We are living in interesting times where numerous businesses are popping up and shutting down every day. As if it wasn’t already difficult to start and grow a business from scratch, startups now also face the threat of complicated cyber attacks. A few years ago, hackers’ main targets were big corporations, from which they could harvest confidential data, personal information and intellectual property. But now there is no distinction. No matter if you are a 5-employee company or a Fortune 500, if hackers find an exploit, they will leave no stone unturned to hit you hard. Hackers are expanding their sights beyond large enterprises to include any business that stores any electronic data.
If you look at it, cyber threats are becoming more critical for startups. They not only have to protect their intellectual property, they also have to maintain the trust of their small customer base. At this stage, a security breach is the last thing they would want. This article explores a few basic steps a startup should adopt to avoid major mishaps.
Securing The Data
The critical data of the company and personal information of customers are two important data sets that need to be fenced with the highest level of security.
- Examining where the data is located: Data files are mostly stored on a local or cloud storage platform when they are created, so ensuring that these files are created in a secure environment is important. If it’s on local storage like a laptop or PC, proper firewall installation is necessary. If it’s stored on a local server, then access to that server needs to be defined to protect it from unauthorized people.
- Securing the data in transit: Using SSL certificates and a proper encryption process is crucial in maintaining the security of the data. A Virtual Private Network (VPN) is a prominent option, but it can be a little costly when there is limited cash inflow. The best bet is to use a proper encryption mechanism and ensure that the key management is not flawed.
- Securing the data on a third-party server: Third-party vendors are not always reliable, and therefore it’s a good idea to encrypt the data before storing it on cloud storage apps such as Box, Google Drive and OneDrive. This ensures that vendors are not able to snoop on your data.
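One way to do the encrypt-before-upload step described above, as an added example that is not from the original article: it uses the built-in Node.js crypto module with AES-256-GCM and a key derived from a passphrase with scrypt. The function names, blob layout and sample data are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Derive a 256-bit key from a passphrase. The salt is random per file and not secret.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// Returns one Buffer laid out as: salt (16) | nonce (12) | auth tag (16) | ciphertext.
// Only this blob is handed to the storage vendor; the passphrase never leaves you.
function encryptForUpload(plaintext, passphrase) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12); // must never repeat under the same key
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), nonce);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([salt, nonce, cipher.getAuthTag(), ciphertext]);
}

// Throws if the passphrase is wrong or the blob was modified while in storage.
function decryptAfterDownload(blob, passphrase) {
  if (blob.length < 44) throw new Error("blob too short to be valid");
  const salt = blob.subarray(0, 16);
  const nonce = blob.subarray(16, 28);
  const tag = blob.subarray(28, 44);
  const decipher = crypto.createDecipheriv("aes-256-gcm", deriveKey(passphrase, salt), nonce);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(blob.subarray(44)), decipher.final()]);
}

// Constructed sample data, not real customer records.
const samplePlain = Buffer.from("customer_id,email\n1001,alice@example.com\n");
const samplePass = "constructed-demo-passphrase";
const stored = encryptForUpload(samplePlain, samplePass);
console.log("bytes handed to the vendor:", stored.length);
console.log("round trip ok:", decryptAfterDownload(stored, samplePass).equals(samplePlain));
```

The passphrase is the key-management problem the list above warns about: keep it in a password manager or secrets store, never next to the uploaded files.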
Securing The Access Lifecycle (AAA Protocol)
Securing the data is only one part of the puzzle. Managing the access to this encrypted data is equally important. If encrypted data can be accessed by anyone, the threat of data leakage increases.
- Authentication: Authentication is the process of making sure that a person is actually who he/she claims to be. A combination of email id and password is the most common form of authentication in web applications, and therefore creating strong passwords becomes a necessity for users. (Learn how to create strong passwords)
To thwart hackers trying to crack your password by brute force or any other hacking technique, two-factor authentication should be used. For startups, implementing two-factor authentication, for example a token-based One-Time Password (OTP), increases the cost but ensures better security. Similarly, while using popular services within the company, startups should take advantage of two-factor or multi-factor authentication if made available by the service provider.
- Authorization: Authorization is the process of evaluating whether a person or entity has the rights to perform a certain action in the system. This becomes especially important as the startup grows and the team expands.
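How a token-based OTP is computed and checked, as an added example that is not from the original article: it implements the standard TOTP algorithm (RFC 6238, built on RFC 4226) with the built-in Node.js crypto module. The function names, the one-step drift window and the `state` object used for replay protection are assumptions.

```javascript
const crypto = require("node:crypto");

// HOTP (RFC 4226): HMAC the 8-byte big-endian counter, then dynamically truncate.
function hotp(secret, counter, digits = 6) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = crypto.createHmac("sha1", secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;          // low nibble picks the window
  const code = mac.readUInt32BE(offset) & 0x7fffffff; // drop the sign bit
  return String(code % 10 ** digits).padStart(digits, "0");
}

// TOTP (RFC 6238): the counter is the number of 30-second steps since the Unix epoch.
function totp(secret, unixSeconds, digits = 6, step = 30) {
  return hotp(secret, Math.floor(unixSeconds / step), digits);
}

// Server-side check. Accepts the current step and +/- `window` steps for clock drift,
// compares in constant time, and refuses a step that was already used (replay).
// `state` is a per-user record the server persists, e.g. { lastUsedStep: -1 }.
function verifyTotp(secret, submitted, unixSeconds, state, window = 1) {
  const current = Math.floor(unixSeconds / 30);
  const given = Buffer.from(String(submitted));
  for (let c = Math.max(0, current - window); c <= current + window; c++) {
    const expected = Buffer.from(hotp(secret, c));
    if (given.length === expected.length && crypto.timingSafeEqual(given, expected)) {
      if (c <= state.lastUsedStep) return false; // code already consumed
      state.lastUsedStep = c;
      return true;
    }
  }
  return false;
}

// Constructed demo secret; a real one is random and provisioned per user.
const demoSecret = "constructed-demo-secret";
const demoNow = Math.floor(Date.now() / 1000);
const demoState = { lastUsedStep: -1 };
console.log("code now:", totp(demoSecret, demoNow));
console.log("accepted:", verifyTotp(demoSecret, totp(demoSecret, demoNow), demoNow, demoState));
```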
Though all organizations have a legal agreement with employees, it is not uncommon for disgruntled employees to air the dirty laundry of the company when they leave the organization. It has happened with Zynga and Whole Foods and you could be the next in line.
- Access: Access rights must only be granted to an employee based on the role or function he performs. For example, a marketing guy should have access to apps such as Hootsuite, the corporate blog, Kissmetrics, etc., to allow him to work effectively. He should not, however, have access rights to the company’s accounting app.
The strength of a company is in its IP, its employees, and its digital assets, and so they must be properly protected. Managing access rights to critical data can save the business from the risk of brute-force attacks, data breaches and regulatory violations.
- Audit: Auditing is the process of monitoring and keeping a log of the above three activities. When employees regularly access the company’s resources, it’s important to monitor what they are doing with them. Startup employees mostly have strong bonding and mutual trust, but not all employees work towards the vision of the company, and a falling out with the management is not a rare scenario. Auditing provides assurance that controls are in place and that user access privileges are managed and monitored according to the company policy and government regulations.
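The authorization, access and audit steps above combined, as an added example that is not from the original article: a deny-by-default role check that records every decision and cuts off access when an employee is offboarded. Role names, app identifiers, user ids and function names are illustrative assumptions based on the marketing example.

```javascript
// Constructed role-to-app map; identifiers are illustrative.
const ROLE_APPS = new Map([
  ["marketing", new Set(["hootsuite", "corporate-blog", "kissmetrics"])],
  ["finance", new Set(["accounting"])],
]);

function createAccessControl(roleApps = ROLE_APPS) {
  const users = new Map(); // userId -> { role, active }
  const auditLog = [];     // append-only: one entry per decision or admin action
  const record = (entry) => auditLog.push(Object.freeze({ ...entry, at: Date.now() }));

  return {
    addUser(userId, role) {
      users.set(userId, { role, active: true });
      record({ action: "grant-role", userId, role });
    },
    // Offboarding disables the account in one place, so access ends with employment.
    offboard(userId) {
      const user = users.get(userId);
      if (user) user.active = false;
      record({ action: "offboard", userId });
    },
    // Deny by default: unknown user, offboarded user, unknown role or unlisted app all fail.
    canAccess(userId, app) {
      const user = users.get(userId);
      const apps = user ? roleApps.get(user.role) : undefined;
      const allowed = Boolean(user && user.active && apps && apps.has(app));
      const reason = !user ? "unknown-user" : !user.active ? "offboarded"
        : allowed ? "role-permits" : "role-forbids";
      record({ action: "access", userId, app, allowed, reason });
      return allowed;
    },
    // Audit view: denied attempts per user, the entries worth a human look.
    deniedByUser() {
      const counts = {};
      for (const e of auditLog) {
        if (e.action === "access" && !e.allowed) counts[e.userId] = (counts[e.userId] || 0) + 1;
      }
      return counts;
    },
    log: () => auditLog.slice(),
  };
}
```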
Securing Cloud Infrastructure
Public cloud has come a long way in helping startups reduce their operational cost, store huge amounts of data, and access it from anywhere via any device. However, it has its demerits, the most prominent being the multi-tenant architecture, where multiple entities share the same server. If a hacker is able to break into the server encrypted by a cloud service provider, in a multi-tenant service, chances are he will be able to steal the data of hundreds of different business customers all stored on that database. It’s a valid concern, and it is a fiduciary responsibility to protect even against a suspected vulnerability.
Primarily you have two options to safeguard your data:
- Encrypt the data and then store it on the cloud. It is not always feasible as sometimes files need to be in an unencrypted format to achieve the desired results. For example, if you’re uploading source code (HTML and CSS) of your static website on a shared server, you can’t encrypt it or it will never work.
- Understand and verify the security infrastructure and processes deployed by the service provider. This will require you to weigh the different security measures provided by different service providers and select the best according to your needs. All service providers adhere to the compliance requirements (mostly!!) of their own and their customers’ regions. Regular audits are conducted to maintain the security standards; however, this doesn’t guarantee the safety of your data, as in the recent Target security breach, where it was found that Target was PCI compliant but still faced the massive breach.
Secure Coding Practices
Enough has been said about following secure coding practices, but when the choice comes down to shipping the product or securing the code, companies in a haste to secure customers often choose the former. As a matter of fact, most companies do not focus on security right from the start; rather, they patch it in later on when they realize its importance.
For more insights on best practices you can go through Apple’s Secure Coding Guide.
In the game of getting ahead of competitors, most service providers try to capture as much data from users as possible. The data can range from personally identifiable information to their usage pattern inside the application. If the company doesn’t have proper security in place, how would they be competent in handling the user’s information?
The user’s data is also sometimes sold to third parties, and if that’s not the case, it is being used to target advertising at them. Though it sounds like a great marketing tactic, the fine line is crossed more often than not and the privacy of users is killed mercilessly.
For example, almost all the services require users to register using an email address. If a company has ten thousand users, they can essentially use those ten thousand email addresses to run highly targeted Facebook advertising campaigns.
It’s important to respect the privacy of users, and hence only as much data should be collected as is required to give the complete experience of the service.
Security seems like an abstract concept to most companies and is therefore kept as the second priority. If 99% of startups fail, a fair share shut down due to a significant amount of data loss or loss in reputation because of a security breach. It therefore becomes a critical element in the success of any company.
It’s about time you start embracing it; it can’t be ignored forever.