For startups, user growth, product growth, virality, marketing usually goes on the top of their priority list. As part of product planning cycles, embedding information security into their product/service is the last concern for most startups.
What is deeply ignored here? Information and data security.
Often you see DevOps engineers, systems engineers, infrastructure engineers or system administrators wear the security hat in these startups and perform some of the small security fixes or patches. Even though they can research the procedures to apply patches, harden databases, or implement remediation in response to industry breaches, they might not make every decision or choose every option from a security perspective.
Consider the Code Spaces startup breach, which essentially put them out of business because of improper hardening of the root passwords and failure to follow the AWS security best practices. This deeply ignored lack of security awareness has cost millions, and in the case of some companies has even led to shutdown because of the loss of data and reputation.
Robert Hansen, the director of product management at WhiteHat Security, said persuading start-ups to invest in security could often feel like "talking to a brick wall."
I'm going to share some of my startup security experiences about 7 deadly sins that startup security professionals often fail to recognize. Applying information security practices in startups and medium and large sized organizations needs shifting your mindset in deciding the right controls for your organization.
1. Lack of understanding of your business threats
Cyber security is not just an issue for governments and FTSE 100 companies; cyber attacks can affect every business, however large or small.
According to last year's Information Breaches Survey conducted by PwC for the Department of Business Innovation & Skills:
87% of SMEs had a security breach in the last year; and only 9% of small organizations know that outsiders have stolen confidential data.
It is very important that you understand your business threats before you can protect your data. Perform a risk assessment and prioritize your data, assign threat levels, assign a risk score and evaluate the appropriate controls for the risks you want to protect against. Pragmatic risk management isn't about trying to anticipate and mitigate every source of risk. For example, the risks for a bitcoin startup will be different from the risks for a startup that specializes in IoT.
2. Misalignment with your IT strategy
Security engineers need to be fully involved while setting up the IT strategy. Unless you clearly know whether your servers will be hosted in a third-party public cloud by a third-party firm (SSAE16/ISO27001 certified) or whether it's better to bring your infrastructure in-house in the near term (2 years), you cannot clearly frame your security strategy around it.