Venture capitalists and investors, your ability to make good decisions is one of the most important tools in your arsenal. It is up to you to decide how a business can make more money in the future, whether its business model is sustainable, how great the return on your investment will be and, ultimately, whether a startup is worth investing in.

However, one regularly overlooked factor in the decision to invest or not is security.

On the startup's side, security may be neglected because of a lack of funds, or the team may fail to address vulnerabilities in its applications and network because its overriding goal is to make the business profitable, so security becomes an afterthought.

From the investor's point of view, security may not have been considered because the startup itself doesn't make money from technology, or simply because you don't know what sort of security flaws you should be looking for.

But security is a vital factor, and if your investment is to last longer than the time it took you to sign your money over, it should be a priority whenever you invest in a new startup.

Why can security flaws hinder business growth?

Security is such a prevalent issue now because people and businesses are constantly surrounded by potential attack vectors (entry points that a malicious user or hacker can use to gain access to a system or network). As we covered in an earlier article on this blog, even the connectivity of home appliances can be exploited for nefarious purposes, so it is paramount that every reasonable precaution is taken.

And these precautions shouldn't be limited to technology companies: plenty of non-tech startups should be equally wary of the security of their networks. Any startup that collects cardholder data has an obligation to keep those details safe in the interest of its clients. Even a company that takes no payment data at all will typically hold a CRM database of client and customer information, and that too needs to be protected.

Failing to address these security flaws leaves the company exposed to devastating breaches and to non-compliance, which can lead to exploitation by attackers or to large fines from card brands, acquiring banks and regulators. With consumers increasingly concerned about their privacy and the security of their data, a network that is known to be poorly secured can lead to a loss of trust and, in the long term, a loss of customers and revenue.

Furthermore, there are many laws related to security that companies handling data must adhere to. One example is the Payment Services Directive (PSD), which applies within the European Union and regulates who may offer a payment service and how they offer it. Many countries also have privacy laws; the United States' Privacy Act, for instance, governs "the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies". Note that the Privacy Act applies to federal agencies rather than private companies, so a startup will need to check which privacy and data-protection laws actually apply to it in each jurisdiction where it operates.

The sooner good security is put in place (and good security practices are learnt by the team), the more peace of mind you will have that your investment is safe and sound.

How to put good security measures in place

The most effective way of checking that a startup has proper security in place is to conduct penetration tests and secure code reviews. Penetration testing, often called 'ethical hacking', tests the strength of a network or application by using the same methods a malicious user or hacker would use to gain unauthorised access. Secure code reviews, on the other hand, examine the source code itself from a security standpoint, combining manual review with automated static analysis, and so can find flaws (such as insecure handling of user input or hard-coded credentials) that may not be visible from the outside.

These two methods are both useful in this scenario because together they let you and the startup reach a measurable level of assurance around software quality, something that could directly affect the startup's future revenue. Furthermore, the findings allow you to factor the cost of additional security measures or fixes into your initial investment. Knowing the real cost of investing in a startup is key if you are to make the right investment decisions.

Another important success factor for your investment is to keep track of its compliance with data security standards such as PCI DSS, or with information security management standards such as ISO 27001. The requirements set by bodies like the PCI SSC (Payment Card Industry Security Standards Council) are designed to raise the baseline security of an organisation, and complying with them is a decision that will support your business, help you gain trust from your customers and avoid the fines that card brands, banks and financial institutions can impose for non-compliance.

What should you do now?

Don't let security flaws hinder your business growth. The best way to approach security checks is to hire an external company. As an investor, your job is to facilitate the investment of funds, not to oversee the security checks of the companies you invest in and hold people's hands while it happens. Plus, you don't have the time to do this.

It is also easier to budget for. For example, many companies are able to give you a fixed price for the penetration test and the secure code review. That is the ideal outcome for you, as you can factor this price into your investment total.

Advantio is a PCI QSA (Qualified Security Assessor) and a PA-QSA. We offer penetration tests, code reviews and a range of other services that can help to make sure that your business is secure.

We have written quite a few articles about IT security; take a look at our content.

Written by Igor Mancini

Marketing Director at Advantio. The articles published on the Advantio Blog have the goal of supporting our mission: making IT security simple for everyone.

My intention is to discuss IT security related topics through the eyes of a non-technical person, speaking in simple language and trying to show readers the benefits of IT security best practices.