Editor’s Note: This is a guest post from Aaron Warner, a mentor for the Iowa Startup Accelerator and CEO and Lead Security Strategist at ProCircular, Inc. You can view the original post here.

In the world of startups, cybersecurity is often an afterthought.
Not because budding entrepreneurs haven’t heard the horror stories, but because it seldom ranks highly among the things that directly generate cash or hurry a company to market. Like so many other priorities, cybersecurity often falls by the wayside in the early business stages.
This is largely due to a few immutable truths of the startup world:
- Cash is precious, and there is never enough of it.
- Next to cash, time is the most valuable commodity, and it’s all used up too.
- Things move fast, big decisions abound, and a startup’s bandwidth is only so wide.
This sort of environment makes it difficult to consider infosec as anything more than another hampering cost center. So startups often choose to roll the dice and hope for the best.
In years past this might have been a valid approach. That is no longer the case.
Startups are influencing and reinventing every part of our world—healthcare, finance, childcare, transportation, energy—and this hasn’t been lost on thieves. Leaving aside the state-sponsored thirst for acquiring intellectual property through theft, the data stored by flourishing startups has been recognized as valuable and marketable by denizens of the dark web.
Personally identifiable information (PII) and healthcare data translate into identities for sale. Financial information, either as account data or credit card information, is valuable for both direct abuse and resale. And the word is out—startups generally suck at protecting their data.
- Startup “Clinkle” was hacked in a rather modest way, but embarrassing pictures of the CEO holding up stacks of cash (presumably from investors who had poured in series B money) have brought their future into question even before their official launch.
- Software engineers Abhishek Anand and Manish Kumar were able to identify critical security flaws in seventeen of the biggest startup organizations in India. These organizations collectively were worth an astounding ten billion dollars and the negative press they received damaged their credibility and likely their valuation.
- In 2014 the startup Codespaces, a collaboration and hosting company, was forced to close after hackers used a combination of DDoS attacks and penetration to delete its Amazon EC2 instances. Codespaces said that, “In summary, most of our data, backups, machine configurations and offsite backups were either partially or completely deleted,” and was forced to close its doors and use its remaining cash to help clients recover what little data and work remained.
We know starting a business is arduous, so why should you give cybersecurity the same attention that you dedicate to UX, product design or financial management? Here are some of the reasons to make cybersecurity part of your startup’s Core Value Proposition.
You’re not the only one to recognize the need for cybersecurity. Your customers are reading the headlines, and they’re often in no better shape themselves. Rather than fix their own internal problems, they’re increasingly looking for vendors that have these issues solved for them. This risk transfer approach is a common reason for shopping for solutions in the first place. You may well have competitors with similar features or capabilities; having every major news outlet market one of your standout features (privacy or security) can be a great advantage.
Apple may have its challenges, but compared to many of their competitors they’ve done a great job of making security and privacy a competitive advantage. Their very public disagreements with the FBI in a number of recent cases have proven that the company takes the protection of their customers’ data seriously. Web hosting companies like Pagely or Armor.com are able to charge a significant premium due to the quality of their security programs and compliance. No longer just a comforting reassurance, security now adds to value.
Compliance and Regulatory
Whether you realize it or not, you may already have regulatory compliance requirements built into your business model. Here’s a quick reference of data types and the requirements that come along for the ride:
- HIPAA – Any health information, including that of your employees (think insurance data)
The HIPAA Privacy Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. Individually identifiable health information is information that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
- the individual’s identity, or information for which there is a reasonable basis to believe it can be used to identify the individual.
Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number, diagnosis, condition, medication, etc.).
- PCI DSS – Accepting credit card payments? You’re on the hook in some form or another.
Maintaining payment security is required for all entities that store, process or transmit cardholder data. Guidance for maintaining payment security is provided in PCI security standards. These set the technical and operational requirements for organizations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions.
- FERPA – Are your customers minors or students? Bingo, you’re subject to FERPA.
The Family Educational Rights and Privacy Act gives parents and eligible students these basic rights:
- The right to inspect and review the student’s education records maintained by the school;
- The right to request that a school amend the student’s education records;
- The right to consent in writing to the disclosure of personally identifiable information from the student’s education record, except under certain permitted situations; and
- The right to file a complaint with the Family Policy Compliance Office (FPCO) regarding an alleged violation under FERPA.
An important point to consider is that these standards apply to both your organization and the third parties you use to host your data. If you move data covered by these regulations to the cloud in any way, the cloud provider will also need to be compliant. This applies to the storage of the data, whether in a database or a flat file, as well as the applications used to access it and the methods you use to transfer the information. You’ll need to review each of your cloud vendors very closely, and perhaps perform an onsite inspection, in order to be in full compliance with the standards.
Making Cybersecurity and Compliance a Competitive Advantage
Noting these advantages and obligations, how can your startup join the ranks that use security and privacy as a competitive advantage? The steps are less daunting than you might think.
ProCircular’s recommendations for startups are a subset of guidance provided by a recent Department of Homeland Security publication (Reference Number JAR-16-20296, NCCIC/FBI/DHS) that states that 85% of the targeted cyber attacks can be prevented by taking these steps.
Note: We’ve rearranged the list and modified the comments to make them more realistic for cash-strapped and time-hungry startups:
- Backups: Space on Google or Amazon is cheap and secure, and you should be backing your data up. Ask your team: Do we back up all critical information? Are the backups stored offline? Have we tested our ability to revert to backups during an incident?
- Incident Response: Do we have an incident response plan, and have we practiced it? A basic template from NIST and an afternoon war-gaming meeting can go a long way. Don’t hesitate to reach out to the FBI or DHS early so that you at least have a relationship, and (shameless plug) befriend a local cybersecurity firm in case you someday need them. A breach is a terrible time to meet and vet people who can help.
- Risk Analysis: Have we conducted a cybersecurity risk analysis? Basic vulnerability assessments or application testing can be far more reasonable than you might think, and may save you an embarrassing hack.
- Staff Training: Have we trained staff on cybersecurity best practices? There are a number of services such as KnowBe4 and com that can provide great training for less than $20 per employee.
- Vulnerability Scanning & Patching: Have we implemented regular scans of our network and systems and appropriate patching of known system vulnerabilities?
I’ve separated these last three because they’re often difficult for smaller organizations. If you can afford them, or your organization deals with some of the sensitive data mentioned above, protected health information (PHI) in particular, you may want to budget for them regardless:
- Application Whitelisting: Do we allow only approved programs to run on our networks?
- Business Continuity: Are we able to sustain business operations without access to certain systems? For how long? Have we tested this?
- Penetration Testing: Have we attempted to hack into our own systems to test their security and our ability to defend against attacks?
Your Startup’s First Disaster Recovery/Cyber Meeting
A good start is to ask everyone to read this article, which you’ve already worked two-thirds of the way through. Once they’ve given this modest piece a read, gather the team for an open and honest discussion of your risks. This can be divided into three steps:
- Start by talking about the data type risks (HIPAA, PCI, etc.). Ask: How much of what’s outlined in this article applies to us?
- Walk through the DHS list of the eight items listed above – what are we doing now and which of these steps aren’t we taking?
- Of all of the data we hold, which information might be valuable to a competitor or sold on the black market?
- Outside of IT, what steps could each of us take to mitigate some of these risks?
Business Impact Analysis (BIA)
- What are the most likely scenarios that could seriously impact our business and what could we do to prevent them? (no meteors or Red Dawn scenarios allowed)
- Organize these thoughts into a risk matrix, ranking by “Likelihood vs. Impact” on a scale of 1-5.
- Revisit this conversation every quarter to keep up to date. Things change fast in the startup world.
- Using the SANS for Small Business approach (found here) put together at least the following from this site: https://www.sans.org/score/incident-forms
- Incident Contact List – list out the contacts you need, and who needs to be a part of the plan. Also, pick a leader for incident response, and note that it does not have to be someone in IT.
- And do a ‘test run’ for ransomware. Fill out an example of the following document: https://www.sans.org/media/score/incident-forms/IH-Identification.pdf
Once you’ve pulled all of this together, divide up the work. Go around the room and have each person read off the work that they’ve promised to do. Put these down as action items and use them for a follow-up meeting to be scheduled in a month. Get together each month for two hours, stay religious about it, and VOILA! You have a functioning cybersecurity program.
We’re going to sound like a broken record, but PLEASE insist that backups and a recovery test are done as one of the action items. Even if you’re sure you’re already doing them, have someone demonstrate again at the next meeting that it’s been done. This is the most effective way to protect yourself and your business, and it’s so rarely done well. Ransomware preys on those who don’t back up, and you’ll enjoy telling the hackers to ‘go kick rocks’ if your backups are in order.
While this may seem like a lot, it’s a body of work that any startup can complete with about ten hours from roughly three people. If this reasonable commitment might derail your product launch, you may want to rethink what you’re launching and when.
Think about it this way – how much would losing all of your shared files impact your product launch or cashflow? If you divide that impact by ten, the result is probably more than what’s needed to pull together a plan. Meanwhile, staying operational and available to your customers may be just the thing to put you ahead of your competitors.