I love security. And I love startups. Which is why I co-founded a security start-up. Unless you’re running a security startup too, you’ve probably not thought too much about security yet, even though you know you should, because it’s in the news and vendors try to scare you half to death with this stuff. So, it’s there, somewhere at the back of your mind.
Problem is, it’ll jump right to the front of your mind when this day comes around:
Investor / your first major client: “I need to see your latest pen-test report and your Information Security Policy before we can do business.”
You (lying): “Absolutely, that’s definitely in my eh…filing cabinet back at the office. I’ll send it when I’m back there on Monday.”
Narrator: “But there is no report. There is no policy. In fact, there’s no filing cabinet or even an office; these guys are working from their Granny’s converted attic.”
Now in this scenario your next move will be to make panicked calls to vendors who’ll charge you eye-watering ‘wedding price’ rates to get the report and policy done in time. But it doesn’t have to be like this - there is another way.
To guide you, I’ve pulled together my top tips that any founder can use to make their startup more secure from the outset. Naturally, I’ve peppered them with startup-y terms to make it sound like I’m one of you, and I’ve even titled each section with a beautiful rhyme to help you remember each tip.
1. For security to be high standard, apply it like you would fake tan-dard.
As a start-up you might be tempted to think that Security is something that can wait till you’re bigger and can afford it. After all, you’ve better things to be doing (bean-bag shopping) than making sure your software is up to date.
But the reality is that most big companies are less secure than yours - not more. This is because companies generally start thinking about security too late, which just makes everything a million times more costly. Being small puts you in the enviable position of having a clean slate.
Startup types talk about ‘technical debt’ a lot, but ignoring security for too long is the hardest kind of debt to get out of. It truly is the payday loan of technical debt.
So, the number one rule is: Start early, doing a little of the right stuff, and doing it often. Think of it like gardening, or applying fake tan (I’ve been told that’s the general principle for applying fake tan anyway).
2. Find what would cause the greatest loss, and protect that asset at all costs!
As a start-up you’ll have limited budget and limited time. This forces you to focus your effort on protecting what is most valuable. First identify those core elements that your company would die without. No, not the foosball table, dammit, focus! Then figure out a plan to keep them as secure as possible and action it. More on the details of the plan to follow…
3. Everyone knows that policies are boring, but an Info-sec one is worth exploring
Writing an information security policy is literally the last thing you want to be doing in your startup, as it cuts into valuable time you could otherwise be spending nominating yourself for industry awards. But the act of actually writing this policy from scratch (not just googling/cut & pasting) is an incredibly useful exercise.
So pull up the bean-bags in the beer-pong room and get some colleagues to think about the 10 biggest risks to your startup. What common-sense rules could you put in place to prevent them?
A security policy could (should in fact) start off as a super-simple list.
Don’t leave passwords on post-its that are visible on LinkedIn video tours of your exposed-brick WeWork offices
Don’t let Dave from the social media team have access to the payroll files
Then expand this list into a simple, sensible policy that evolves over time. Build it into the staff handbook, so that newbies have a simple set of instructions to adhere to.
In particular make sure your policy makes people aware of the threat of social engineering as it’s highly likely your company will be a victim of this some day. I didn’t say this was going to be a pep talk.
4. Multi-factor authentication, gonna save the entire nation (shun, shun)
People who know about security go on about multi-factor authentication. A lot. And with good reason: MFA makes life sooooo much more difficult for hackers. I’ve seen a startup fold in the first 6 months because they had their Gmail hacked into - no joke. Turn MFA on everywhere it’s available, but it’s absolutely necessary on these accounts:
Your email (Gmail/Office 365)
Cloud-based hosting providers (e.g. AWS login)
Software repos (this may have to be client-side certificates, more info here)
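One way to check the “MFA on your cloud login” rule rather than just hoping it holds, written as an added example that is not part of the original post: AWS publishes an IAM credential report (`aws iam generate-credential-report`, then `aws iam get-credential-report`, which returns the CSV base64-encoded) listing every user with a `password_enabled` and an `mfa_active` column. The snippet below parses a constructed sample in that layout (a subset of the real report’s columns, with made-up account IDs and user names) and lists the principals that can sign in to the console without MFA, root included.

```python
import csv
import io

# Constructed sample in the column layout of an AWS IAM credential report.
# Only a subset of the real report's columns is shown; the account ID and
# user names are made up for illustration.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true
alice,arn:aws:iam::123456789012:user/alice,true,true,false
dave,arn:aws:iam::123456789012:user/dave,true,false,true
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false,true
"""


def users_missing_mfa(report_csv: str) -> list:
    """Return the names of principals that can sign in to the console without MFA.

    A user is flagged when password_enabled is "true" and mfa_active is not "true".
    The root account reports password_enabled as "not_supported" (it always has a
    console login), so it is judged on mfa_active alone.  Access-key-only users
    such as deploy-bot have no console login and are not flagged here.
    """
    flagged = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        console_login = (
            row["password_enabled"] == "true" or row["user"] == "<root_account>"
        )
        if console_login and row["mfa_active"] != "true":
            flagged.append(row["user"])
    return flagged


if __name__ == "__main__":
    # On a real account, feed in the decoded report content instead of SAMPLE_REPORT.
    for name in users_missing_mfa(SAMPLE_REPORT):
        print(f"MFA not enabled for console user: {name}")
```

Run against a real report, an empty list is the result you want; anything else is a login the policy from tip 3 should not allow to exist.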
5. Don’t be too proud to run your startup from the Cloud
You’re a startup. Dream big. You’re the next unicorn, you’re going to have an IPO exit in 3 years, then spend the rest of your life sitting on the board of blockchain and AI startups. This might be a somewhat controversial bit of advice, and it’s certainly not a blanket recommendation for every startup. But in terms of economy, scaling and security, for most startups it’s better to use cloud-hosting (AWS, Azure, Digital Ocean, Google) for pretty much everything.
That way you pass the headache of maintenance and software updates over to people who actually want to do it, leaving you to get on with what you’re good at - inflating user numbers for the purposes of a higher A-round valuation.
Remember though, you need to understand what you are responsible for and what the cloud provider is responsible for.
As a simple example: if you’re running your web app in the cloud you are responsible for the security of the app, whilst the provider is responsible for the security of the web server. Where exactly that line sits depends on the service you buy; the more managed the service, the more of the stack the provider looks after, so check the provider’s shared-responsibility description for each service you use.
6. The basics of security you should recall, unless painfully you wish to fall.
A while back, I wrote an award-winning* article about the simple steps to secure yourself as an individual. These steps are just as applicable to your start-up and to your staff. So, as the head-honcho it’s up to you to breed these five elements into your culture like your company was a petri dish and security was an antibiotic-resistant superbug.
Use Anti-Virus and Firewalls
Keep machines automatically updated
Do cloud backups
Use password managers
Be aware of social engineering
I highly recommend you read this highly entertaining, yet informative, article and add the relevant procedures to your information policy.
*OnSecurity award for best article written by an OnSecurity employee on that particular day
7. Don’t know much about Security? Then you should call OnSecurity (or other vendors of Security). (Not my best rhyme, I’ll admit.)
How much does your company know about Security? Probably not a lot, and that’s OK. Just like with any other problem, if you don’t have the skills then get some outside help with it, or have key staff trained up to be more secure in their roles. More than likely it will be a few years before you’re in a position to hire dedicated security folks, so reach out.