2019 has been a total disaster regarding security considerations. According to a report published by Risk Based Security (via Forbes), there were more than 3,800 reported breaches during the first half of the year, and three of them made it to the 10 largest of all time.
Data leaks are as common now as the vagaries of the weather. Withstanding such a storm is a tough challenge, especially for young companies that are too short of money to build a strong defense against digital villainy.
It’s possible, though. Here is the security guide based on the experience of the startup I work with, focusing on the options that will go at each maturity stage and won’t conflict with the future add-ins.
Nothing To MVP
You’re probably not sure yet if your business is going to raise any investments. In my opinion, your best choices are cheap or free.
• Application security: From my experience, hashing users’ passwords rather than storing them in plaintext is essential here. Also, you might not want to store credit card information for now. It falls within the scope of PCI compliance, a set of requirements that is too hard to chew on with limited money.
• Infrastructure security: You should make use of managed cloud platforms like Google Cloud, Microsoft Azure or Amazon Web Services and configure them properly. Use separate accounts for production and other environments, enclose everything in a virtual private cloud (VPC) and restrict which IP addresses can reach the environment.
Other great steps are to move your production configurations out of the code and into a separate repository and enforce multifactor authentication (MFA) on all services that engineers work with.
Also, don’t forget to restrict access to the production server and database, organizing everything through Continuous Integration tools like Jenkins or TeamCity.
• People security: Hire a reliable development and operations engineer to be sure that sensitive accesses are in good hands. Running secure coding training for your engineers will also be beneficial, as one day of their time can save your company. Additionally, a measure as simple as encrypting their laptops and providing them with antivirus software can be a life-saver if some of the gadgets get lost in a coffee shop.
MVP To Seed
You’re still short of funding but already have customers and want to secure their data properly. I believe you should keep focusing on less expensive but impactful measures.
• Application security: You should enforce a password policy for your users and run at least one penetration test, which could help you uncover hidden security weaknesses. Another good practice is to keep your app clear of the OWASP Top 10, a regularly updated list of the most critical web application security risks.
• Infrastructure security: Back up your databases, encrypt data in transit and make critical resources only available through the private VPN. These steps are simple but can save the company.
• People security: Your goal here should be to set up basic onboarding and offboarding procedures. You’ll want to revoke all access to sensitive data when people leave your stronghold. Enforcing a password management policy would be useful as well.
Another good step is running engineering-oriented security awareness training. In critical circumstances, everyone should know what to do by heart.
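The two application-security points above, hashing users’ passwords and enforcing a password policy, can be combined in one small credential store. The following is an added example, not code from the article or its author: it rejects weak passwords, derives a salted PBKDF2-HMAC-SHA256 hash per user, and verifies logins with a constant-time comparison. The common-password list and minimum length are assumed policy values.

```python
import hashlib
import hmac
import os

# Constructed list of weak passwords for the policy check; a real deployment
# would load a much larger breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 12                 # assumed policy minimum
PBKDF2_ITERATIONS = 600_000     # work factor in the range OWASP recommends for PBKDF2-HMAC-SHA256


def check_password_policy(password: str) -> list[str]:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if password.strip() != password:
        problems.append("has leading or trailing whitespace")
    return problems


def hash_password(password: str) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash and encode it as iterations$salt$hash."""
    salt = os.urandom(16)       # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iterations, then compare in constant time."""
    try:
        iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:          # malformed record: never treat as a match
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def register_user(username: str, password: str, store: dict) -> bool:
    """Store only the hash, and refuse passwords that violate the policy."""
    if check_password_policy(password):
        return False
    store[username] = hash_password(password)
    return True
```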
Seed To Series A
You are in an active development phase, might have some money and could have up to 15 engineers in the house. From my experience, this is an excellent time to establish security policies and procedures without losing flexibility.
• Application security: Running application penetration tests should be a habit at this point, but don’t hesitate to change your test vendors from time to time. It will give you fresh eyes on your defenses. Also, you should encourage your engineers to follow the Secure Development Lifecycle. From now on, security is front and center for your company.
• Infrastructure security: You might want to become a bit paranoid at this stage since your company could start attracting predators’ attention, so stop sharing any accounts. Everyone accessing a resource should have their own account with the minimum permissions they need. You’ll also want to run an infrastructure penetration test regularly and write a disaster recovery procedure. It’s vital to have a plan if something goes south.
Additionally, you’d want to know about any unauthorized attempt to access your servers. A host-based intrusion detection system should help you with that, while a vulnerability scanner should reveal weaknesses in your servers and remind you to keep their software up to date.
• People security: It’s time to get your team through a series of drills. Make an incident response policy and perform a few exercises by simulating an “end of the world” scenario. In addition, run a risk assessment exercise and carry out the company-wide security awareness program. Your nontechnical employees should know what “phishing email” means.
You’ll also want to control every workstation in your company and ensure they have antivirus software, the latest security updates, screen-locking timeouts and so on. Any mobile device management software will be of help.
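The infrastructure point above is knowing about unauthorized attempts to reach your servers. As an added example (not code from the article), here is the kind of check a host-based intrusion detection rule performs over sshd authentication logs: it counts failed logins per source address and flags successful logins from outside the ranges you allowed in. The log lines, allowed ranges and threshold are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed office/VPN ranges that may reach the servers (not from the article).
ALLOWED_SOURCES = [ipaddress.ip_network("10.8.0.0/24"), ipaddress.ip_network("203.0.113.0/24")]
FAILED_THRESHOLD = 4    # failed attempts from one source before alerting

# Constructed sshd log lines in the default syslog format.
SAMPLE_LOG = """\
Jun  3 10:01:12 web1 sshd[4121]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Jun  3 10:01:14 web1 sshd[4123]: Failed password for invalid user admin from 198.51.100.7 port 51024 ssh2
Jun  3 10:01:15 web1 sshd[4125]: Failed password for root from 198.51.100.7 port 51026 ssh2
Jun  3 10:01:17 web1 sshd[4127]: Failed password for root from 198.51.100.7 port 51028 ssh2
Jun  3 10:02:03 web1 sshd[4131]: Accepted publickey for deploy from 10.8.0.15 port 40112 ssh2: ED25519 SHA256:abc
Jun  3 10:05:44 web1 sshd[4140]: Accepted password for deploy from 192.0.2.33 port 44010 ssh2
Jun  3 10:06:01 web1 sshd[4142]: Failed password for deploy from 10.8.0.15 port 40120 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_sshd_lines(text: str) -> list[dict]:
    """Extract result, auth method, user and source IP from each sshd auth line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def is_allowed_source(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in ALLOWED_SOURCES)


def detect_alerts(events: list[dict]) -> list[str]:
    """Flag brute-force attempts and successful logins from outside the allowed ranges."""
    failures = defaultdict(int)
    alerts = []
    for ev in events:
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
        elif not is_allowed_source(ev["ip"]):
            alerts.append(f"login for {ev['user']} from unexpected source {ev['ip']}")
    for ip, count in failures.items():
        if count >= FAILED_THRESHOLD:
            alerts.append(f"{count} failed logins from {ip} (possible brute force)")
    return alerts
```

In practice the same rule would be fed from the host's live auth log and its alerts forwarded to whatever monitoring you run.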
You have a large staff and hordes of happy customers. Hence, you’ve become a tempting target for cybercriminals. I believe there is no better time for serious reinforcements.
• Application security: In my opinion, running a bug bounty program is a must-have here. White-hat hackers are the best at finding vulnerabilities in the software — except for regular hackers, of course. To detect the actual malicious activity in time, use any good application performance monitoring tool. You can also enforce the application change management procedure. Any change in your production systems and infrastructure should get extra approval from one more person.
• Infrastructure security: Use a security information and event management tool. Configure it to receive all security notifications from your servers, vulnerability scanners, intrusion detection systems and so on.
• People security: It would be beneficial to hire an IT team and arm it with a security event monitoring tool in order to manage and control all of your employees’ workstations.
Finally, use centralized account management for providing and revoking system access during onboarding and offboarding.
The modern age provides you with plenty of means to protect your business, and many of them require no more investments than your time. The only hitch is to apply them at the right moment.
You can never be immune to all kinds of hazards, but minimizing their chances of knocking you out is within your reach.
The post Council Post: Cyber Security For Startups: A Step-By-Step Guide appeared first on National Cyber Security.
Small Sydney tech company Qnect is in damage control after its customer data was reportedly stolen and held for ransom. The attack comes just weeks after ransomware known as WannaCry disabled over 300,000 computers and essential services worldwide. The hackers, calling themselves RavenCrew, threatened to publish the data – including…
The post Hackers hold Sydney start-up’s customer database for ransom appeared first on National Cyber Security Ventures.
A push towards digital economy (otherwise known as demonetization) by the Indian government is changing the way businesses and governments are run in the country. However, at the same time, these recent changes are creating vulnerabilities by moving processes online, …
The post India’s Cyber Security Startups Are Gaining Traction, Thanks To Demonetization appeared first on National Cyber Security Ventures.
TECH CRUNCH – Nov 12 – The newly-launched Venntro Ventures incubator plans to invest in and incubate tech startups in both the U.K. and U.S. who operate in the online dating and lifestyle spaces. Read More….
The post Venntro Media Will Take 40% Stake In Startups They Invest In appeared first on Dating Scams 101.