Building Secure B2B Software
Authors: Sam Honey and Claire Cooper
with Jon Stock, Chief Information Risk Officer, PureCyber
If you’re a UK start-up building or selling B2B software, it’s not enough for your product to just work: it also needs to be secure, resilient, and compliant. Whether you’re targeting enterprise customers, handling sensitive data, or scaling quickly, people expect more than mere functionality. Customers, investors, and regulators all want to see that your product has been built with care and maintained responsibly. To get you started, we have prepared this founder-friendly look at cyber security and your business.
The basic requirements
Under UK data protection law, you’re expected to “process personal data securely by means of appropriate technical and organisational measures”. For start-ups, that means adopting a secure-by-design mindset from day one, aligning with the expectations of regulators and governing bodies.
The risks
Security failings can lead to serious consequences, including ICO investigations, mandatory audits, enforcement actions, substantial fines, and reputational damage. Directors and board members can also face scrutiny for failing to manage these risks properly. Importantly, regulators aren’t just looking at whether an incident happened; they want to know whether you had reasonable and up-to-date controls in place. Often, it is the absence of good practices that leads to regulatory fines and reputational damage.
Aside from regulatory fall-out, your revenue could also be at risk. Far-reaching consequences could include:
- Reputational brand damage
- Loss of future customers or more complex contract negotiations due to lack of trust
- Damaged relationships with current and potential customers, resulting in churn or re-negotiating contracts.
For a scaling business, customer lifetime value is crucial to revenue stability. That stability is invaluable if seeking external investment.
Put simply, investors are becoming more interested in the whole sum of your parts, and that includes understanding the risk of their investment going sideways because you didn’t build appropriate software safeguards and security controls, or didn’t audit them periodically to ensure they were still working effectively and appropriately.
“But I don’t work in IT….”
Sorry: security and resilience are not solely the responsibility of the IT function – ownership is shared, and the whole organisation must be aligned on its responsibilities for good security practice:
Founders/CEOs and boards should set strategic direction and allocate resources. Utilise your board’s expertise or connections to share this burden and upskill.
CTOs/engineering leads should design and enforce secure development processes and systems. Allow your team to raise awareness of issues and track decisions and actions.
Infrastructure, cyber security and developers should secure infrastructure and enable monitoring with effective warning systems.
Compliance/DPOs should ensure GDPR, DPA 2018 and contractual compliance.
Customer-facing teams should understand and be trained on security and resilience, their responsibilities and how to react to issues.
HR should drive training and awareness among all staff.
Strategic security questions for leadership
Founders and senior leadership should routinely evaluate and document the following questions as the basis of an internal security action plan and management engagement evidence.
- Are we demonstrating secure-by-design principles in software development?
- Are developers adequately trained and using secure tools?
- Do we have a defined and timely patch management process?
- Is there a public mechanism to report vulnerabilities?
- Would we detect a breach, and is our incident response plan actionable?
- How does our business continuity plan perform in tests, what gaps are present, do we need external support, and are we strengthening resilience and minimising downtime?
What do “good practices” look like for the software itself?
A good starting point is making sure that the software complies with the five security controls of Cyber Essentials. This ensures that boundaries, authentication, configuration and patching meet the baseline security standard set by the UK Government.
Handily, the DSIT and the NCSC recently published a voluntary code of practice for security in software, spanning four key areas:
- Ensure secure development practices: Practical steps: train your developers on secure coding and common vulnerabilities, such as the OWASP Top 10. Implement code reviews and security testing as part of development and continue these practices beyond deployment.
- Secure build and deployment environments: Practical steps: limit access to repositories and deployment systems, enforce multi-factor authentication (MFA), and ensure only trusted code is released.
- Resilience and recovery: Article 32 of the UK GDPR mandates the ability to ensure ongoing confidentiality, integrity, availability, and resilience. Practical steps: maintain secure backups and a tested disaster recovery plan.
- Software composition: Most software now relies on open-source packages and third-party components. Practical steps: make sure you’re tracking what you’re using (a Software Bill of Materials is helpful) and scanning for vulnerabilities regularly.
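As a worked illustration of the software composition step above (tracking the components you ship and checking them for known vulnerabilities), here is an added Python example; it is not code from the article, the DSIT/NCSC code of practice, or any tool they mention. It assumes a minimal CycloneDX-style SBOM in JSON and a constructed local advisory list whose identifiers are placeholders rather than real CVE numbers; a real pipeline would pull advisories from a feed such as OSV or a vendor database and run this check on every build.

```python
# Added example: match an SBOM's components against a list of advisories.
# Assumptions (not from the article): the SBOM is a minimal CycloneDX-style
# JSON document whose "components" carry package URLs (purl); the advisory
# list is constructed locally and its ids are placeholders, not real CVEs.
import json

# Constructed sample SBOM (subset of CycloneDX 1.5 JSON); versions are illustrative.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "requests", "version": "2.25.1", "purl": "pkg:pypi/requests@2.25.1"},
    {"type": "library", "name": "urllib3", "version": "1.26.5", "purl": "pkg:pypi/urllib3@1.26.5"},
    {"type": "library", "name": "jinja2", "version": "3.1.4", "purl": "pkg:pypi/jinja2@3.1.4"}
  ]
}"""

# Constructed advisory feed: affected range is introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "package": "requests", "ecosystem": "pypi",
     "introduced": "0", "fixed": "2.31.0", "severity": "medium"},
    {"id": "ADV-PLACEHOLDER-002", "package": "urllib3", "ecosystem": "pypi",
     "introduced": "1.26.0", "fixed": "1.26.18", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-003", "package": "jinja2", "ecosystem": "pypi",
     "introduced": "0", "fixed": "3.1.3", "severity": "medium"},
]


def normalise_name(name: str) -> str:
    """Fold case and '_'/'-' so SBOM names and advisory names compare equal."""
    return name.lower().replace("_", "-")


def parse_version(version: str) -> tuple:
    """Turn '1.26.5' into (1, 26, 5); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def parse_purl(purl: str):
    """Extract (ecosystem, name, version) from a purl such as
    pkg:pypi/requests@2.25.1. Returns None if the string is not a purl."""
    if not purl.startswith("pkg:"):
        return None
    body = purl[len("pkg:"):].split("?", 1)[0].split("#", 1)[0]
    ecosystem, _, rest = body.partition("/")
    path, at, version = rest.rpartition("@")
    if not at:  # no version segment present
        path, version = rest, ""
    name = path.rsplit("/", 1)[-1]  # drop any namespace (e.g. npm scope)
    return ecosystem, normalise_name(name), version


def load_components(sbom_json: str):
    """Return a list of (ecosystem, name, version) tuples from the SBOM."""
    components = []
    for comp in json.loads(sbom_json).get("components", []):
        parsed = parse_purl(comp.get("purl", ""))
        if parsed is None:
            # No purl: fall back to name/version with the ecosystem unknown.
            parsed = (None, normalise_name(comp["name"]), comp.get("version", ""))
        components.append(parsed)
    return components


def is_affected(version: str, introduced: str, fixed) -> bool:
    """Affected when introduced <= version < fixed; fixed=None means no fix yet."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def match_advisories(components, advisories):
    """Return findings (highest severity first) for components in an affected range."""
    findings = []
    for ecosystem, name, version in components:
        for adv in advisories:
            if normalise_name(adv["package"]) != name:
                continue
            if ecosystem is not None and adv["ecosystem"] != ecosystem:
                continue
            if is_affected(version, adv["introduced"], adv.get("fixed")):
                findings.append({"id": adv["id"], "package": name, "version": version,
                                 "fixed": adv.get("fixed"), "severity": adv["severity"]})
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings.sort(key=lambda f: order.get(f["severity"], 9))
    return findings


def report(findings):
    """Render findings as one line each, suitable for a CI log."""
    if not findings:
        return ["No known-vulnerable components."]
    return [f"{f['severity'].upper():8} {f['package']} {f['version']} -> "
            f"{f['id']} (fix: {f['fixed'] or 'none yet'})" for f in findings]


if __name__ == "__main__":
    for line in report(match_advisories(load_components(SBOM_JSON), ADVISORIES)):
        print(line)
```

On the sample data the check flags urllib3 (high) and requests (medium) and clears jinja2, which is already past its fixed version. Failing the build when any finding is at or above an agreed severity is the simplest way to make "scanning regularly" an enforced step rather than a good intention.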
Execution in small and medium teams
Running a lean operation does not make your business exempt from regulatory scrutiny and the need to operate good practices. Even with limited resources, start-ups can build robust security postures by:
- Conducting a gap analysis (e.g. against the Cyber Essentials and ICO checklist).
- Using built-in security tools (e.g. cloud monitoring and MFA) and DevOps technology
- Integrating security tasks into existing workflows.
- Using external consultants for audits or testing.
Most importantly: document everything. It shows accountability and helps reduce exposure if something goes wrong.
As the CEO of a small business, often without a broad-based team, your selection of board members or fractional consultants is critically important – particularly if security and resilience are outside your expertise. Consider joining relevant LinkedIn groups on these topics, verifying any expertise shared, and learning the basics. There are online courses to upskill you and your team.
Sector-specific considerations
If your business operates in a regulated sector such as fintech, there are additional cyber security obligations. The Financial Conduct Authority, for example, expects firms to manage operational resilience and report major incidents. If you work in healthtech and develop software for the NHS, NHS Digital has its own Data Security and Protection Toolkit. These sectors usually expect alignment with industry standards like ISO 27001. Plus, if you’re working with other countries or your data is held outside the UK, additional regulatory frameworks will likely apply. Falling short can mean fines, enforcement action, reputational damage or ongoing regulatory attention.
Incident response and breach reporting
Despite the best preventative efforts, incidents may nevertheless occur.
If/when they do, make sure you are prepared by establishing clear internal escalation procedures so that staff and contractors can report anomalies quickly.
Under GDPR, breaches affecting personal data must be reported to the ICO within 72 hours, and possibly to affected individuals. Check your contracts and Data Processing Agreements for any time reduction to the 72 hours (in reporting to your customer) or extra reporting obligations, especially if you’re acting as a processor.
Be aware that your contract may include non-UK data shares, meaning that additional data protection regulations must be considered. When considering your go-to-market approach, the regulatory position outside of the UK and the requirements that come with that may be important considerations.
Clear, prompt, and transparent communication with customers during incidents is essential. Having pre-drafted statements at the ready and a designated point of contact can streamline the process and preserve client trust.
Put simply, effective security is not optional; it is a fundamental requirement for client trust as well as compliance.
By adopting secure development practices, maintaining resilience, planning for incidents, and engaging the entire organisation, UK B2B software start-ups can scale securely while meeting legal, regulatory – and customer – expectations.
Jon Stock, Chief Information Risk Officer, PureCyber
“Security testing should not be an afterthought at the end of a project. Whilst it’s great that organisations look to conduct penetration testing against their software applications, typically this is done when it’s live, already in production and already holding sensitive data.
Whilst creating applications, it is important that cyber security is implemented in all stages of the software development lifecycle; from early product roadmaps, to planning sessions, to sprint sessions, to development, QA/testing and all the way through to production releases.”
If you need help with meeting your cyber security obligations, contact our Commercial & Technology team.