Hyper-growth startups face a unique set of challenges when it comes to secure data access. Their priority is to drive rapid innovation, scale their customer base and grow revenue. Their data footprint is increasing exponentially, with new first-party and third-party data coming in daily. A quickly growing customer base has trusted them with their most sensitive personal data (PII, health, financial data and so forth), and leaders within the company want to easily access this data to make strategic operational, marketing and sales decisions.
Startups must secure access to the data, track who is accessing it and comply with data privacy regulations such as EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). These companies also need to strike a balance between preserving privacy and enforcing security while being mindful to not limit the ability of stakeholders to access the data for continued innovation and growth.
For some startups, this isn’t a problem…until it becomes one. 67% of organizations experience multiple threats from insiders – whether malicious, like what occurred at GE when employees stole insider information to start a competing company, or through negligence, like the Robinhood breach that led to customer support personnel mistakenly sharing records for over five million consumers with hackers.
Securing data and implementing the right access controls is critical to minimizing inside threats and preventing catastrophic results. But as companies grow quickly, secure data access may become an afterthought.
Top three data challenges plaguing startups
While all companies struggle with common data security and access issues, startups face three main challenges:
Challenge #1: Startups lack resources to build a security team
At startups, it’s typical for founders and CEOs to do it all. Even as a company grows, gets additional funding and hires a CIO, CSO, CISO or Chief Data Officer, that money might be allocated to other initiatives instead of building a robust security team. And when these teams are present at startups, they are usually small and focused on protecting the company from outside attacks on infrastructure, network or devices. With all their energy focused on the perimeter and DoS threats, this leaves very little bandwidth to focus on threats within the company.
Challenge #2: Startups use disparate tools for securing sensitive data – if any at all
Most startups use different tools to manage data discovery and classification, data masking, access controls, request logging and reporting. But these tools often require manual coding and don’t integrate with each other or the data warehouse.
For example, let’s look at date of birth (DOB) data. Sales and marketing might want access to this data for personalization and promotions – but they only need the month and day, not the year. HR needs access to full DOB for reasons like background checks and payments. And there’s no use-case where engineering would need any of this data at all. But without universal access control, you would need to create copies of the data and write manual scripts outside of the data warehouse to find, classify and mask this data. For compliance purposes, a person would have to manually go through data warehouse logs and compile data access requests that involve customer data for the last 60 days, 90 days, etc. – this is time consuming and error-prone. Even worse, some startups aren’t doing any data access control at all because of lack of resources.
Challenge #3: Long lead times in accessing data can slow down innovation
Small startup security and data teams are bombarded with requests. The compliance team’s priority is to make sure that the executives don’t land in jail or end up paying hefty fines due to non-compliance with government regulations. Top priority for the data scientists and analysts is to access behavioral information to build better models and gain new insights for improving business operations. Product engineers want to access customer experience data for the mobile app and the website to identify bottlenecks and improve the user experience. Manual processes for requesting access to data for these data consumers slow down the pace of innovation.
So how can a startup overcome these challenges? It begins with having the right data access framework in place to scale securely and with end-to-end automation.
Finding the right data access framework
Many companies in hyper-growth mode lean toward “default-to-know” data access. This means that data is open to all and accessible in an over-permissive – and sometimes uncontrolled – way. Data “over-privilege” is common within startup culture, but this free-for-all approach has inherent and potentially severe security, operational and compliance risks. Anyone in the company can access and download a customer list with PII data without a trace or trail.
To control data access while maintaining democratization, the next step is to move from “default-to-know” to “need-to-know.” Whereas previously everyone had access to every piece of data, that access is now controlled based on a person’s role or responsibility within the organization. For example, a Northeast Sales Manager can only access information for the accounts within their region. Or in the case of our DOB example above, marketing titles can only access birthday and month, but birth year remains hidden.
Implementing a sound data governance strategy
As startups move from open-for-all to need-to-know data access, they need to adopt a strategic approach to data governance. The following considerations should be kept in mind:
- Is my data discovery and classification automated?
- Is it continuous? Is it real-time or batch mode?
- Can I do role-specific data masking?
- Do I have responsibility-based access control?
- Where is my sensitive data?
- Who has access to it? And how can I control that access?
- Who has accessed it recently and is there any suspicious behavior?
- Am I tracking every request for sensitive data?
- Am I logging those requests, and do I have an automated way pulling reports?
A universal data access framework can help companies overcome common challenges, by securing data access while offering complete visibility over how sensitive data is used throughout the enterprise.
All companies (especially high-growth startups) need to develop and enforce data sharing “rules of engagement” which should include: constant visibility into where the sensitive data is, agile access control, the creation of a “Data Security Operations Council” for decision making and conflict resolution, and a commitment to train all stakeholders on privacy, security and governance.
As custodians of highly sensitive data, companies must protect it to meet regulatory requirements and honor customers’ privacy preferences, while providing timely access to relevant data to drive innovation. It’s imperative that cybersecurity leaders at high-growth startups don’t lose sight of their sensitive customer and company data – they need to maintain visibility over what employees are doing with it and how they share it. These steps will help startups overcome unique data challenges and deliver growth with security and compliance.