Security for Startups: Protection on a Budget
The Woerndle brothers, Carl and Alex, founded Distribute.IT in 2002 and experienced the various phases of growth. After successfully scaling their company over nine years, they had roughly 30,000 clients who paid them on a recurring basis. It was the kind of business story everybody wants -- until it wasn't.
On June 3, 2011, Carl Woerndle received a chilling phone call. Distribute.IT's network had been breached. The brothers and their team quickly scrambled to repair the damage, but it was too late. They worked 72-hour sessions more than once, trying to restore the network to normal. But the Woerndle brothers ultimately faced the unavoidable truth: A single breach had cost them their business.
Even worse, the Woerndles' story isn't an isolated incident. Another entrepreneur's company generated about $1 million in annual revenue, and his wife ran a childcare business on the side. One day, a disgruntled employee hacked his website, stole customers' email addresses and contacted customers with the false information that the business was a front. The employee accused the couple of using the childcare center as a means to enable pedophiles to exploit the young boys and girls there. The incident cost the couple both businesses.
Understand the risks.
Many startups are obsessed with getting funding, marketing, garnering press, boosting sales and increasing conversions. Most small-business owners devote little or no attention to security. It's a dangerous mistake.
According to John Mason from TheBestVPN.com, “The most important concern of any startup should be security. Research shows that at least 50 percent of Americans will be hacked and that about 70 percent of businesses are hacked each year. Not preparing for something like that could have lasting effects.”
If your website is hacked, you could be left with serious damages. Here are a few of the most notable.
A dead business you're unable to revive. The U.S. National Cyber Security Alliance reports 60 percent of businesses that suffer a hack attempt do not survive the next six months.
A damaged brand. Major brands such as Yahoo! and Sony survived hacks because they're so integrated in people's lives. Your small business probably doesn't stand the same chance. Once your brand sustains serious damage, it's most likely damaged forever.
Financial troubles. It’s especially tough for startups to weather a hack. Security breaches cost a lot of money to fix. Sony spent around $170 million to clean things up after the infamous PlayStation Network hack in 2011. To make matters worse, your business won't generate any revenue during the hack or its immediate recovery period.
Even with all this compelling information, many companies do nothing about security. Small-business owners often feel powerless to protect themselves, and their leaders reason that their limited finances are better spent elsewhere. After all, Sony, Yahoo and federal government agencies spend hundreds of millions of dollars on security and still get hacked. What chance does the little guy have?
More than you might think, actually. Starting with the ground-level safeguards at least will protect you from basic, less-sophisticated hackers. Don't let your company be the low-hanging fruit.
Get cyber insurance.
Most people don't realize this exists. Don't assume your company's standard insurance coverage protects anything beyond your physical storefront and its inventory. More often than not, you need a specialized policy to shelter your digital assets -- your network and the information it contains. Cyber insurance will protect you from several liabilities that could arise in the day-to-day of running your business as well as the unfortunate event you are the victim of a digital attack.
Regularly change logins.
A disgruntled employee brought down two businesses owned by the married couple described above. This family's assets would have stood a much better chance if the primary business had implemented a policy that regularly required two things: new login credentials from key users and removal of users who no longer worked with the company.
Constantly require (don’t “recommend”) employees change their login details. Kick out redundant users, and suspend access for any employee who leaves your company -- the very day that employee leaves.
Review your BYOD policy.
If at all feasible, make it impossible to access key parts of your server without using company equipment -- no more bring-your-own-device leniency. Computers, smartphones, tablets and other devices should be thoroughly vetted, protected and used only for business-related matters.
Enable multi-party authorization.
Actions of disgruntled or compromised employees account for a significant percentage of compromised websites, especially once the technical safeguards are solid and an insider becomes the easiest way in. Even the infamous eBay hack that resulted in the loss of 145 million users' information was possible only because a few key employees were compromised. Enabling multi-party authorization gives you more robust protection in the event of a hack. These systems make it impossible for a single employee to carry out certain key actions without authorization from other key team members. If a single employee is compromised, that alone is not enough to carry out those actions against your business.
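As an added illustration (not code from the original article), the small Python gate below implements the multi-party idea described above and the offboarding rule from the "Regularly change logins" section: a sensitive action such as exporting the customer mailing list runs only after a set number of distinct approvers, none of whom is the requester, sign off within a time window, and revoking a departed user voids any approval they gave. The action names, approver roster and time values are constructed.

```python
import time
from dataclasses import dataclass, field

class ApprovalError(Exception):
    """Raised when a request cannot be approved or executed."""

@dataclass
class PendingAction:
    action: str        # hypothetical action name, e.g. "export_customer_emails"
    requester: str
    created: float
    approvals: set = field(default_factory=set)

class MultiPartyGate:
    def __init__(self, approvers, required=2, ttl_seconds=3600):
        self.approvers = set(approvers)  # constructed approver roster
        self.required = required         # distinct approvals needed
        self.ttl = ttl_seconds           # how long a request stays valid
        self.pending = {}
    def _get(self, request_id, now):
        p = self.pending.get(request_id)
        if p is None:
            raise ApprovalError("unknown request")
        if now - p.created > self.ttl:  # stale requests are discarded
            del self.pending[request_id]
            raise ApprovalError("request expired")
        return p
    def request(self, request_id, action, requester, now=None):
        now = time.time() if now is None else now
        self.pending[request_id] = PendingAction(action, requester, now)
    def approve(self, request_id, approver, now=None):
        now = time.time() if now is None else now
        p = self._get(request_id, now)
        if approver not in self.approvers:
            raise ApprovalError("not an authorized approver")
        if approver == p.requester:  # no self-approval
            raise ApprovalError("requester cannot approve their own request")
        p.approvals.add(approver)
        return len(p.approvals)
    def execute(self, request_id, now=None):
        p = self._get(request_id, time.time() if now is None else now)
        if len(p.approvals) < self.required:
            raise ApprovalError(f"only {len(p.approvals)}/{self.required} approvals")
        del self.pending[request_id]
        return p.action  # caller performs the approved action here
    def revoke(self, user):  # offboarding: drop the user and void their approvals
        self.approvers.discard(user)
        for p in self.pending.values():
            p.approvals.discard(user)
```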
Continuously monitor systems.
Constant server monitoring and scans can go a long way toward bolstering your website security. These processes might use services such as Sucuri and should include Payment Card Industry (PCI) compliance scans. Prevention is the best cure. Monitoring can inform you of potential vulnerabilities before they're exploited -- and could just save your business.