in ,

Start-Ups Don’t Care About Security

 In the Digital era, young people are focusing on building their own start-ups with IT Technology and they are working hard for branding, and funding, instead of securing the user’s trust (user information). As per analytics, there are 150 million start-ups in the world today, with 50 million new start-ups launching every year. Most of the start-ups were started in 2004 to 2018 for funding purposes only. At this time, there are no unique ideas or any unique problem solving, or even something better than other existing products or services available. These start-ups are being created because of funding. Investors are also investing blindly, without even considering their start-up ability. We always relish encouraging young talent to start something new, but, most of these youngsters took the opportunity as an income source. 

If you have a great idea, that is somehow also making money, and you’ve decided to bootstrap it into a full-fledged company, then congrats! You have a start-up. In today’s market, it seems like we are all being pushed to build, grow, and sell over and over and over. It seems like there’s no time to think about anything else. If you’re not developing something that will directly contribute to the product’s success, it seems like a waste of time.

This is the mindset of today’s start-up founders and engineers, who are pushing development forward without best practices being met, because “we can reiterate later”. The hard truth is that “later” rarely ever comes. This is how bad operational security practices and, in the case of software companies, vulnerable code gets baked into an otherwise great product. 

Another hard truth, is not paying attention to security, even from the outset, which drastically increases the odds of failure for your IT security. It’s been estimated that nearly 60% of small companies get hacked each year. What do you think it means to your client base when your product is hacked, and their private data is stolen because of you? You could be facing massive losses of revenue and, even worse, lawsuits. That’s a sure-fire way to crumble the foundation of a fledgling company.

I get it. You’ve never been hacked (that you know of) before, so why should your company spend time and resources on security training? Obviously, they’re doing okay, because nothing bad has happened. However, that’s like saying some guy without medical training is fine being a doctor, simply because he hasn’t killed anyone. 

Get your hands on some legitimate security awareness training, and make participation mandatory. If you’re feeling really zealous, require a basic security certification from all employees, as well as ongoing training. It might seem like overkill, but take a page from our armed forces–even the mess hall cook went to basic training. The company grows as a whole when the individual parts are strengthened. 

If your company is more than a few people, consider implementing a phishing simulation program as well. You can set this up yourself. Spending a little extra effort on this training will pay off.

Few  start-up companies go to the end-user level without major changes along the way. But these companies are taking care of a number of accounts, not only for marketing purposes, but also for securing their user’s data. Hackers who take a chance to break into their systems, can causemany data breaches to be leaked into normal web and dark web. 

Most of the researcher on this topic has found users’ personal information like name, address, mobile numbers, email address, etc. in these data breaches. They have also found sensitive information like credit card information, user credentials, locations, device information, and etc. Some of the companies have not even cared about users’ credentials, and they used weak ciphers while encrypting the data or user credentials. Some other companies did not even encrypt the user’s credentials! How careless a situation to place the start-up in, and what a dangerous product they are bringing to the users. Many users will learn not to trust any start-up application. Users often are using  services with fake personal information because of this loss of trust. 

Many start-up companies are building apps with the integration of third-party apps, or vendors in their products. Due to developers with a lack of knowledge, or due to mistakes in their main applications or third-party applications ,these applications are vulnerable, and may lead to data breaches in that application. These vulnerabilities exist in their web applications, mobile applications, at the API level, and in the network. 

Web applications are where most of the vulnerabilities of any system are generated, and security can damaged at any  level, based on the vulnerability severity (risk level) involved. When security is not deployed, there can be a chance for the data breach of user information and revenue loss.

Everything Start-ups Need to Know About Security

Keeping your start-up safe from hackers, data loss, and breaches, takes more than just a firewall and antivirus software. Hacking has become a serious – and expensive – global problem that has destroyed the reputations and finances of small businesses and corporations alike.

Recently, I heard about a company,  Rokenbok, which was a start-up using blocks and robotics to teach children to think like engineers. This company lost thousands in sales when its data was held for ransom by hackers. Rokenbok database files were infected with malware and it wasn’t the company’s first experience with the hack that ultimately shut down its website. Unfortunately, smaller companies are easier to hack, because they are inexperienced with the kind of cybersecurity required to combat the ever-growing legion of sophisticated hackers. 

First impressions in the online world are absolutely everything, and can make or break a company. In a world where missteps and bad customer service experiences go viral, companies can’t afford to wait until getting hacked, to do something about their cybersecurity. A major corporation with a longstanding, and good reputation in their industry, along with loyal customers, may be able to restore consumer confidence after a data breach, but start-ups rarely have that same type of consumer currency in place.

Social engineering is the use of manipulative tactics by fraudsters to convince individuals or organizations, to voluntarily give up valuable private information. Modern businesses must contend with a range of cybersecurity threats, from DDoS attacks and hacking attempts, to viruses and ransomware. However, according to findings published in the 2019 Trustwave Global Security Report, social engineering is now by far the dominant method for cybercriminals looking to access your data. Indeed, the report found that 46% of all breaches in corporate settings can be attributed to successful social engineering attacks, and this rises to 60% in the cloud and point-of-sale environments. As a result, learning to prevent social engineering attacks needs to be a top priority for all businesses and individuals.

There are also investment implications to consider when it comes to hacking. Your start-up can’t survive looking for funding, if investors see it as an insecure entity. And if you’re an existing company, your stock could wind up in freefall. Sony’s stock price plunged by $11.39 after a data breach and DDoS attack on their servers in 2011, and eventually crashed by 36%. As with most every start-up, they had relied on both the strength of their ideas and their company name. A data breach that sees your industry secrets or confidential client data hitting the dark web – or the headlines – could greatly affect your company’s ability to drum up investor interest.

To counteract these risks to your important information, you’ll need robust policies, processes, and software that put security first. You will also need software for managing and distributing documents such as Stellar Library, for example. Stellar Library fills this role, replacing insecure channels like email, while supplementing existing services such as Google Drive and Dropbox with improved oversight and control of any device, anywhere, any time. It’s an agile solution for an inherently agile sector. 

More recently, spear-phishing attacks often take the form of emails that point you in the direction of a fraudulent website that looks as though it’s provided by a trusted source, such as a co-worker, friend, or even your boss.

All it takes is a tired Monday-morning click or email from the compromised account of a trusted individual, and before you know it, you’ve handed over access to accounts, documents, or important internal information to an unscrupulous third-party. It’s better to be safe than sorry, so always double-check the source of an email if you’re ever in doubt.

As the name would suggest, Ransomware locks down, or encrypts data, an affected computer, or an entire server, rendering it inaccessible to the user until they cough up the cash. Like any other cybersecurity risks that eventuate from downloading or installing compromised files, appropriate training and anti-malware solutions such as Bitdefender or Norton, are both strong ways to mitigate against the risks of Ransomware.

Start-ups are, by their very nature, agile things. As are the management and staff that power them. Whether you’re working on your laptop in the waiting lounge of an airport, or typing up an important report over a coffee in a café, you need to stay connected. To do so? Chances are you’re connecting to public Wi-Fi.

Don’t let your start-up’s internal IT security measures trick you into a false sense of security. Beyond your four firewalls, there’s a world of security flaws and vulnerabilities out there. Free, public Wi-Fi connections may be a great modern convenience, but it’s all too easy for third parties to set up compromised connections in public places like hotels or cafes, which can then monitor and harvest all traffic once you’ve hit ‘Connect’. 

No matter how robust your security protocols, there’s simply no accounting for human error. For all the high-profile headlines about private email servers, there is a lesson to be learned here for start-ups about the lengths staff and employees will go to in order to circumvent even the strictest internal security policies in the name of convenience. This includes personal email accounts, laptops, and mobile devices.

The stats agree–25% of employees use the same password for every account, while only 40% use a personal device that’s properly monitored. Mitigating against convenience is a constant struggle, but it starts as common-sense policies and internal training, as well as built-in fail-safes such as two-step verification and multi-factor authentication. These days, most everything is a connected, or smart device, boasting Bluetooth, Wi-Fi, internal storage, and – most importantly – a connection to your internal network. With the sheer speed at which these connected devices are finding their way into the average workplace – from connected coffee machines to security cameras – traditionally rock-solid security policies are becoming outdated before the ink has dried. 

Whether it’s a DDoS attack or data breach, your start-up needs to be aware of – and working on – the new, emerging risks these IoT devices present to your day-to-day operations. They’re fast becoming the overlooked weak-point in what may otherwise be a robust security system. Yes, even your toaster can now be a threat.

 It’s time to take security threats seriously.

Akhil Rapelli

With new threats emerging each and every day, it can be difficult to keep up with the pace of change. The best you can do is stay prepared, and mitigate against these risks as best you can with policies, procedures, and supporting software. While even the strictest security is always liable to be broken, taking action is far more effective than sticking your head in the security sand.

Using and keeping track of security tools

In general, it’s just good practice to require some kind of anti-virus software on employee machines, and to track the security patching of these machines to ensure they are up to date. On top of that, you may want to bring in other tools like password safes. You may also want to require employees to install browser extensions to block unwanted scripts and tracking.

All of this is totally up to you, the important part is that you have some way of protecting your employees from common attacks and that you are both requiring compliance across the company, and tracking who is compliant/non-compliant. Without accountability, people will nearly always choose the path of least effort.

Take the time to plan ahead on threat modeling, threat intelligence, active monitoring, and regular security audits. It is okay to spend time and money on security. Your internal security team or third-party companies, will provide and maintain your security. Treat security like any other resource you need to be successful. It’s just one of those things that you don’t need until you really, really do, and then it’s too late. Don’t be a failure start-up! Make it successful and be prepared.

Author

Akhil Rapelli

CTO of Swiftsafe

SwiftSafe is a Cyber Security Company Specialising in Securing the IT infrastructure and assets with Security Consulting, Auditing and Testing Services.

Socials: Facebook Twitter LinkedIn YouTube Instagram

Comments

Leave a Reply

Your email address will not be published.

Loading…

0

After SolarWinds Hack, Courts Revert to Paper for Secrets

FTC Finalizes SkyMed Data Leak Settlement