Julie Leo, RBCx’s Director of Cyber Security and Technology Risk, shares strategies to safeguard startups from cyber threats

Last December, Toronto’s SickKids Hospital spent much of the holiday season in disarray. The preeminent pediatric health care provider was hit by a cyber attack that disabled its computer systems, delayed lab and imaging results, knocked out phone lines, and shut down its staff payroll system. While the ransomware attack was eventually resolved, it took several weeks for services to return to normal.

It’s a cautionary tale that Julie Leo, RBCx’s Director of Cyber Security and Technology Risk, shared in a recent webinar on “Cyber security for startups: Protecting against cyber attacks and fraudulent behaviour” to illustrate the havoc malicious actors can cause.

The Canadian Internet Registration Authority (CIRA) reports 44 per cent of Canadian businesses faced a cyber attack last year, compromising data and devices and costing almost $6 million on average. Moreover, PwC finds 11 per cent of Canadian CEOs believe their company is either highly or extremely exposed to cyber risks over the next 12 months—and that number jumps to 18 per cent over the next five years.

Sami Khoury, Head of the Canadian Centre for Cyber Security, the country’s technical authority on cyber security that works in collaboration with the Government of Canada, puts it more bluntly: “Ransomware attacks are becoming more frequent, our critical infrastructure more vulnerable and the information we encounter online more divisive and misleading. We’ve said it before, but we’ll say it again: now is the time to take cyber security seriously.”

To help gain a deeper understanding of the cyber threat landscape and the importance of cyber protections in 2023, Julie gave RBCx clients a crash course in cyber security covering everything from the basic domains and concepts to threat actor types to why data privacy protections matter for scaling ventures—and, crucially, actionable takeaways on how startups can protect themselves. “It’s not about if there’s an attack because in today’s day and age, it’s happening at all times,” says Julie. “You need to determine what impact the breach will have on the company when it does.”

If you missed the webinar, or just need a refresh, here’s the recap:

Foster a culture of vigilance

You should weave cyber security into the fabric of your startup’s culture. Encourage employees to report any suspicious activities promptly and create channels for open communication regarding potential security incidents. Conduct regular security awareness campaigns, reinforce the importance of cyber security practices, and reward employees for their contributions to maintaining a secure environment. Hold regular workshops and training sessions to educate staff on best practices, such as identifying phishing emails, creating strong passwords, and recognizing suspicious emails and links.

If training activities are too pricey, Leo suggests tapping into free resources online or even starting a book club to get team members to read up on the topic. Whichever way you go, setting the tone and instilling a security-conscious mindset throughout your organization will help build a collective defense. “Drive the conversation about security from the top leadership level right on down to team huddles to get people familiar with it,” says Julie. “Protection begins by building that culture and speaking that language because it’s not ingrained.”

Establish a robust cyber security framework

Prioritize building a strong, resilient cyber security framework as the foundation of your startup’s defense against cyber attacks. This includes implementing a combination of technical and operational controls. Technical controls encompass intrusion detection systems (i.e. virus and malware protection), encryption protocols, and secure coding practices. Operational controls involve developing comprehensive security policies, conducting regular risk assessments, and establishing incident response plans.

“The number one priority when coming up with a cyber security plan is to think about your technology, your people and your processes,” she says. “As your company scales and becomes an enterprise, it’s no longer just about the single business unit that’s generating revenue; it’s about building that company framework for the lines of business—your security team, your risk team, your audit team, and so on—so that all of the security protocols are in place.”

Engage with cyber security professionals

Startups, as any fledgling founder knows, often have limited internal resources, but that doesn’t mean cyber security expertise and capabilities are out of reach. Leo advises scaling companies to leverage consultants who specialize in improving security for startups from the top down. “If you’re struggling to hire, contract the best security-oriented technologists and developers you can afford to build the cyber security strategy and framework,” she says. “Invest in that education and make them your security champion, and then they can support all your other technologists.”

Conduct regular security assessments

Assess your systems and networks to identify potential vulnerabilities and weaknesses. You can accomplish this through security audits, which help identify gaps in security practices and policies, as well as penetration testing, which simulates real-world attacks to evaluate the effectiveness of existing security controls. By conducting regular assessments, startups can proactively detect and address vulnerabilities before cybercriminals exploit them, thereby fortifying their defenses.

Julie, however, is quick to point out that cyber attacks can just as easily come from inside your startup, for example from disgruntled staff who can abuse the resources available to them as part of their role. “Whereas an external threat is limited to what they can access outside of your company, your internal threat actors have trust, access and opportunity,” she explains.

Adopt other layers of protection

“To protect your business information, the most crucial thing is to protect the product itself,” explains Julie. That’s why she recommends adding multiple security barriers across critical systems and platforms, including:

  • Security patches and software updates: Keeping your devices, infrastructure and applications up to date can mitigate significant risks and help maintain a secure operating environment.
  • Multi-Factor Authentication: MFA requires users (both internal and customer-facing) to provide two or more credentials, such as a password and a unique verification code sent to their mobile device. This significantly reduces the risk of unauthorized access, even if passwords are compromised.
  • Data encryption: Encrypting data at rest and in transit means that even if an attacker gains access to the data, it remains unreadable and useless without the private encryption keys.
  • Data backups and recovery measures: Implement a robust data backup strategy, including offsite cloud-based backup solutions, to ensure data is securely stored and readily available.

Final thoughts

Safeguarding your assets, preserving your reputation, minimizing regulatory risks, avoiding hefty fines, and ensuring uninterrupted business operations are just some of the reasons to prioritize cyber security. However, as the digital landscape becomes increasingly complex, entrepreneurs and founders should be mindful that cyber security is never a one-and-done deal; it’s an ongoing practice that requires constant vigilance and adaptation. By adopting these strategies proactively (or just getting started with some of them), you can significantly enhance your startup’s resilience against evolving cyber threats, ultimately securing its future growth and success.

We want to thank our clients and partners for attending our cyber security webinar. We look forward to hosting another event soon to help new founders succeed in their startup journey. With 150+ years of institutional knowledge, we’re dedicated to sharing our deep expertise to help our clients succeed. Speak with an RBCx Technology Advisor to learn more about how we can help your business.

This article offers general information only and is not intended as legal, financial or other professional advice. A professional advisor should be consulted regarding your specific situation. While the information presented is believed to be factual and current, its accuracy is not guaranteed and it should not be regarded as a complete analysis of the subjects discussed. All expressions of opinion reflect the judgment of the author(s) as of the date of publication and are subject to change. No endorsement of any third parties or their advice, opinions, information, products or services is expressly given or implied by Royal Bank of Canada or its affiliates.

