If you’re a problem solver, being part of a startup can be an exceptionally rewarding experience. Good entrepreneurs have a laser focus on solving customer problems. But unfortunately, following good data security practices often does not make it onto the radar of product and service designers.
We see both big and small companies make rather trivial data security design mistakes that have dire and expensive consequences. Some recent security blunders include BMW’s encryption vulnerability, which allowed hackers to remotely unlock and start cars; Brink’s digital safe design flaw, which can allow a hacker to open a safe without any physical force; and the very sad Code Spaces story, which led to the complete destruction of their business.
Having built three different software products in my career, I can assure you that building a product with security as part of the initial design is easier than trying to integrate proper security processes later on in the product’s development lifecycle.
I was fortunate enough to join a great security company after college, so I learned a lot of these best practices early on in my career. Below are five simple pieces of data security advice to help you cost-effectively prevent a data breach at your startup:
- Set strong passwords: We hear that we need a strong password all the time, but we don’t always get simple advice on how to achieve this. The generally accepted technical advice is to have a password that is at least 15 characters long with special characters. An easy way to accomplish this is to use a memorable sentence with punctuation as your password, e.g. “I enjoyed visiting the arcade @ Nathans when I was 12!”
- Enforce two-factor authentication: Most of your cloud service providers can require more than a password for you to gain access to the given cloud service. For instance, Dropbox can require that you enter a unique code sent to you as an SMS text message every time you log in to the website, and Amazon Web Services allows you to use a separate application to generate a unique code every time you log into their console. You have to bear in mind that the burden is on you to use this security feature, as most cloud service providers make it optional. The Code Spaces story is a perfect example where two-factor authentication would have prevented a disaster, and Code Spaces cannot blame anyone except themselves. If you have a cloud service provider that stores sensitive data, or if their service is critical to your business, you should demand that they have this security feature. I recently dropped an infrastructure as a service provider for this exact reason.
- Separate security and administration: The security concept is that you have two people managing different aspects of your IT infrastructure, so both people need to be compromised in order for you to suffer a breach. For example, you can have an IT administrator who can manage your systems by setting up new software for users, but he or she cannot add or manage the users; a separate security administrator is the only person who can manage users. I understand that at a startup it may be hard to find two people for these separate duties, so in that case, set up two logins for these purposes. I personally have a separate login ID for my cloud services for the purpose of managing security policies and another login ID with limited privileges for my daily use.
- Encrypt your data: Encrypt everything that you consider sensitive, and make sure you use SSL for any and all communication for your products. BMW had a rather embarrassing data security incident since their cars did not communicate to their servers via SSL. Also, employ full-disk encryption and file encryption for laptops and mobile devices that may have sensitive data. For example, if you store sensitive data in Dropbox or similar services, search for a third-party encryption solution to encrypt those files. Getting another company to encrypt the data in that given cloud means you are following the step above, and a breach within the cloud storage provider will not lead to a breach of your data.
- Talk to your customers about their security requirements: You probably already have a conversation going on with potential customers about how your new product will make their lives easier. Ask them what they require from you with regards to you internal and product-related security practices. If you’re catering to a regulated industry like healthcare or finance, your customers will definitely have a compliance officer who can help you in this regard. At AlertBoot, we are constantly getting new customers in healthcare-related fields who are required to get our encryption services, since the compliance officers are educating their vendors about this HIPAA-related requirement.
This can all seem like unnecessary overhead when you’re trying to grow your business, but protecting all of your hard work should be a priority. I often advise customers to try to work their data security practices into their sales conversation as a way to assure your prospective customers that you have their best interests in mind. You’ll be pleasantly surprised how well this can work.
Much like electricity, hackers usually take the path of least resistance when it comes to stealing your data or disrupting your systems. The above tips will help make it more difficult for a hacker to penetrate your systems, and in many cases, the hacker will move on to the next potential victim. Most of the data breaches you hear about in the news are preventable, but you should also make data security education part of the ongoing growth plan for your business as the technology landscape is constantly changing.