No one sees the need for insurance when life is going well. In fact, we often complain about paying monthly premiums on something that we'll "never need anyway." But once that car wreck, house fire or flood happens, we're thankful we have the policy. Many startups view security in the same light as flood or fire insurance; it doesn't get the same love that building an application or growing the company gets. But every day that startup founders neglect security is another day they're exposing themselves to serious risk.
A security breach can sink a startup in the early stages of development. While your company may offer an amazing product that brings something novel to the market, one security blunder could steal all the attention from driving innovation. Adopting some basic security measures may not only repel would-be intruders, but if you do suffer a breach, your user base may be more accepting after seeing the measures you took to keep your environment secure. Here are several ways that startups can think about security from the start.
Protecting Customer Data
A former Racker once told me that "making the data useless" is the secret to securing sensitive data. Obviously, every company is going to store some information that isn't worth much. If you run a travel site you might not care to securely store the cost to fly from Philly to DC.
Protecting customer and employee data, on the other hand, is critical for a startup's success. Data loss in the early days of a company's existence can tarnish its reputation for years. Many companies will look to encryption as a first step in protecting data, but consider ways to obfuscate your sensitive information to make it even more difficult to steal. You can shard large chunks of data into smaller pieces and store them in different locations or use one-way hashes to store data that you only plan to use for comparisons. A determined attacker will probably be able to piece the shards back together, but your average opportunistic hacker may search for an easier target.
Storing passwords securely is a topic that starts many arguments. One of the biggest risks is that someone could steal your password hashes and begin attacking them with modern GPUs or widely available rainbow tables. To make that process more difficult, use salting along with stronger password storage methods like PBKDF2. This slows brute force attacks and reduces the chance that an attacker can determine a user’s password.
Use Known Development Frameworks
I know that this point will draw a lot of criticism from people who say, "I don't use frameworks because they always seem to have known vulnerabilities." This may be true - anything that is widely used will get attacked more frequently.
However, a major advantage of using known frameworks is not simply the software, but also the community that supports it, which can rapidly respond to attacks and patch security issues. Take WordPress as an example. Its community of developers responds quickly to vulnerability reports and releases updated versions that can be easily installed by administrators. If you write a custom CMS application yourself, you might not know when issues arise. Even if you find a vulnerability, you will have to manually adjust and audit your own code. This means that you're taking resources away from your product to assign them to deal with the problem. Leveraging a community of developers makes it easier to focus on your core product and less on the frameworks that enable it.
Securing offices, workstations and laptops is also critical to a startup's success. The intellectual property of a startup can quickly be compromised via physical access even if there isn't a central office. There have been several prominent news stories about a thief stealing an office full of unencrypted laptops when a startup team left for lunch. Other reports center around remote workers who forget to keep tabs on their laptops at coffee shops and airports.
Some thieves will just want the devices for their resale value, but theft is increasingly tilting more towards corporate espionage. In startup-rich cities like Austin and San Francisco, stolen devices are valued more for the data they hold rather than the hardware itself.
Take Care Where You Store Sensitive Documents
Every company needs to share data among employees. Deciding on a provider for document collaboration should be a thorough process. Find out if the company is liable for losing your data, whether they can access your files and even if you retain ownership after uploading information to the service. Ask some critical questions around two-factor authentication and data encryption.
Furthermore, examine the process for automating user access to the file storing service. You don't want to be caught in a situation where a disgruntled employee suddenly leaves the company and you don't have a quick way to remove their access.
Why Security Is Not Like Insurance
Like insurance, security is about protecting yourself from unwanted circumstances. But that's about where the similarities end. While insurance pays out in money, security pays out in customer trust. Money can buy some trust, but it's horribly inefficient.
To keep your insurance intact all you need to do is keep paying the premium. Security, meanwhile, is a habit, a discipline. For startups and established companies alike, encrypting or shredding data is never going to be as fun as building an app or launching a website, but it's a necessary chore. When users lose faith in the security and privacy of the data they hand over to you, they lose faith in your company, your application and your ideas.