In today’s market, security is at the heart of major buying decisions—especially in the B2B world. With cybersecurity and data breaches making headlines regularly, enterprise companies only want to do business with vendors that pose little to no security risks.

The cost of a security incident can have long-term effects on your business in the form of lost revenue and consumer trust. For perspective, the average cost of a data breach in 2020 was $3.86 million, according to a new report from IBM and the Ponemon Institute. The same report shows a 1.5% decrease in breach costs from 2019. That said, breach costs are trending upward, with a 10% increase over the last five years.

So, what’s the lesson startups can learn from this? 

We now know that products with security baked-in from the get-go win over customers faster and prevent future costs associated with product development and updates. 

If you’re an early-stage startup, chances are you have an overwhelming list of tasks that keeps on growing, and you probably don’t have the headcount to manage them all. It might be tempting to de-prioritize security controls and policies. But don’t. Even a 10-person startup needs to have some semblance of an information security policy

If you’re skeptical, consider this: 55% of startups experienced a cyberattack in the past year.

In this Cybersecurity series, we provide PMs with tactical advice to building products that put customer privacy and security first. Today, we tackle the top three security considerations product managers should include during the product life cycle. 

Tip #1: Decide What Data Your Product Will Be Collecting Now, and in the Future

This is where you discover which security frameworks you’ll need. An information security framework is a series of documented, agreed-upon and understood policies, procedures, and processes that define how information is managed in a business. 

These frameworks lower risk and vulnerability and increase confidence in an ever-connected world. Knowing what information you intend on collecting will help you develop your product with the right security framework in mind. Not only is this best practice — it also ensures security is part of your product’s foundation. 

Your application will evolve over time, and so will the data it interacts with. In the future, you may collect protected data that you didn’t foresee. Now’s the time to gaze into your crystal ball and ask yourself, “What kind of data am I going to collect now, and what am I likely to collect in the future?” 

This takes a great deal of foresight, and it’s unlikely you’ll get it all right. But that’s okay. It’s still an important step to take, as it will inform which security frameworks you should comply with now. Plus, it’ll ensure you have a solid foundation in place for any security frameworks you’ll need to comply with in the future. 

Tip #2: Encrypt or RIP

Encryption protects private information, sensitive data and can enhance the security of communications between client apps and servers. The number one mistake people make is not encrypting their data from day one. Here are some examples of what you should encrypt: 

● Your database 

● Any uploaded files 

● Extra sensitive data (which warrants double encryption) 

At Tugboat Logic, we have third-party integrations so that our customers can input security credentials for their AWS instance. The data is encrypted inside an encrypted database. That way, someone can’t use another person’s credentials. Trying to encrypt information after the fact isn’t impossible, but it requires resources that most startups would rather use elsewhere.

Besides being best practice, this also touches on our first tip mentioned above. At some point, your company will be audited. If the data you collect is not being encoded so that it remains hidden from or inaccessible to unauthorized users, you pose a serious risk to your users. And your audit will highlight this to your prospects. 

So, make sure encryption is part of your product management worldview! 

Tip #3: Design Roles and Access Controls in Your Product

This is a major rule of thumb for security at any organization, whether you’re a two-person startup or a 2,000-person strong enterprise. You’ll be in a world of hurt if you try to implement security after the fact. And when it comes to your software development lifecycle, always think about the security of every feature or function that you’re building into your application by asking yourself: 

● How is this going to touch my data? 

● How is this going to impact my infrastructure? 

● How do I protect this new piece of data that I’m going to be collecting?

When you’re determining how to build out roles and permissions, consider privacy, data safety, and access controls. Providing access to stakeholders on a need-to-know basis is critical. By including security awareness into your company workflows, you’ll be able to enable your team to address potential risks holistically.

Build Security into the Foundation of Your Products

If you work at a startup, you may not have a comprehensive security program in place—and that’s okay. You’re definitely not alone.

Thankfully, you don’t need to overcomplicate things. By following these tips, and keeping security top-of-mind as you build out your products, you’ll be able to establish a strong foundation for your entire business. And if you’re looking for help, do it at the beginning of your compliance journey—not midway through. Or worse, last minute.

TL;DR: You have to be diligent about security and take it seriously from the start, even if you’re a small startup getting off the ground. Do security early, do it often, and keep it top-of-mind because your business could depend on it.