Know your weak spots:
Keep your startup watertight.
This original post was written by Arun K Buduri, Co-Founder and President of Pixm, a B2B cybersecurity solution offering on-device phishing prevention at the point of click, and a Boston Founder Institute mentor.
While cyberattacks are a pain for companies of any size, the potential fallout of breaches can be particularly devastating for startups. A recent report by insurance carrier Hiscox estimates that cyberattacks cost businesses of all sizes $200,000 on average, and that 60% of small businesses that suffer an attack shut down within six months of a breach.
Hackers are getting smarter, and their toolbox of tactics is becoming much more complex. With 43 percent of cyberattacks targeting small businesses -- and an average of six months before founders tend to realize they’ve been compromised -- early-stage startup founders need to be thinking about protecting their products and businesses from attacks from the first step of their entrepreneurial journeys.
As Zack Whittaker from TechCrunch puts it, “baking in security from the beginning is easier than taking it on down the line.” In this article, we will offer the questions startup founders should be asking themselves to plug the leaks at an early stage of their company’s development:
Understand what hackers are targeting
The first step in putting an effective cybersecurity defense strategy in place is understanding which elements of a company’s infrastructure are most at risk. Most cybercriminals don’t hack businesses for fun; they aim to profit from their hacks, either by holding data/IP for ransom or by selling data to third parties. As such, it is important to understand what hackers are targeting. Generally, this includes:
- Customer data
- Employee data
- Application functionality which can be held to ransom
- Access to email accounts, and third-party contact and financial information
Generally, hackers will target startups to gain access to their sensitive data. However, sometimes they will target a specific startup to use it as a vehicle to attack a higher-value target that the company is in contact with, be that a law firm it works with or a VC firm it is in talks with. And there is no better way to ruin a relationship with a potential investor than letting them know their system has been hacked because of your startup’s poor defenses.
Generally, there are five main areas in a startup’s overall infrastructure which are most at risk:
- Application
- Source code
- Data
- Infrastructure
- Email and security
Application
When a startup is at an earlier stage of development, and its product or service is being used by a smaller number of users, it is generally easier for founders to put measures and processes in place that will protect their data as the product scales.
If founders leave this until too late -- as so many do -- the process of plugging holes will be much more costly and labor-intensive, and the potential fallout from a hack will be much graver.
A startup’s application is typically split into the front end (webpage/visual/app UI) and the backend (the engine behind the UI which makes the magic happen). Generally, hackers will try to target the backend of the application, as this will allow them not only to control the front end, but also to access sensitive data.
As an example, the iconic retailer Macy’s was recently hacked after part of the backend serving the section of the store’s website that processes online payments was breached, allowing hackers to ‘skim’ card details via a ‘man-in-the-middle’ attack.
The breach wasn’t detected for a whole week, as customers’ payments were going through seemingly as normal. But while globally recognized brands like Macy’s have the resources and the brand reputation to pull themselves out of this hole, this type of breach would have been a death sentence for an early-stage company.
To ensure their applications are secure, founders should ask themselves the following questions:
- Where do you store your data?
- Is all customer data stored in public cloud storage? Is access to it controlled? Note: typical S3 storage buckets on AWS are open to the public unless you explicitly protect them.
- How will customers log in to your service?
- If a customer enters a password, are you sending this in plain text to your backend to authenticate? This is a big no.
- Are you using storage services which require login authentication?
- Are you paying to have HTTPS turned on for your website?
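The password question in the list above leaves one point implicit: HTTPS protects the password on its way to the backend, and what the backend must then avoid is ever storing or logging the password itself. The following is an added example written for this article (not code from the original post or from Pixm) showing how a backend can accept a password over the TLS connection, keep only a salted PBKDF2 hash, and verify later logins in constant time. The record format, the iteration count and the in-memory user store are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example: PBKDF2-HMAC-SHA256, a random 16-byte
# salt per user, and a fixed iteration count. A stored record looks like
# "pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>".
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a salted hash for storage; the password itself is never stored."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iter_s, salt_hex, hash_hex = stored.split("$")
        iterations = int(iter_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: fail closed rather than crash
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def register(users: dict, username: str, password: str) -> None:
    """Store only the derived hash for the user (in-memory store for the example)."""
    users[username] = hash_password(password)


def login(users: dict, username: str, password: str) -> bool:
    """Authenticate without revealing, through timing, whether the username exists."""
    stored = users.get(username)
    if stored is None:
        hash_password(password)  # burn the same amount of work for unknown users
        return False
    return verify_password(password, stored)
```

The iteration count is part of the stored record so it can be raised later and old records re-hashed on the user's next successful login.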
Source code
Source code is a startup’s entire IP. As such, it goes without saying that it needs to be locked down. Nowadays, there are a number of private repositories available to store your source code, like GitHub. However, it is important to mention that free accounts on these platforms will leave your code public, so it is essential to pay for private storage. Even if your startup is part of the growing trend of open source projects, it is vital to protect your code using the recently launched GitHub Security Lab.
I recommend setting up multi-factor authentication (MFA) along with strong, random passwords to access the source code. However, be warned that the FBI recently highlighted advanced attacks capable of bypassing this measure.
If a startup is working with contractors, it is advisable to have them sign NDAs, and to create separate source-code branches that grant access only to the specific tasks these developers need to work on at any time. Founders should ask themselves the following questions:
- Who has what kind of access to what source code?
- What kind of third-party libraries are you using in your source code?
- Are you tracking vulnerabilities in your third-party libraries?
- Are you integrating any third-party services into your code? For services like Stripe, does the API access you grant have limited or unlimited scope?
- What kind of licensing do the third-party libraries have?
The last point about third-party libraries is often overlooked, but is in reality a life-or-death issue for startups. Founders should carefully review all licensing agreements and check whether each library uses a ‘free to use’ license, a General Public License (GPL), or something else. If you are not careful, you would effectively be offering up your proprietary source code for free.
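Two of the questions above (tracking vulnerabilities in third-party libraries, and knowing their licenses) can be answered by the same audit over a pinned dependency list. The following is an added example written for this article, not code from the original post or from any project it mentions: it parses a constructed requirements file, flags pinned versions that fall inside an advisory's affected range, and flags copyleft or unknown licenses. Every package name, advisory identifier and license entry here is hypothetical; in practice the advisory and license data come from a live feed or from the package metadata itself.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a pinned requirements file; every package name is hypothetical.
REQUIREMENTS_TXT = """\
# pinned dependencies (constructed example)
acme-http==2.19.1
acme-yaml==5.1
acme-gpl-widget==1.4.0
acme-json==0.9.2
"""

# Constructed advisory data, not from any real database:
# package -> list of (introduced_version, fixed_version, advisory_id)
ADVISORIES: Dict[str, List[Tuple[str, str, str]]] = {
    "acme-http": [("0", "2.20.0", "EXAMPLE-ADV-001")],
    "acme-yaml": [("0", "5.4", "EXAMPLE-ADV-002")],
    "acme-json": [("0.9.0", "0.9.2", "EXAMPLE-ADV-003")],  # 0.9.2 is the fixed release
}

# Constructed license metadata keyed by package name (SPDX identifiers).
LICENSES: Dict[str, str] = {
    "acme-http": "Apache-2.0",
    "acme-yaml": "MIT",
    "acme-gpl-widget": "GPL-3.0-only",
    "acme-json": "BSD-3-Clause",
}

# License families whose terms a founder should review before linking them
# into a proprietary product.
COPYLEFT_PREFIXES = ("GPL-", "AGPL-", "LGPL-")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.19.1' into (2, 19, 1) so versions compare numerically, not as strings."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def parse_requirements(text: str) -> Dict[str, str]:
    """Return {package: pinned_version}; refuse unpinned lines, since they cannot be audited."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.\-]+)==([0-9][0-9A-Za-z.\-]*)", line)
        if not match:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        pins[match.group(1).lower()] = match.group(2)
    return pins


def find_vulnerable(pins: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Flag (package, version, advisory, fixed_in) where introduced <= version < fixed."""
    findings = []
    for name, version in pins.items():
        current = parse_version(version)
        for introduced, fixed, advisory in ADVISORIES.get(name, []):
            if parse_version(introduced) <= current < parse_version(fixed):
                findings.append((name, version, advisory, fixed))
    return findings


def find_license_issues(pins: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag copyleft licenses and packages whose license is unknown."""
    issues = []
    for name in pins:
        license_id = LICENSES.get(name)
        if license_id is None:
            issues.append((name, "UNKNOWN"))
        elif license_id.startswith(COPYLEFT_PREFIXES):
            issues.append((name, license_id))
    return issues


def audit(requirements_text: str) -> Dict[str, list]:
    """Run both checks over one requirements file."""
    pins = parse_requirements(requirements_text)
    return {"vulnerable": find_vulnerable(pins), "licenses": find_license_issues(pins)}
```

Refusing unpinned requirements is deliberate: a dependency whose version floats cannot be matched against an advisory range, so the audit reports it instead of guessing.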
Data
Arguably this is a startup’s most important asset. How you access, transmit, process and store your data are all extremely important factors. Trust is perhaps the most important factor in startups’ relationships with consumers nowadays, and a big breach at an early stage could be enough to irreparably ruin a startup’s brand reputation. Founders should consider the following:
- How is your data transmitted between your customers and the backend?
- Is customer data encrypted end-to-end?
- Where is your data stored? Who has access to this data?
- Is your data at rest encrypted or unencrypted?
- How much PII (personally identifiable information) do you have access to, and how much of it is stored?
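The last two questions (who has access, and how much PII is stored) have a practical answer for secondary data stores such as analytics tables or support logs: store only the fields that store needs, and replace direct identifiers with keyed tokens so the raw value is not present at all. The following is an added example written for this article, not code from the original post or from Pixm. The key, the field policy and the sample record are constructed for the example; a real deployment would load the key from a secrets manager rather than from source.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed key for the example; a deployment would load it from a secrets
# manager and never check it into source control (assumption).
PSEUDONYM_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

# Assumed data-minimization policy for a secondary store (analytics, support logs):
# keep only the fields that store needs, and replace direct identifiers with tokens.
REQUIRED_FIELDS = {"email", "plan", "signup_month"}
PII_FIELDS = {"email", "phone", "date_of_birth", "ssn"}


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC token: stable for the same input, not reversible without the key."""
    normalized = value.strip().lower()
    return hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).hexdigest()


def minimize_record(record: Dict[str, str]) -> Dict[str, str]:
    """Drop fields the store does not need and tokenize the PII fields it does."""
    out: Dict[str, str] = {}
    for field, value in record.items():
        if field not in REQUIRED_FIELDS:
            continue  # never written to the secondary store at all
        if field in PII_FIELDS:
            out[field + "_token"] = pseudonymize(value)
        else:
            out[field] = value
    return out


def find_by_email(records: List[Dict[str, str]], email: str) -> List[Dict[str, str]]:
    """Look up by recomputing the token; the raw email is never stored or compared."""
    token = pseudonymize(email)
    return [r for r in records if hmac.compare_digest(r.get("email_token", ""), token)]


def count_pii_fields(record: Dict[str, str]) -> int:
    """How many raw PII fields a record still carries (the question the article asks)."""
    return sum(1 for field in record if field in PII_FIELDS)
```

A keyed token is a pseudonym, not anonymization: whoever holds the key can still link records to a person, so the key needs the same access control as the raw data would have had, and the primary account store (which has to email the customer) keeps the real address under its own controls.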
Infrastructure
Startups often make the critical mistake of overlooking the risks posed by the hardware element of their infrastructure. Your employees’ laptops, the intranet you use, your entire backend and the file storage systems you rely on together make up the hardware environment that hosts your company’s resources, and ultimately the environment on which your backend runs.
Keeping track of the different hardware and cloud elements that make up a startup’s infrastructure can be challenging, especially as teams grow, employees join and move on, and a startup begins to work with service partners and providers. To keep their infrastructure safe, founders need to ask themselves:
- Do you have only the necessary public-facing components on the internet and everything else on private IP space?
- Do you have a VPC set up that puts all non-internet-facing resources behind a VPN, so that only authorized people can access them?
- How are the public APIs set up to access the resources that sit behind the VPC?
- Are all your devices, VMs and other systems patched to the latest OS versions?
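The first two questions here, and the earlier question about access control on cloud storage, both come down to one check: what in the account is reachable by the whole internet. The following is an added example written for this article (not code from the original post, from Pixm, or from AWS) that runs that check offline over two constructed inputs: a response in the shape of EC2 DescribeSecurityGroups, and an S3 bucket policy document. It flags security-group rules open to 0.0.0.0/0 or ::/0 on ports other than 80/443, and policy statements that grant access to everyone. The bucket name, group ids and the allowed-port list are assumptions; the account id is AWS's documented example account.

```python
import ipaddress
import json
from typing import List, Tuple

# Constructed sample in the shape of an EC2 DescribeSecurityGroups response.
SECURITY_GROUPS = {
    "SecurityGroups": [
        {
            "GroupId": "sg-0000web",
            "GroupName": "web",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
        {
            "GroupId": "sg-0000db",
            "GroupName": "database",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                 "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
                {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            ],
        },
    ]
}

# Constructed S3 bucket policy (hypothetical bucket, AWS's documented example account id).
BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-customer-uploads/*"},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-customer-uploads/*"},
    ],
})

# Assumed policy: only these ports may be reachable from the whole internet.
ALLOWED_PUBLIC_PORTS = {80, 443}


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0 (prefix length zero)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_security_groups(response: dict) -> List[Tuple[str, str]]:
    """Return (group id, rule) for every rule open to the internet beyond the allowed ports."""
    findings = []
    for group in response["SecurityGroups"]:
        for perm in group["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(is_world_open(c) for c in cidrs):
                continue
            if perm["IpProtocol"] == "-1":  # all protocols, all ports
                findings.append((group["GroupId"], "all traffic"))
                continue
            low, high = perm["FromPort"], perm["ToPort"]
            if any(p not in ALLOWED_PUBLIC_PORTS for p in range(low, high + 1)):
                findings.append((group["GroupId"], f"{perm['IpProtocol']}/{low}-{high}"))
    return findings


def is_public_principal(principal) -> bool:
    """Principal '*' or {'AWS': '*'} means anyone, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def audit_bucket_policy(policy_json: str) -> List[Tuple[str, list, bool]]:
    """Return (statement id, actions, has_condition) for every Allow granted to everyone."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow" or not is_public_principal(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        # A Condition may narrow the grant (e.g. to one VPC endpoint); still report it for review.
        findings.append((st.get("Sid", "<no sid>"), actions, "Condition" in st))
    return findings
```

Against live data the same two functions would be fed the output of the provider's describe calls; the logic does not change, which is why the check is worth keeping in a scheduled job rather than running it once.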
Email and security
People remain the weakest link in a startup’s cybersecurity defenses. Despite increased vigilance, 90% of data breaches are still caused by human error.
Training your employees to flag suspicious emails and practice good ‘password hygiene’ is a good first step; however, be aware that studies have shown the majority of attacks exploit the human factor through creative and alluring tactics. Put simply, even if you train your staff, there is a good chance they may still be duped by hackers. This is why many founders are going for the safer option of using endpoint-based cybersecurity tools, which take the human risk element out of the equation by automatically blocking attacks.
Some important questions to ask are:
- Are you enforcing strong passwords?
- Do you have MFA set up for business email accounts?
- Has your team done phishing training?
- Do you have any extra email protection?
- Do you have some endpoint protection on your company devices?
- Are you using secure browsers?
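One piece of "extra email protection" in the list above that costs nothing but a DNS change is publishing SPF and DMARC records, so that mail forged in your domain's name is rejected by the receiving side instead of reaching a contractor or investor. The following is an added example written for this article, not code from the original post or from Pixm: it parses the two record types and reports the common weak settings (a permissive or missing SPF terminator, a monitor-only or missing DMARC policy). The domains and records are constructed and served from an in-memory table; a real check would query DNS, for example with the dnspython library, and pass that lookup in as the resolver.

```python
from typing import Callable, Dict, List, Optional

# Constructed DNS TXT data for hypothetical domains; a real check would query DNS
# instead of this in-memory table.
DNS_TXT: Dict[str, List[str]] = {
    "startup.test": ["v=spf1 include:_spf.mailprovider.test ~all"],
    "_dmarc.startup.test": ["v=DMARC1; p=none; rua=mailto:dmarc@startup.test"],
    "weak.test": ["v=spf1 +all"],
    # weak.test publishes no _dmarc record at all
    "strong.test": ["v=spf1 include:_spf.mailprovider.test -all"],
    "_dmarc.strong.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.test; pct=100"],
}


def lookup_txt(name: str) -> List[str]:
    """Stand-in resolver over the constructed table."""
    return DNS_TXT.get(name, [])


def parse_spf(records: List[str]) -> Optional[List[str]]:
    """Return the SPF mechanism list, or None if the domain publishes no SPF record."""
    for record in records:
        if record.lower().startswith("v=spf1"):
            return record.split()[1:]
    return None


def parse_dmarc(records: List[str]) -> Optional[Dict[str, str]]:
    """Return DMARC tags as a dict, or None if no DMARC record exists."""
    for record in records:
        if record.strip().upper().startswith("V=DMARC1"):
            tags: Dict[str, str] = {}
            for part in record.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def assess_domain(domain: str, resolver: Callable[[str], List[str]] = lookup_txt) -> List[str]:
    """List the gaps that let someone send mail that appears to come from `domain`."""
    findings: List[str] = []
    spf = parse_spf(resolver(domain))
    if spf is None:
        findings.append("no SPF record")
    else:
        terminal = spf[-1].lower() if spf else ""
        if terminal in ("+all", "all"):
            findings.append("SPF +all: any server may send as this domain")
        elif terminal == "~all":
            findings.append("SPF ~all: spoofed mail is only softfailed")
        elif terminal != "-all":
            findings.append("SPF does not end with -all")
    dmarc = parse_dmarc(resolver("_dmarc." + domain))
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        if dmarc.get("p", "").lower() == "none":
            findings.append("DMARC p=none: spoofed mail is reported but still delivered")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua reporting address")
    return findings
```

A `p=none` policy is the right place to start, because the aggregate reports show which legitimate senders would be affected; the finding is there so the domain does not stay there indefinitely.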
The frequency of cyberattacks is increasing, with more than half of small businesses in the US having suffered a breach within the last year and 40% having experienced multiple incidents.
However, despite the hard numbers telling them otherwise, the 2019 SMB Cyberthreat Study highlights that 66% of founders still believe they’re unlikely to be targeted by hackers and that 6 out of 10 have no digital defense strategy in place.
With 2020 set to be a record year for cyberattacks, it is up to founders to instill a cybersecurity culture in their team, audit their infrastructure’s weak spots, and ultimately pay for the right tools that can help them keep their IP, their data and their customers’ data safe.
After all, it can only take one breach to kill a startup, before they have even made it off the starting line.
* * *
Graduates of the Founder Institute are creating some of the world's fastest growing startups, having raised over $1.75BN in funding, and building products people love across over 200 cities worldwide.
See the most recent news from our Grads at FI.co/news, or learn more about their stories at FI.co/journey.