The following post was written by Ofer Brandes, SVP Strategic Effectiveness at Payoneer, during his tenure as CTO at Viola Ventures (2003-2019).

Earlier this month we hosted a Viola CTO Forum session on Cybersecurity. Our guest speakers included Itay Yanovski, Co-Founder of Cyberint, Nadav Aleh, Advanced Security Center at EY, and Udi Yavo, Co-Founder and CTO at enSilo, and they all shared some insightful tips (see below). We also discussed the results of a survey completed in advance by CTOs and Heads of R&D from Viola’s portfolio companies, on the security measures taken both by IT departments and product teams. Here are some of the insights:

Startups are doing well but need to do more
The level of preparation for security challenges increases as companies grow, with bigger startups deploying more security measures and in most cases assigning a dedicated person to be responsible for IT security. Bigger startups are also more likely to carry out an annual security audit, have Cyber Insurance in place, and constantly strive for improvement in their level of protection.
None of the companies surveyed have removed any of their existing security measures or products in the last 12 months. If anything, they have actually added more security measures.
Product security (as opposed to IT security) is typically handled by R&D.
The most common components of IT security are: Firewall, endpoint protection, encryption, and Automated Penetration Testing.
Top issues to focus on going forward are: Data theft/breach, compromised credentials, unexpected vulnerabilities, and ransomware.

Some of our key recommendations based on the survey results are that it’s important to conduct periodic security training for all employees, to closely control access to user data, and to carefully review open source components before incorporating them.

No one is immune to security threats
One third of the companies surveyed reported a security attack in the last 12 months, but it’s probable that other respondents may have also been attacked without their knowledge.

It would be prudent for virtually any startup to assume that it might potentially be a target for an upcoming cyber-attack. Ronen Nir, General Partner at Viola Ventures, noted at the session that Israeli companies are doing a great job developing security products for leading companies in the world, but are not using such products themselves to the same extent as others in the developed world, suggesting that it’s about time that Israeli startups become not just leading providers of cyber security products, but also users of these products.

Some practical tips from our guest speakers:
Itay Yanovski, Cyberint: You can’t protect everything from all attacks all of the time, so map your online assets, identify the major business threats you need to prioritize and build the relevant protection measures against them.
Nadav Aleh, EY  Israel: You need to have a concrete, written plan of your security strategy with a set of realistic tasks to perform, and make sure they are properly executed. Also, the earlier you eliminate vulnerabilities in the product’s development process, the lower the cost (as opposed to implementing them later on). Try to integrate the identification of risks early on in the development lifecycle.
Udi Yavo, enSilo: With the growing number and sophistication of attacks, it isn’t possible to stop them all, and existing tools provide too many false alarms. Even when the alarm is valid, the damage can already be done while it is being investigated. enSilo’s solution stops the exfiltration of data when it occurs so that as soon as a breach is detected, the damage is stopped.

Further reading on recent security trends: 5 Key Security Takeaways from RSA Conference 2016