editione1.0.0
Updated October 9, 2023In Part II we address small businesses, in Part III we move on to startups, and Part IV is dedicated to mid-size and growing companies that are refining their strategy. The line between a small business and a startup is not always obvious, so let’s define what we mean. It is important to get this straight, as this dictates the security strategies we recommend you follow.
For the purposes of this book, especially in Part II and Part III, we are using the term “small business” and “startup” to refer to businesses that meet the criteria in the table below. If your business is larger or more mature than the “startup” stage, you will likely find Part IV most helpful.
Characteristic | Small Business | Startup |
---|---|---|
People | • It is just you, and maybe a few others that work part or full time. • You may also have seasonal employees who come on board to help during busy seasons. • You are an individual freelancer, contractor, or owner operator. | • You have between one and ten people. • This is often a mix of founders, contractors, and early team members. • You may also have some advisors, investors, or informal governance. |
Budget | • You are running this business off of the natural organic sales coming in. • You are bootstrapping the business on your own from your savings, or are funding it through your business revenue. | • If you are bootstrapped (self-funded), the budget is likely small and the company may have a “runway” of just a few months. • If you have achieved some form of investment or funding, there may be a larger budget (or “runway”) tied to strong growth objectives. |
Goals | • You aim to be a profitable and resilient business. | • You aim to achieve product/market fit with your product or service. • You are looking to acquire early customers and prove your business model. |
Priorities | • Small might be a choice. You don’t want to become a growth company, or scale your business bigger beyond what you can manage now. • You might serve a small market niche. No one else locally does what you do; who knows what your business will look or how big it will be in five or ten years. | • Profitability is not a high priority at this stage, especially if you have funding. • The pressure to achieve results has amplified with the amount of money you have raised. • You are technology-driven or creating a solution with a large technical component. This may be built in-house or with outsourced partners. • Your target market may be large (spread across many industries or geographic areas). |
Sometimes it helps to be able to visualize what we mean when we say small. Small businesses could be:
A local brick-and-mortar business that you started yourself.
An e-commerce business that operates only online.
A service or consultancy business where you and your employees are the product.
A product company that creates and produces one type of product. This could be a physical product or a digital one (like software).
A shop that purchases products and stock, and then on-sells them to others.
A franchise of an existing business. (Although this one may vary as that existing business may provide you support, tools, or rules that you have to follow. You also might inherently pick up the brand, reputation, and risk of the parent business.)
There are a few different terms for “smaller businesses,” and they all have different meanings based on their aim and characteristics. If your small business has bigger goals and ambitions, you might actually be a startup.
Given how we define a small business, we can also make some assumptions about how you operate in a digital sense:
Area | Small Business | Startup |
---|---|---|
Devices and hardware | • You don’t provide devices, mobile phones, or laptops to your employees. If they need one, there is a shared one they can use in your physical office space or they use their own personal devices. | • You provide devices to your employees depending on their roles. Your sales team may have work mobile phones, and everyone will have a work laptop. |
Technical training | • Your employees don’t have any security training. You might have one employee that helps with more technical areas, however, security is not a familiar concept for them. | • Your employees may be more familiar with technology concepts and may have seen security issues come up at other startups or others in their industry, but they are not formally trained. • You may have started off trying to encourage a good security culture in your small team, but if your team has scaled, you may be looking at compliance requirements and formal security training. |
Digital presence | • Your small business needs a digital presence, but it may simply be a website with basic information about what you do and how to contact you. • It needs to have social media accounts so you can promote your business. • Your customers communicate with you digitally, or they might pick up the phone or visit you in person. Most people may email you. | • Your startup needs a digital presence. This is a key part for sales, marketing, and recruitment. • It needs social media accounts to communicate your startup’s message and brand. • Your customers and community communicate with you digitally, often by email or potentially via support channels or in your product. |
When do you go from a startup to a company with the larger needs outlined in Part IV? That can be hard to pinpoint, and depends on your circumstances. We’ve outlined the effect growth has on your security needs and strategy, so you can better determine where your organization stands.
Growth is amazing. However, the more successful you are, the more interesting you are to potential attackers. Simply put, before you grew, nobody knew you existed and they didn’t know how interesting and valuable you might be.
As your customer base and product grows, so does the complexity and size of your data. From customer data to commercially sensitive documents and application code—you have more of everything and it’s more spread out than ever before.