Your Startup Should Think About Security From the Beginning
We live in the age of data where storage is a cheap commodity and data is of inestimable value. This means that you’re going to store the relevant data that will prop up your company for whatever it needs to build later -- and everyone will be cool with that.
The problem is that this abundance of data, collected largely from companies that don’t know how to store it properly, is why we're seeing headlines every month about another major data breach.
What you may not realize is that such breaches happen a lot. The occurrence rate is pretty much every day when you figure in companies that aren’t newsworthy or don’t even know they’ve been hacked.
When a big retailer is breached, that event immediately causes a loss of trust with the company's customer base. On top of that, the company can be sued by customers who have been damaged.
If this happened to your startup, what would it cost you? Could you afford a class action lawsuit the way a Fortune 500 company could? Could you afford to lose the trust you worked so hard to build with your customers? What would happen if your proprietary information, algorithms or formulas were stolen and sold to the competition?
Horrible things, no doubt.
This illustrates how many startup founders aren’t security oriented. Even tech founders usually lack experience in security. And this is a potentially fatal mistake. The decisions you make in the first round of building your company can affect your next funding round or that big exit that you’ve been dreaming about.
With all of this doom and gloom, however, there is still a silver lining. And that "lining" is that it's pretty easy to get a basic level of protection on all of your digital assets from day one.
First, it's important to learn about the most valuable piece of data for a hacker: PII. PII, or personally identifiable information, is exactly what it sounds like. It’s what ties your customers' names to a phone number, email address, mailing address, etc. This is the first thing that should be protected. Generally, it should be hidden as deeply as you can manage.
This can be done by encrypting, "hashing" if you only use the data for verification or just not storing it at all if you don’t need it! If you block this sensitive information out, a hack will be much less valuable. If you have to store it, there are some basic steps to take to make sure it’s safe and sound.
Encrypt data at rest.
When your data is resting in your database or in a file somewhere, you should encrypt it. With a solid encryption plan, like AES-256, in place, you need a decryption key to see any of the data. If someone gains physical access to your files or database, he or she could be in trouble without that key.
"Hash" and "salt" all passwords.
For data that is only sent to you and isn't from you -- like a password -- store it with a one-way encryption called "hashing." This way, if someone steals the stored password, he or she can’t easily decrypt and use it. There's a bonus if you add some text to the password before you store it -- called "salting." This makes it even harder to find out what the password is.
Secure data in transit.
This is the lowest-hanging fruit by far. HTTPS or SSL connections (that green padlock on the left of the address bar in your browser) will encrypt all data that is in transit between you and your customers. If someone intercepts it and steals it, he or she will have a hard time getting any value from it at all.
If your valuable data is safe from being used if stolen, you’re looking good. To look great, make sure your servers can’t be breached at all. This involves securing your code, as well. In order to secure your code, you need to lock down the common vulnerabilities.
Avoid "cross-site scripting."
This attack occurs when someone is able to inject some code straight into your database or onto your server.
Avoid cross-site request forgeries.
These attacks occur when someone steals a form off your page, customizes it and uses it to perform some action that the thief isn't authorized to perform. An example would be changing an admin password.
If you are using Wordpress to power your web technology, you’re in luck. There is a plugin called BulletProof Security (BPS) that solves most of this problem for you. If you don't have Wordpress, get a pro to scan and fix these issues for you as soon as possible, because they are serious. There is also a pretty handy tool called CloudFlare that will stop many of these attacks before they ever reach your servers. I always recommend both, where applicable.
The human side of hacking
It’s important to realize that behind every security breach, behind every hack, there are people. These are both people who are trying to get access and people who are letting them in. So, be overly cautious in your business. Change passwords regularly and require only authorized personnel to be near computers and documents.
Don’t leave that new delivery person alone at the front desk. His presence probably isn't a big deal, but he just might be trying to hack you and leaving him alone provides that window of opportunity.
What it all boils down to is a security mindset. You need to be consciously thinking about security and training your team to be mindful of it at all times: not just for your company, not just for your team, but for your customers too. This is important for everyone.
Following through on these points is generally enough to thwart most hackers. Add these actions with a security-first mindset and your empire is likely to be safe and sound. Your app can thrive. Your software will be secure. Your customers will trust you. Your data will be safe.
Getting your office, data, code and servers locked down early will save you from a world of hurt later on down the line. What are you doing right now to make sure your hard work isn’t taken down by some faceless hacker?