What Startups Get Wrong About Security
It's never too early to think about it.
You had a great idea that is somehow also making money, and you’ve decided to bootstrap it into a full-fledged company.
Congrats, you have a startup. In today’s market, it seems like we are all being pushed to build, grow, and sell — over and over and over. It seems like there’s no time to think about anything else. If you’re not developing something that will directly contribute to the product’s success, it seems like a waste of time.
This is the mindset of today’s startup founder. It’s the mindset of many CTOs and engineers pushing development forward without best practices being met, because “we can reiterate later”.
The hard truth is that “later” rarely ever comes. This is how bad operational security practices and, in the case of software companies, vulnerable code gets baked into an otherwise great product.
Here’s another hard truth: not paying attention to security, even from the outset, drastically increases the odds of failure for your company. It’s been estimated that nearly 60% of small companies get hacked each year.
What do you think it means to your client base when your product is hacked, and their private data is stolen because of you? You could be facing massive losses of revenue and, even worse, lawsuits. That’s a surefire way to crumble the foundation of a fledgling company.
So what are you doing wrong? How can this be fixed so you never get hacked? Well, I have some bad news — you’re going to get hacked. It’s just a given. However, there are steps you can take to greatly minimize the effects of such an attack and protect your golden goose from slaughter.
It starts with a game plan
Repeat after me: “If I don’t have a plan, I’m a big stupid idiot”. Sorry, not sorry. If you don’t have an official security plan, you’re really just telling the universe “well, it’s up to you how things work out for me”. Take responsibility, and include the following concepts in your plan:
- What tools/technologies are protecting my intellectual property?
- Is the communication across my company secure?
- In the case of software, are we checking every new development for best security practices? What sort of review process do we have?
- How are we managing access to company assets?
- What are we doing to train employees in security awareness?
- How are we tracking the safety and security of our employees?
I don’t expect you to just know the answers to all of these right off the bat. You need to do your research, and speak to your team. Let’s go over some of the key points.
Using and keeping track of security tools
In general, it’s just good practice to require some kind of anti-virus software on employee machines, and to track the security patching of these machines to ensure they are up to date. On top of that, you may want to bring in other tools like password safes (KeePass and LastPass are popular choices). You may also want to require employees to install browser extensions to block unwanted scripts and tracking.
All of this is totally up to you, the important part is that you have some way of protecting your employees from common attacks, and that you are both requiring compliance across the company AND tracking who is compliant/non-compliant. Without accountability, people will nearly always choose the path of least effort.
Keep communication secure
I always think of this one (nameless) client I had long ago when I bring this up to someone. I took on a security contract to pentest their product in blackbox fashion (no access was given, it was completely blind from the outside). To discuss the specifics of the engagement and give daily reports, I was given access to their Slack workspace.
I quickly realized two things: there were public channels that should have been private, and some very important people were very cavalier with how they shared mission-critical information. Within about an hour, I had access to everything from production servers to vendors, and even banking information.
Moral of the story: communication should always be on a need-to-know basis. If someone doesn’t need to know, they should’ve have access.
Security training is critical to success
I get it. You’ve never been hacked (that you know of) before, so why should you spend the time and resources on security training for your company? Obviously, they’re doing OK because nothing bad has happened. That’s like saying some guy without medical training is fine being a doctor because he hasn’t killed anyone.
Get your hands on some legitimate security awareness training and make participation mandatory. If you’re feeling really zealous, require a basic security certification from all employees as well as ongoing training. It might seem like overkill, but take a page from our armed forces — even the mess hall cook went to basic training. The company grows as a whole when the individual parts are strengthened.
If your company is more than a few people, consider implementing a phishing simulation program as well. You can set this up yourself, check out my article on choosing the right platform to get started. Phishing has been the #1 attack vector for years and is only getting worse. Spending a little extra effort on this training will pay off.
Monitor the safety of your employees
I’m not saying that you need to track their every move, or install spy software on their machines, but you should at least be monitoring whose data gets leaked. One way to do this is to sign up for Dark Web Monitoring.
I don’t think I need to go into great detail why keeping track of your employees’ stolen credentials is a great idea. I’m sure your imagination is doing all of that for me. This is one cost that will continue to pay for itself in damages prevented.
Just care. Take the time to plan ahead. Tell yourself that it’s ok to spend time and money on security. Treat security like any other resource you need to be successful. It’s just one of those things that you don’t need until you really, really do — and then it’s too late. Don’t be an idiot, be prepared.
Ethical hacker and IoT security specialist.