If you’re a problem solver, being part of a startup can be an exceptionally rewarding experience. Good entrepreneurs have a laser focus on solving customer problems, but unfortunately, following good data security practices often does not make it onto the radar of product and service designers.
We see both big and small companies make rather trivial data security design mistakes that have dire and expensive consequences. Some recent security blunders include BMW’s encryption vulnerability, which allowed hackers to remotely unlock and start cars; Brink’s digital safe design flaw, which can allow a hacker to open a safe without any physical force; and the very sad Code Spaces story, which led to the complete destruction of their business.
Having built three different software products in my career, I can assure you that building a product with security as part of the initial design is easier than trying to integrate proper security processes later on in the product’s development lifecycle.
I was fortunate enough to join a great security company after college, so I learned a lot of these best practices early on in my career. Below are five simple pieces of data security advice to help you cost effectively prevent a data breach at your startup:
- Strong passwords: We hear that we need a strong
password all the time, but we don’t always get simple advice on how to
achieve this. The generally accepted technical advice is to have a
password that is at least 15 characters long with special characters. An
easy way to accomplish this is to use a memorable sentence with
punctuation as your password, e.g. “I enjoyed visiting the arcade @
Nathans when I was 12!”
- Two-factor authentication: Most of your cloud
service providers can require more than a password for you to gain
access to the given cloud service. For instance, Dropbox can require
that you enter a unique code sent to you as an SMS text message every
time you log in to the website, and Amazon Web Services allows you to
use a separate application to generate a unique code every time you log
in to their console. You have to bear in mind that the burden is on you
to use this security feature, as most cloud service providers make it
optional. The Code Spaces story is a perfect example where two-factor
authentication would have prevented a disaster, and Code Spaces cannot
blame anyone except themselves. If you have a cloud service provider
that stores sensitive data, or if their service is critical to your
business, you should demand that they have this security feature. I
recently dropped an infrastructure as a service provider for this exact
- Separate security and administration: The security
concept is that you have two people managing different aspects of your
IT infrastructure, so both people need to be compromised in order for
you to suffer a breach. For example, you can have an IT administrator
who can manage your systems by setting up new software for users, but he
or she cannot add or manage the users; a separate security
administrator is the only person who can manage users. I understand that
at a startup it may be hard to find two people for these separate
duties, so in that case, set up two logins for these purposes. I
personally have a separate login ID for my cloud services for the
purpose of managing security policies and another login ID with limited
privileges for my daily use.
- Encrypt your data: Encrypt everything that you
consider sensitive, and make sure you use SSL for any and all
communication for your products. BMW had a rather embarrassing data
security incident since their cars did not communicate to their servers
via SSL. Also, employ full-disk encryption and file encryption for
laptops and mobile devices that may have sensitive data. For example, if
you store sensitive data in Dropbox or similar services, search for a
third-party encryption solution to encrypt those files. By getting
another company to encrypt the data in that given cloud, you are
following step #3 above, and a breach within the cloud storage provider
will not lead to a breach of your data.
- Talk to your customers about their security requirements:
You probably already have a conversation going on with potential
customers about how your new product will make their lives easier. Ask
them what they require from you with regards to you internal and product
related security practices. If you’re catering to a regulated industry
like healthcare or finance, your customers will definitely have a
compliance officer who can help you in this regard. At AlertBoot, we are
constantly getting new customers in healthcare-related fields who are
required to get our encryption services, since the compliance officers
are educating their vendors about this HIPAA-related requirement.
This can all seem like unnecessary overhead when you’re trying to grow your business, but protecting all of your hard work should be a priority. I often advise customers to try to work their data security practices into their sales conversation as a way to assure your prospective customers that you have their best interests in mind. You’ll be pleasantly surprised how well this can work.
Much like electricity, hackers usually take the path of least resistance when it comes to stealing your data or disrupting your systems. The above tips will help make it more difficult for a hacker to penetrate your systems, and in many cases, the hacker will move on to the next potential victim. Most of the data breaches you hear about in the news are preventable, but you should also make data security education part of the ongoing growth plan for your business as the technology landscape is constantly changing.