In the past year I had a pleasure working with a number of startups on improving their security posture. I would like to share some common pain points here and what to do about them.
Advising startups on security is not easy, as it tends to be a ‘wicked’ problem for a cash-strapped company – we often don’t want to spend money on security but can’t afford not to because of the potential devastating impact of security breaches. Business models of some of them depend on customer trust and the entire value of a company can be wiped out in a single incident.
On a plus side, security can actually increase the value of a startup through elevating trust and amplifying the brand message, which in turn leads to happier customers. It can also increase company valuation through demonstrating a mature attitude towards security and governance, which is especially useful in fundraising and acquisition scenarios.
Security is there to support the business, so start with understanding the product who uses it. Creating personas is quite a useful tool when trying to understand your customers. The same approach can be applied to security. Think through the threat model – who’s after the company and why? At what stage of a customer journey are we likely to get exposed?
Are we trying to protect our intellectual property from competitors or sensitive customer data from organise crime? Develop a prioritised plan and risk management approach to fit the answers. You can’t secure everything – focus on what’s truly important.
A risk based approach is key. Remember that the company is still relatively small and you need to be realistic what threats we are trying to protect against. Blindly picking your favourite NIST Cybersecurity Framework and applying all the controls might prove counterproductive.
Yes, the challenges are different compared to securing a large enterprise, but there some upsides too. In a startup, more often than not, you’re in a privileged position to build in security and privacy by design and deal with much less technical debt. You can embed yourself in the product development and engineering from day one. This will save time and effort trying to retrofit security later – the unfortunate reality of many large corporations.
Be wary, however, of imposing too much security on the business. At the end of the day, the company is here to innovate, albeit securely. Your aim should be to educate the people in the company about security risks and help them make the right decisions. Communicate often, showing that security is not only important to keep the company afloat but that it can also be an enabler. Changing behaviours around security will create a positive security culture and protect the business value.
How do you apply this in practice? Let’s say we established that we need to guard the company’s reputation, customer data and intellectual property all the while avoiding data breaches and regulatory fines. What should we focus on when it comes to countermeasures?
I recommend an approach that combines process and technology and focuses on three main areas: your product, your people and your platform.
Think of your product and your website as a front of your physical store. Thant’s what customers see and interact with. It generates sales, so protecting it is often your top priority. Make sure your developers are aware of OWASP vulnerabilities and secure coding practices. Do it from the start, hire a DevOps security expert if you must. Pentest your product regularly. Perform code reviews, use automated code analysis tools. Make sure you thought through DDoS attack prevention. Look into Web Application Firewalls and encryption. API security is the name of the game here. Monitor your APIs for abuse and unusual activity. Harden them, think though authentication.
I talked about building security culture above, but in a startup you go beyond raising awareness of security risks. You develop processes around reporting incidents, documenting your assets, defining standard builds and encryption mechanisms for endpoints, thinking through 2FA and password managers, locking down admin accounts, securing colleagues’ laptops and phones through mobile device management solutions and generally do anything else that will help people do their job better and more securely.
Some years ago I would’ve talked about network perimeter, firewalls and DMZs here. Today it’s all about the cloud. Know your shared responsibility model. Check out good practices of your cloud service provider. Main areas to consider here are: data governance, logging and monitoring, identity and access management, disaster recovery and business continuity. Separate your development and production environments. Resist the temptation to use sensitive (including customer) data in your test systems, minimise it as much as possible. Architect it well from the beginning and it will save you precious time and money down the road.
Every section above deserves its own blog and I have deliberately kept it high-level. The intention here is to provide a framework for you to think through the challenges most startups I encountered face today.
If the majority of your experience comes from the corporate environment, there are certainly skills you can leverage in the startup world too but be mindful of variances. The risks these companies face are different which leads to the need for a different response. Startups are known to be flexible, nimble and agile, so you should be too.
My book has been translated into Persian by Dr. Mohammad Reza Taghva from Allame Tabatabaee University and Mr. Saeed Kazem Pourian from Shahed University. Please get in touch if you would like to learn more.
Augusta University’s Cyber Institute adopted the book “The Psychology of Information Security” as part of our Masters in Information Security Management program because we feel that the human factor plays an important role in securing and defending an organisation. Understanding behavioural aspects of the human element is important for many information security managerial functions, such as developing security policies and awareness training. Therefore, we want our students to not only understand technical and managerial aspects of security, but psychological aspects as well.
We live in the developed world where it is now finally safe to walk on the city streets. Police and security guards are there to protect us in the physical world. But who is watching out for us when we are online?
- Cyber crime and state-sponsored attacks are becoming more and more common. Hackers are now shifting their focus form companies to the individuals. Cars, airplanes, smart homes and other connected devices along with personal phones can be exploited by malicious attackers.
- Online reputation is becoming increasingly more important. Potential business partners conduct thorough research prior to signing deals. Bad reputation online dramatically decreases chances to succeed in business and other areas of your life.
- Children’s safety online is at risk. Cyber-bullying, identity theft; with a rapid development of mobile technology and geolocation, tracking the whereabouts of your children is as easy as ever, opening opportunities for kidnappers or worse.
A one-stop-shop for end-to-end protection of online identity and reputation for you and your children.
A platform of personalised and continuous online threat monitoring secures you, your connections, applications and devices and ensures safety and security online.
Image courtesy ofwinnond / FreeDigitalPhotos.net
I was recently asked to develop a two-day tabletop cyber wargaming exercise. Here’s the agenda.
Please get in touch if you would like to know more.
Module 1: What is Business Wargaming?
How Does Business Wargaming Work?
Module 2 Cyber Fundamentals
- Practical Risk Management
- Problems with risk management
- Human aspects of security
- Conversion of physical and information security
- Attacker types and motivations
- Security Incident management
- Security incident handling and response
- Crisis management and business continuity
- Cyber security trends to consider
Module 3: Introducing a Case Study
- Company and organisational structure
- Processes and architecture
Module 4 Case study exercises
- Case study exercise 1: Risk Management
- Case study exercise 2: Infrastructure and Application Security
Introducing a wagaming scenario
Roles and responsibilities
Simulated exercise to stress response capabilities
The scenario will be testing:
- How organisations responded from a business perspective
- How organisations responded to the attacks technically
- How affected organisations were by the scenario
- How they shared information amongst relevant parties
Feedback to the participants
Course wrap up
Image courtesy zirconicusso / FreeDigitalPhotos.net
Implementing cutting-edge technology solutions is not the only way to combat cyber threats. Seemingly mundane administrative tasks such as network infrastructure hardening could yield greater results in terms of risk reduction.
I ran a remediation project for a major blue chip company, which successfully removed over 8,000 unused firewall rules.
Such projects can be complex and require a rigorous process to be designed to ensure that no active rules are removed. For example, a period of monitoring and subsequent hypercare ensured that only a few rules were reverted back to production after being indicated as “unused”. Proactive stakeholder engagement was key in completing the work ahead of schedule and under budget.
As a result, the project improved network security by eliminating the chance an attacker can exploit a weak unused firewall rule. Moreover, the number of rules on the firewalls was cut by half, which made it easier and cheaper to monitor and manage.
Image courtesy renjith krishnan / FreeDigitalPhotos.net