entrepreneurs tend to forget about: compliance.
Compliance sounds like something for the grown-ups rather than the cool kids to worry about. It is a dull word and a complex subject — and one that can get you into serious trouble if you do not have as tight a grip on data protection and software licensing as you do on choosing the football table for that office.
Data protection and hacking are perhaps the scariest aspects of all this. It sometimes feels as if a day never goes by without another big data breach hitting the headlines. There have been some huge breaches this year alone: Dropbox revealed in September that the login details of 68m users had been compromised in a hack that happened in 2012, four years earlier. In the same month, Yahoo told the world that the details of some half a billion users had been stolen and exposed.
When the focus is on large companies such as Dropbox or Yahoo, it might be tempting for the founder of a start-up to think that the complexities of data protection, security infrastructure and risk management are not something she or he needs to be concerned about.
Rune Syversen, co-founder of Crayon, the software licensing company, says small companies tend not to think about the necessities of compliance “until it’s too late”. He points out, however, that the complexity of compliance tends to increase the longer a company is in business, so it is wise to build it in from the start rather than to add it as a bolt-on later.
Syversen is talking specifically about software asset management — keeping tabs on what software is being used in your organisation, how that is licensed and whether the licences are up to date. But the same concerns apply equally to data security.
Data protection laws apply to all businesses that handle personal data, regardless of their size. A breach can lead to a fine; the maximum penalty under existing UK data protection legislation is £500,000. That kind of sum might be small change for a big company, but it could empty the coffers of a start-up relying on seed funding or early tranches of investment.
Meanwhile, Brexit notwithstanding, the new EU General Data Protection Regulation (GDPR) is due to come into force in May 2018. This is a concern not only for UK businesses: the new rules require any company that handles the personal data of people in the EU to comply, wherever that company is based.
One of the key principles of GDPR is data protection by design and by default, often called “privacy by design”, which says that looking after the security of the personal data you are entrusted with as a business should be built into your products and processes from the outset, not added afterwards.
The new regulation is a vast compliance exercise regardless of the size of the business — and it carries much heftier fines for non-compliance than existing UK law provides for. The exact size of any fine will depend on the severity of a breach, but if it is serious enough, a business could face a fine of up to €20m or 4 per cent of global turnover, whichever is the higher.
Data protection is as much a risk-management exercise as it is about IT. It is a common mistake in organisations of all sizes not to realise that and to leave it to the IT department, rather than making it central to general strategy.
Not all risk management around data security is as eye-catching as the news that banks have been hoarding bitcoin to pay ransomware demands. Presumably they are calculating that it is cheaper to buy the cryptocurrency now, while the volatile asset is not being pushed up by people panic-buying it to pay off cyber crooks, than to spend the money strengthening their IT systems. Businesses grapple with the same question: will it cost more to build up cyber defences, or would it be cheaper to ignore the complexity and cost of improving the data security regime and simply cough up if they suffer a breach and are hit with a fine?
Whichever you decide, that is not the sort of decision you should leave to the IT department. The young founder needs to put compliance and data security at the heart of the business: an empowered and knowledgeable chief information officer is just as important as any other C-suite executive — even if your C-suite is less a suite than a corner of a warehouse in Shoreditch.
It is here that start-ups have an advantage over bigger, older businesses, especially those that have had to make the transition from analogue to digital. Those “legacy” organisations have had to graft data security and compliance on to established ways of doing business. Or they are stuck with a less than ideal set-up that has evolved over time and would cost a fortune to replace.
A telling parable for that scenario is the saga of Hillary Clinton’s email server: the Clintons started off with a single Apple machine in the basement of their New York home that was pressed into service as a mail server. A few hardware and software upgrades and a move to a New Jersey data centre later, the Clintons were the owners of a ramshackle set-up, with little idea of how it was run or what its problems were.
That this came back to haunt Clinton during her bid for the US presidency is a useful reminder that protecting the personal data you are entrusted with should be at the heart of your thinking and your company. If there is one thing a funky young business should be, it is a grown-up about data security.
Apps to save you time
Alto: Android, iOS, free, altomail.com
There are goodness knows how many email apps in the app stores, and as someone who lives and dies by Outlook, I am hard to convince on the virtues of the others. Alto, however, is surprisingly good, especially when you consider that it is developed by AOL, a company that is the clunky epitome of Web 1.0. It does all the usual things, such as folders and threaded views, but where it stands out is with its Cards and Stacks. The former pulls items such as receipts or flight details into one screen so that you can see them without having to search your inbox. The latter filters emails by content such as photos and files so that, again, you can find them quickly. It does this without you having to do anything: it learns as it goes and turns the humble email client into something truly useful.
Google Trips: Android, iOS, free, get.google.com/trips
As with email apps, there are thousands of travel apps to choose from. Google, however, has done something very nifty with Trips: give it access to your email and the dates of your trip and let it suggest itineraries based on your information and on data gleaned from millions of smartphones. So not only will it pull together information from your email about flights and hotel bookings, it will also plan an itinerary to work out the best route, then factor in how long people generally spend at each location and offer the best ways to travel between them. It is perfect if you have an afternoon off between meetings and want a flavour of a new city in an efficient, geeky but hugely satisfying way.
Flio: Android, iOS, free, flio.com
If you spend a lot of time in airports this might be helpful. It pulls together airport information such as how to navigate the terminal (no small feat in some of the sprawling global hubs), places to eat, the location of lounges and more. It also offers money-off vouchers for airside and landside shops and restaurants, and access to Wi-Fi. Under the “Arrivals” tab you will find information on services such as showers, local cabs and other transport options. Of course, it is basically a giant affiliate marketing scheme, but it probably provides enough useful, well-organised information and vouchers to make it worth your while to hand over your data if your working life takes you through too many airports.