Information Security: A 3-Step Kickstart Guide
For startups in the health technology industry, information security should be a priority for your business. With the rise of cyber threats and data breaches, it is critical to ensure that your company and its assets are secure. We recently published a post on the NIS 2 directive, which will raise the information security requirements on companies in the healthtech sector. For startups, drafting your information security roadmap can seem daunting, and bringing in external help might be tempting.
In this post, we will suggest 3 things that you can do to get started with your systematic information security work. As you grow your business, it can grow with you from this baseline.
First: Understand what needs protection
Information security is about protecting your assets while balancing the aspects of confidentiality, integrity and availability.
To do this, you need to get an idea of what it is that you are looking to protect. Start by making a list of all the different assets and information systems at your company. This is often referred to as an asset register.
Examples of information assets are designs, employee personal information or patient data. Examples of information systems are Google Drive, GitHub or Slack.
Once you have listed all assets, you need to think about how important each asset is to your business. Some questions to ask yourself are:
How quickly would an interruption of access cause disruption to your business?
How sensitive are the assets?
How often do they need to be accessed? By which people?
What are the consequences if the information they hold became incorrect?
Based on these questions, you can determine the required level of confidentiality, availability and integrity for each of your assets. This can guide you to which assets are the most critical, and help you prioritise the information security work going forward.
💡 Side note: Since information security is a balance between adequate protection and adequate access, only select assets should be subject to the most restrictive protection measures, or you might slow yourself or your colleagues down.
You can expand the asset inventory over time, so starting small with these basic steps is actually of great value. At Leyr, we used a free Notion template as a backbone and tweaked it to fit our needs.
Next: Find the weaknesses to address
Now you know what assets and information systems need to be protected. But how do you know what to protect them from? This is where risk analysis comes into the picture. It can be done in many different ways, but what you are after is playing the devil's advocate for a moment. Start with your most valued assets and try to identify any weaknesses. Some example questions to ask yourselves are:
How can you be sure that only authorised users can access this asset?
How would you know if the asset was compromised?
How would you restore access to the asset if it was lost?
Once you've identified a weakness, describe the risk it creates: what could go wrong, and how. Then estimate the impact it would have if the risk materialised, and the probability of that happening. The combination of the two tells you how serious the risk is and which risks deserve attention first.
Risk analysis can be done in a number of ways, and you can find inspiration for stepwise approaches online; ISO/IEC 27005 and NIST SP 800-30 are two established ones. Document your reasoning and conclusions carefully, as you will need to revisit those risk assessments in the future.
Identifying risks to your assets unlocks the next important step: implementing adequate protection for them.
Then: Implement Security Measures
It can seem daunting to implement security measures, but as long as you start with your most important assets, each step you take will have a big impact.
From the identified risks, try to find measures that reduce the probability of each risk materialising, or the impact if it does. Examples:
enabling multi-factor authentication to access your most sensitive assets reduces the probability that a stolen password alone is enough to breach a user account.
restricting access to a critical asset to those who need it to perform their tasks reduces the probability of confidential information being leaked, and limits what a single compromised account can reach.
keeping tested backups of a critical asset does not make its loss less likely, but reduces the impact, because access can be restored.
Once such protective measures have been implemented, document each one against the risk it addresses, and reassess that risk: the remaining, residual risk is what you are actually living with.
However, introducing security measures can make an asset harder to access, and no measure removes a risk entirely. You therefore need to decide your company's level of acceptable risk - your 'risk appetite', so to say. Risks that fall below it can be accepted as they are, provided that decision is written down and revisited.
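The three steps above, from the asset register through risk scoring to the comparison against a risk appetite, fit naturally in a small, versionable register. The following is an added example written for this post, not code from Leyr or from any template: it models assets with a confidentiality/integrity/availability rating, risks scored as impact times likelihood, controls that lower the residual score, and a check for risks that are still above the agreed appetite. The rating scales (1 to 3 for C/I/A, 1 to 5 for impact and likelihood), the appetite threshold and the sample assets, risks and controls are all constructed assumptions, not values prescribed by any standard.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed scales for this example: C/I/A requirements 1..3, impact and
# likelihood 1..5, so a risk score runs from 1 to 25.
CIA_MAX = 3
RISK_MAX = 5


def _check_range(name: str, value: int, upper: int) -> None:
    # Reject ratings outside the agreed scale rather than silently skewing scores.
    if not 1 <= value <= upper:
        raise ValueError(f"{name} must be between 1 and {upper}, got {value}")


@dataclass(frozen=True)
class Asset:
    # One row of the asset register: what it is, where it lives, what it needs.
    name: str
    system: str
    confidentiality: int
    integrity: int
    availability: int

    def __post_init__(self) -> None:
        for label in ("confidentiality", "integrity", "availability"):
            _check_range(label, getattr(self, label), CIA_MAX)

    @property
    def criticality(self) -> int:
        # The strictest of the three requirements decides how much care the asset needs.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Control:
    # A protective measure and how many points it takes off likelihood and/or impact.
    description: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    # A weakness written up as a risk statement, scored and linked to its controls.
    asset: Asset
    description: str
    impact: int
    likelihood: int
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        _check_range("impact", self.impact, RISK_MAX)
        _check_range("likelihood", self.likelihood, RISK_MAX)

    @property
    def inherent_score(self) -> int:
        # Exposure before any controls: what you carry if you do nothing.
        return self.impact * self.likelihood

    def residual(self) -> Tuple[int, int]:
        # Controls never take a rating below 1: a risk is reduced, not eliminated.
        impact = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        likelihood = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        return impact, likelihood

    @property
    def residual_score(self) -> int:
        impact, likelihood = self.residual()
        return impact * likelihood


def prioritised_assets(assets: List[Asset]) -> List[Asset]:
    # Most critical assets first: that is where the risk analysis should start.
    return sorted(assets, key=lambda a: a.criticality, reverse=True)


def above_appetite(risks: List[Risk], appetite: int) -> List[Risk]:
    # Risks whose residual score still exceeds the agreed appetite, worst first.
    return sorted((r for r in risks if r.residual_score > appetite),
                  key=lambda r: r.residual_score, reverse=True)


# Constructed sample register for a small healthtech team (not real data).
PATIENT_DATA = Asset("Patient records", "Cloud database", 3, 3, 3)
DESIGN_DOCS = Asset("Product designs", "Google Drive", 2, 2, 1)
TEAM_CHAT = Asset("Team chat history", "Slack", 2, 1, 1)
ASSETS = [DESIGN_DOCS, TEAM_CHAT, PATIENT_DATA]

MFA = Control("MFA on every account with database access", likelihood_reduction=2)
LEAST_PRIVILEGE = Control("Database access limited to the on-call engineer", impact_reduction=1)
BACKUPS = Control("Nightly backups with a tested restore procedure", impact_reduction=3)

BREACH_RISK = Risk(PATIENT_DATA, "Phished credentials give an attacker access to patient records",
                   impact=5, likelihood=4, controls=[MFA, LEAST_PRIVILEGE])
LOSS_RISK = Risk(PATIENT_DATA, "The only copy of the database is deleted or the provider fails",
                 impact=5, likelihood=2, controls=[BACKUPS])
LEAVER_RISK = Risk(DESIGN_DOCS, "A former employee keeps access to the design folder after leaving",
                   impact=3, likelihood=3)
RISKS = [BREACH_RISK, LOSS_RISK, LEAVER_RISK]
RISK_APPETITE = 6  # assumed threshold on the 1..25 score scale

if __name__ == "__main__":
    for asset in prioritised_assets(ASSETS):
        print(f"{asset.criticality}  {asset.name} ({asset.system})")
    for risk in above_appetite(RISKS, RISK_APPETITE):
        print(f"{risk.inherent_score:>2} -> {risk.residual_score:>2}  {risk.description}")
```

Run as a script it lists the assets by criticality and then the risks that are still above appetite: the phishing risk drops from 20 to 8 once MFA and least privilege are in place, the data-loss risk from 10 to 4 thanks to backups, while the leaver risk stays at 9 because nothing has been done about it, so it and the phishing risk are the ones to work on next. Keeping the register in a file under version control gives you the documented, revisitable trail the earlier sections ask for.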
You are never done with information security
The above steps are just a primer to get started with working with information security. Remember that maintaining a high level of security requires a systematic and continuous approach over time. By sticking to a process that works for you, you can keep the work at a manageable level, while making sure that your information will remain safe.