It’s not a matter of if your company will be breached but when, and for newly established companies and startups the when may be sooner rather than later.
Startups are being established across industries and come in many different sizes. Regardless of whether they are in year 2 or year 5 of their existence, in their Series A round or their Series C round, they often fail to develop a mature and sufficient information security program. It could be due to a perceived lack of resources or time. Or it could be that the founders are laser focused on their company’s growth, and security is thought of as a burden rather than a necessity.
We saw a lot of high profile hacking and breaches in 2014, and experts believe 2015 will be an even better year for the hackers. Not only are big, established companies getting attacked; hackers often target small startup companies as well. These startups make easy game: very innovative ideas and precious data, poorly protected.
Though not exhaustive, here is a list of key items to help you put together an information security program that raises the security bar to defend your intellectual property and valuable data. These items can help you manage and reduce the information security risk you face, and more than likely help protect your reputation.
- Know your data.
Know what it is. Know where it is. Keep an inventory of your data. Know who has access to your data and what they can do with it. Classify your data. This is not a one-time effort. The inventory must be kept close to real-time, especially if you’re dealing with mostly sensitive data, because every new customer, integration, or export moves data somewhere new. If you don’t know your data, how are you going to protect it? If your industry is regulated, you have to be on top of this. Really!
Nothing turns away investors faster than a company that does not understand its regulatory requirements and nothing will doom you with consumers like mishandling their data.
- Know all your hardware and software.
Make sure you keep an active inventory of all of your hardware and software. If you have to use a spreadsheet to track it at first, that’s still better than nothing at all. Knowing your hardware is essential to knowing where your data is. Do not allow users to install software on their own. Create a standard set of hardware and software permitted in your startup. This will enhance productivity, reduce cost, and allow you to control what hardware and software enters your environment.
- Know all who have access to your data and your organization.
Keep a tight grip on user account administration. Accounts need to be created and, above all, terminated in a very timely manner. Employee accounts are usually terminated through HR and IT procedures that fire when HR processes the departure. In many organizations the weakness has always been consultants and temp workers: they are not in the HR system, so nothing triggers their termination when their engagement ends.
The same procedures that are used for employees are seldom applied to contractors and temps. Make sure that all terminations follow exact procedures and checklists, whether it is an onsite worker or a remote worker halfway across the globe, and reconcile the accounts that exist against the people who should have them on a regular schedule, so that an account nobody terminated is caught anyway. You’re a startup, so presumably your headcount is small and keeping track of the workforce should not be difficult. If you need to let go of a key employee who has lots of access, consider having someone disable their account while they are having their exit interview with the CEO or HR. The last thing you want is someone with an axe to grind having an active account.
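The reconciliation described above, as an added example that is not part of the original post: it compares a roster that covers employees and contractors (with engagement end dates) against the enabled accounts exported from the identity provider, and reports every account that should be disabled and why. The roster and account lists are constructed sample data; the field names and the 60-day dormancy threshold are assumptions for the example, not anything the post prescribes.

```python
"""Reconcile identity-provider accounts against an HR/contractor roster.

Added example, not code from the original post. Assumes two exports any small
company can produce: a roster listing employees AND contractors/temps with an
end date, and the list of accounts from the identity provider (IdP) or
directory. All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Worker:
    email: str
    kind: str                   # "employee" or "contractor" (assumed roster field)
    end_date: Optional[date]    # None while still engaged


@dataclass(frozen=True)
class Account:
    email: str
    enabled: bool
    last_login: Optional[date]  # None if the account has never logged in


# Constructed sample roster: one leaver, one contractor whose engagement ended.
ROSTER: List[Worker] = [
    Worker("alice@example.com", "employee", None),
    Worker("bob@example.com", "employee", date(2015, 3, 13)),      # left last week
    Worker("carol@example.com", "contractor", date(2015, 2, 28)),  # engagement over
    Worker("dave@example.com", "contractor", date(2015, 6, 30)),   # still engaged
]

# Constructed sample IdP export: nobody remembered to disable bob or carol,
# and two accounts have no roster entry at all.
ACCOUNTS: List[Account] = [
    Account("alice@example.com", True, date(2015, 3, 19)),
    Account("bob@example.com", True, date(2015, 3, 18)),
    Account("carol@example.com", True, date(2015, 3, 17)),
    Account("dave@example.com", True, date(2015, 3, 19)),
    Account("svc-backup@example.com", True, date(2015, 3, 19)),  # unowned service account
    Account("erin@example.com", True, date(2014, 12, 1)),       # orphaned and dormant
]


def reconcile(roster: List[Worker], accounts: List[Account], today: date,
              dormant_days: int = 60) -> Dict[str, str]:
    """Return {email: reason} for every enabled account that should be disabled.

    Checks, in order: account has no roster owner; owner's engagement has
    ended (employee or contractor alike); account is dormant.
    """
    by_email = {w.email: w for w in roster}
    findings: Dict[str, str] = {}
    for acct in accounts:
        if not acct.enabled:
            continue  # already terminated; nothing to do
        worker = by_email.get(acct.email)
        if worker is None:
            findings[acct.email] = "no roster entry (orphaned or unowned service account)"
        elif worker.end_date is not None and worker.end_date <= today:
            findings[acct.email] = (f"{worker.kind} ended {worker.end_date.isoformat()} "
                                    "but account is still enabled")
        elif acct.last_login is None or (today - acct.last_login).days > dormant_days:
            findings[acct.email] = f"dormant: no login in {dormant_days} days"
    return findings


if __name__ == "__main__":
    for email, reason in sorted(reconcile(ROSTER, ACCOUNTS, date(2015, 3, 20)).items()):
        print(f"DISABLE {email}: {reason}")
```

Run it weekly against fresh exports and the output is the termination checklist nobody had to remember to start. The orphan check fires before the dormancy check on purpose: an account with no owner is a finding even if it logged in yesterday.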
- Hire a CISO.
There is a dire shortage of these professionals and yes, they are costly! But don’t let that stop you. Look and ask around and you’ll find knowledgeable professionals who have managed and run Information Security shops. You want to find a leader who’s willing to be hands-on but you also need to find one who can shape your Information Security program to best fit your business needs – someone who can work well with your business folks.
- Encryption, encryption, encryption.
If your laptops (or desktops) contain sensitive data and that data is not encrypted, then you’re playing Russian roulette. You need to make sure all laptops are encrypted, meaning the entire hard drive and not just selected folders; a partition or home directory that was left outside the encrypted volume defeats the purpose. Do you know which of your laptops have sensitive data? Since you can never be sure who will copy what onto a laptop, encrypt them all. It is worth the expense. Keep in mind what this buys you: full-disk encryption protects data at rest on a device that is lost or stolen while powered off or locked, and does nothing against malware running on a machine someone is logged into, so it complements patching rather than replacing it. Escrow the recovery keys somewhere central, or a forgotten passphrase becomes its own data loss incident.
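A check for the “entire hard drive, not just selected folders” point, as an added example that is not part of the original post. On Linux, `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints the block-device tree as JSON, and a dm-crypt/LUKS container appears as a node of type `crypt`; a mounted filesystem is covered by full-disk encryption only if some ancestor in that tree is such a node. The JSON below is constructed sample output, not taken from a real host, and the set of mountpoints allowed to be plaintext is an assumption for the example (the boot loader needs `/boot`).

```python
"""Flag mounted filesystems that are not on an encrypted block device.

Added example, not code from the original post. Consumes the JSON tree
produced by `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` on Linux. The tree
below is constructed: the root filesystem lives inside a LUKS container,
but /home was carved out onto a plain partition, which is exactly the
"selected folders" mistake the post warns about.
"""
import json
from typing import Dict

SAMPLE_LSBLK = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
    {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}
    ]},
    {"name": "sda3", "type": "part", "fstype": "ext4", "mountpoint": "/home"}
  ]}
]}
""")

# Assumed policy: only the boot loader's filesystems may sit outside encryption.
ALLOWED_PLAINTEXT = frozenset({"/boot", "/boot/efi"})


def unencrypted_mounts(tree: dict, allowed=ALLOWED_PLAINTEXT) -> Dict[str, str]:
    """Return {mountpoint: device} for every mount with no encrypted ancestor.

    Swap (shown by lsblk as the pseudo-mountpoint "[SWAP]") is deliberately
    not exempted: unencrypted swap can hold pages of sensitive memory.
    """
    findings: Dict[str, str] = {}

    def walk(node: dict, under_crypt: bool) -> None:
        under_crypt = under_crypt or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint and not under_crypt and mountpoint not in allowed:
            findings[mountpoint] = node["name"]
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in tree.get("blockdevices", []):
        walk(device, False)
    return findings


def fde_ok(tree: dict) -> bool:
    """True when every mount outside the allowed set is on an encrypted device."""
    findings = unencrypted_mounts(tree)
    for mountpoint, device in sorted(findings.items()):
        print(f"FAIL: {mountpoint} on {device} is not on an encrypted device")
    return not findings


if __name__ == "__main__":
    # On a real host, replace SAMPLE_LSBLK with:
    #   json.load(sys.stdin)   after   lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT | python3 fde_check.py
    raise SystemExit(0 if fde_ok(SAMPLE_LSBLK) else 1)
```

Because the script walks ancestors rather than looking at the filesystem type of the mount itself, it correctly passes LVM volumes stacked on top of a LUKS container and correctly fails a plain partition that happens to share a disk with one. A non-zero exit status makes it easy to wire into whatever runs on your laptops already.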
- Get an information security policy.
Make sure it is properly aligned with standards such as ISO 27001/27002, your industry regulations, industry standards, as well as your business plans and needs. (Need help determining what should be in your policy? See above, #4. Hire a CISO.) Once you have the policy, make sure it is reviewed and updated at least annually. Present it to all employees. Everyone needs to be aware of what this policy is. It is the foundation of your information security program.
- Know your vendors.
Know which of your vendors have access to your building, to your data, and to your network. Know what they can do with your data. Do you know whether there are fourth-party service providers (your vendors’ own vendors) that have access to your data? How much control do you have over these fourth-party providers?
Make sure your contracts are well aligned with your information security policy and at least with your minimum security requirements. Make sure there is a confidentiality clause in every contract for vendors who will have access to your data. This too is not a one-time effort but must be an ongoing monitoring effort.
- Secure your OS. Secure your applications. Secure your network.
OS and application patch management, vulnerability assessments, and network and application penetration testing are items that must be penciled in on your calendar and announced to the user community as needed. This reserved weekly and/or monthly window to patch, remediate, and test on a regular basis is crucial to protecting your data. (Need help developing an effective patching program? See above, #4. Hire a CISO.)
Constant postponement and/or cancellation of these windows will only weaken your layered defenses, making it harder and harder to catch up on patches and remediation. Hackers love to use malware as their vehicle to penetrate your organization, and unpatched software is the opening that malware exploits. Do you want to provide them with that opportunity?
- It’s not if but when.
That’s what the experts say about your business getting breached. Often startups are breached and never know it until it’s too late, or never know at all. Or do you think that hackers and the competition, inside and outside our borders, would pick only on large companies? If you’ve got data to protect, it’s better to develop an incident response program, with policy, procedures, and management, and be as ready as you can for that awful day.
Don’t think that because you are not a large company storing millions of credit card numbers that you cannot be hacked. Ransomware infecting a crucial machine and locking up irreplaceable data can be expensive and devastating.
- Security is everyone’s business.
Make it an agenda item at your meetings. HR, Legal, and Audit need to be fully engaged. The C-level executives must buy in fully to this plan for it to be a success. Keep it on their radar. The language you use with the executives is extremely important. It’s not the technical details the executives want to hear about, but how a breach affects their business and the bottom line.
User awareness, starting with the boardroom, needs to be kept high and constant using all mechanisms to do so. (Need help designing an effective security awareness program? See…well you get the idea.) Thanks to Target, Home Depot, and Sony, you will not have to convince many these days! The awareness is high so make sure you ride the wave.