By Mikko Hypponen
Today, all companies are software companies — and this definitely applies to startups, too. Practically every startup ends up writing code, even if technology isn’t the main focus of their company.
Here’s a ten-part checklist to help you and your hot new startup avoid the most common security pitfalls:
1. Note that speed is the enemy of security.
The faster you move, the faster you develop, the faster you deploy — the less time you have for bug checking, quality assurance and testing. Security is not something you can add to a ready product, it has to be built in from the design phase.
2. Do not invent stuff which has been invented already.
There are trusted and tested principals that will save you time and make you safer. Definitely do not develop things such as encryption or hashing algorithms by yourself. Just don’t.
3. Trust the cloud.
Most startups today choose to go for cloud services such as AWS, Azure and GCE anyway, which is also good for your security. Amazon, Microsoft and Google are investing hundreds of millions of dollars into their security. This means that breaking into the servers that run the largest cloud providers is hard.
4. …but use the cloud right.
The easiest way to screw up with cloud servers or cloud storage is to lose credentials. Make sure your developers use strong, unique passwords on all cloud services. Actually, forget that. Just make sure your developers use a password manager. Also, make sure everybody understands the risks of posting Private API keys to GitHub or pasting AWS Access keys to Pastebin. At the end of your next all-hands dev meeting, open shhgit.darkport.co.uk on the projector and let everybody watch for five minutes. That should do it.
And while we are on the topic of passwords…
5. …make sure everybody has their mobile devices locked by default.
(Face ID or Touch ID is fine). And make sure users enable two-factor authentication where possible. SMS is good, but an Authenticator app is much better. You can get fancier solutions for this, but frankly, Google Authenticator works fine. Also, do not force regular password changes on your users for no reason.
6. Get a Mac.
When I walk around in startup events, everybody seems to be rocking a MacBook. Macs are great for security, but probably not for the reason most people think. OS X is actually less secure than Windows 10 in many ways. However, as Mac market share hovers only around 10% and most organized cybercrime gangs have existing expertise in Windows, criminals keep focusing on Windows. This is why we see much fewer attacks on Mac. Do note that Mac users fall for phishing just as easily as Windows users — and iPhone and Android users fall even better, as there are fewer safeguards on them, and detecting a fraudulent lookalike URL is harder on a smaller screen.
7. Back up.
Ransomware continues to be one of the biggest problems we see. Recovering from ransomware attacks would be easy if you’d always have an up-to-date backup of your data. Surprisingly, many companies cannot restore their data when they are attacked. This happens often because backups are online and are deleted or encrypted by the attacker. This is why cloud backup and Time Machine systems alone are not good enough for backup. Have regular off-line backups that will survive even if your office building burns down.
8. Patch it.
Update prompts are annoying, but almost always the reason for the update is security. So update your OS. Update your applications. Update your apps. This seems obvious, but updating can fail for surprising reasons. I was recently working with a University network that was hacked because of a vulnerability on a remote-access server; it wasn’t running the latest version. This happened even though the administrators had enabled automatic updating on all servers. What went wrong? Well, the hard drive of the server was full, and it didn’t have enough space to download the patches. So the updates did not deploy, and they got hacked.
9. Prepare for people moving around.
In the fast-moving environment of a startup, people come and go all the time. Make sure your people do not take their access rights with them. Make sure you can lock people out of your repositories and cloud systems. Make sure you can change passwords and access rights as needed. It’s especially easy to get burned with shared passwords you use for your corporate social media accounts. Use password managers with shared secrets and force a password change on public company accounts whenever someone who had access leaves the company.
10. Watch out for business email compromise.
Even startups get hit by these attacks, sometimes known as ‘CEO scams’. Make sure you know who exactly can move money in the company, and make sure they know how modern BEC scams work. These attacks are way more complex than traditional fake billing scams.
11. Double-check your stuff.
Yes, I said this would be a top ten list and this is item eleven. So, I lied. Better get used to that too. Make sure your developers can identify and fix the common security vulnerabilities. Then have your app security tested. Have your network pentested. Have your code audited. And when you know your stuff is safe, your next challenge is to convince your customers that you can be trusted, even though you’re just a startup. One tip there is to get experienced advisors to join you, validating your security process and vouching for you where needed.
Good luck, and all the best.