It has become a no-brainer that all businesses must have an online presence. A company may have an internal network which it uses for administration, such as wages and salaries, typing reports and other normal functions.

However, just as soon as you add an external Internet connection, IT security becomes a significant concern.  A large part of that concern is the seemingly high capital and recurrent costs of preventative measures. Hardware, software, support and other ancillary charges such as insurances all add up to a number that seems out of proportion to the levels of protection provided.

A new startup will have an online presence from the first day and needs to build an appropriate IT Security budget into its startup funding requirement.  That requires an analysis of its needs and how to meet them.

Requirements Analysis

A simple list of the IT security requirements of taking your business online might be:

• Desktop and server malware protection;
• Web and email protection;
• Intrusion protection;
• Privacy;
• Protection of payment and other financial information.

Most, if not all, startups begin life with financial constraints defining their early life. While spending money on IT security might seem an unnecessary expense, it is possible to take steps to make the costs align more closely with the business requirement at each stage.

How to Do It

As is often the case, planning and preparation is the key.

• The first step is to prepare a list setting out phase by phase how you plan to go online.Is it to be a big splash with everything up and running from day one?   Is it to be a phased approach with essential services like email first, then an online shop coming later?
• Define the security needs of each phase.
• An idea of scale is also necessary.While the security objectives are the same, how you meet them will be different according to the physical basis of the implementation, small business versus large data centre as an example.   Where there will be external transactions, minimum response times for users are needed, and the security solutions chosen must not slow down purchases.

  The security environment of say, a brickworks will be different from an online retailer.   A simpler security environment might apply in such circumstances.  However, some businesses need a secure environment that conforms to defined standards.  One such example is the processing of credit card applications, where there are well-defined legal requirements.

• A final step is the definition of policy for your internal users.  Some considerations include:
  • Are they to be allowed personal email;
  • Can they surf the Internet without restriction;
  • Can they use removable media.

  The answers to these questions will also define the implemented security environment.

• At the end of the preparatory phase, there should be an outline online implementation plan showing what happens when, and what the security needs are at each stage. This allows you to prepare an indicative budget.

Costs will be able to be phased in line with the implementation plan, reducing the strain on startup cash flow.

The Outsourcing Question

The big question is whether to outsource IT and IT Security or not.   Quite apart from possibly reducing cost, outsourcing allows the business principals to concentrate on the business rather than the technical requirements of implementing IT systems and security.

Industry savants have suggested that outsourcing is a way to reduce overall cost without reducing security.  It can be, but since security is essentially an insurance policy against intrusion and the loss of information, the canny user must weigh up:

• how much protection is needed;
• the benefits of handing over control of the security environment to a third party; and
• the risks involved in doing so.

At this stage, it is essentially a comparison of cost.  What are the incremental costs of doing it yourself, versus the costs of having an outsourced service supplier doing it for you?

Another consideration is staffing.  You will need specialist staff to implement the new systems, a team you might not need in the longer term.  Outsourcing allows you to have the staff you need only when you need them.

Time

There is also the question of time.  How long do you have before you need to have the security systems in place?  It may be that there isn’t sufficient time for you to do it yourself, and you must rely on the expertise and a ready-made security environment provided by an outsourced supplier.

Having a well-prepared plan can mean buying only the things you need when you need them.

All startups are a bit of a gamble and a race between generating revenue and the cash reserves running out. While IT security is essential, careful planning of the security environment can reduce capital, and operational costs as the business establishes itself and grows.