Secure Your Startup: Cybersecurity Advice from the Trenches

You have an innovative startup, and it’s finally starting to generate some business. Then, out of nowhere, you have a major security breach. Just like that, everything you worked, hustled, and planned for is jeopardized.

It won’t surprise anyone to hear that, in 2018, businesses of all stages and sizes should take their security seriously. The world today is riddled with people trying to access and take advantage of private information, from Social Security numbers and banking information to internal communications and email addresses.

But for startups with limited resources, handling security can be somewhat of a challenge. Who should be responsible? What are the best practices for protecting your infrastructure when you’re a tiny team taking on the entire cybercriminal world?

In Austin, Texas, SXSW Interactive 2018 recently brought together a security expert and a startup founder to answer those pressing questions from their own perspectives.

Here are a few pieces of advice from the trenches.

1. Add “Security” to Everyone’s Job Description

Whose job is security? Everyone’s, the panelists argued.

They recommended adding security to everyone’s job description, including your own. As Patrick Coughlin of TruSTAR Technology emphasized, including “security” in all your team members’ job descriptions ensures everyone takes ownership of the information they’re working with.

By now, most of us are familiar with Equifax’s massive security breach. After exposing millions of Americans’ personal information to cybercriminals on the black market, it became a hard-to-miss story. In the congressional hearing, Equifax representatives stated that their Chief of Security was made aware of the vulnerability via email.

But, according to George Chamales of CriticalSec, what goes largely unnoticed is that the warning email was only one of the thousands of emails the Chief of Security received that day. Is it any wonder that one essential email was missed in that sea of messages?

One lesson we can learn from Equifax’s experience is to not put that amount of pressure solely on the shoulders of one person or team. Coughlin went on to say that security is often seen as a specialized art, but in reality, it shouldn’t be.

Instead, he said, task your existing engineers with the security projects. As your resident experts on their respective systems, they will not only perform better than a security generalist, but can also use their insider knowledge and status to preemptively stop breaches.

2. Make Your Security Enhance Your Operations

Good security should not come at the expense of your business’ speed and efficiency. If you find yourself hindered by your security efforts, you’re doing it wrong.

The first thing you need to do is to simplify: less is more. Whatever security system you put in place needs to be 100 percent dedicated to security. Coughlin and Chamales laid out four tips and techniques you can use for streamlining the process.

Infrastructure Service

One time, Coughlin tried to access his website, only to discover a hacker had come in and broken the entire thing. It could have been a game-ender. As entrepreneurs know, the longer your site is down, the more money goes down the drain.

But since his website’s infrastructure was set up properly from the start, his engineering team (not security team!) was prepared to investigate, identify, and eradicate the problem immediately. This moment reminded Coughlin of the importance of not only staying organized, but also utilizing the talent of his engineers: they already knew the ins and outs of the system, and therefore were adept at fixing it.

Secret Service

It’s a cool name, but you’re not protecting the president — just sensitive logging credentials.

In order to protect logging credentials in your own environment, it’s important to have an internal structure for managing them, what Chamales called a “secret service.” Counting on people offsite can lead to problems.

As an example horror story, Chamales discussed the recent incident when Oculus was brought down by an expired security certificate. All of their software stopped working, and because they didn’t manage it themselves, their customers had to manually download a patch. It was a huge hassle and pointed to the inefficiencies and insecurity of their system.

Avoid Oculus’ mistake: make your own secret service, and protect yourself onsite.

Backup and Restore

Back in 2014, a company called Code Spaces experienced a breach. Their entire infrastructure was wiped out, and they couldn’t recover it. The breach ultimately put them out of business.

Companies don’t have to be wiped out by breaches if they maintain backups. Backups do more than restore lost data: they’re also a tool you can use to thwart hackers in the event of ransomware attacks.

Change Management

The last takeaway is to ensure only your people can alter your infrastructure.

A team of security researchers recently discovered a vulnerability in Tesla’s cloud environment that enabled them to tap into Tesla’s computer resources. Even worse, the researchers realized they weren’t the first to notice it: hackers had already breached the cloud and were using it to quietly mine cryptocurrency.

It’s important to have security settings and procedures in place that only allow your people to make changes. But it’s also a good idea to have two levels of procedures – one for general code pushes and one for “hot fixes,” so your team doesn’t have to wait for lengthy approval processes to fix critical issues.

3. Use Security as a Competitive Advantage

Once you have all of these security measures in place, you’ll not only enhance your day-to-day operations, you may also have a competitive edge in your industry.

Take, for example, the Vendor Risk Assessment. Many large companies ask potential partners to fill out this 1683-question security survey, which is a time-consuming process to say the least. Naturally, vendors that can streamline the risk assessment process will have a faster time-to-purchase and less repetitive work to deal with.

Coughlin’s company tackled this issue by becoming SOC 2 compliant, a rare distinction for early startups. By going through the process of SOC 2 compliance and maintaining an ongoing Vendor Risk Assessment document, his team was able to cut their time-to-sale in half.

The moral of the story? Go above and beyond when it comes to implementing and documenting your security policies. It’ll make it easier for you to earn the trust of potential partners when it counts.

Your Start-Up and Security: One and the Same

In the end, there’s no silver bullet for startup security, but recognizing the role security needs to play in day-to-day tasks and policy setting is a great place to start. If you’re part of an established startup, set a strategy and timeline for incorporating security in each person’s job description and getting the correct policies in place. If you’re just starting out, even better — get it right from day one.

It won’t happen overnight, but each small step makes a difference. So get your entire team involved now, and ensure your business operates securely — it’s too important to get wrong.
