Security was not something our first users asked us about. I mean, we are an early-stage collaboration tool startup in a competitive space. It didn’t seem that individual users or small teams were too interested in it. Under pressure to improve user retention across our cohorts, we focused on making a beautiful and sticky product first.
“In this case, ignorance is not bliss” – Sonja de Vries, ilionX
In April 2014, we presented Twoodo at the Social Now conference. Against industry behemoths like IBM and Oracle, our tool shone through and won the appeal of the audience. Great! But then the questions arose about security – this was a B2B audience of vendors to large companies, mostly. We’d never been in such a context before. It’s not that we hadn’t applied security at all – rather, it was just not spoken about much in our team, it was assumed.
A lot of big companies and SMEs are struggling with BYOD (bring your own device) policies, where employees are rather reckless with security: logging into the enterprise app over free wifi, using a simplistic password, downloading a malicious app and so on. All tech startups are BYOD. We hadn’t even thought of checking if our own intern’s laptop had a firewall! BYOD is not the only problem. Most companies now hand out laptops, tablets and smartphones so that employees can work any time, any place. So, instead of coming to work on fixed desktops, the employee is physically taking work, and with it data, everywhere. Secure data is leaving the secure company building and is:
- exposed to theft or loss
- being used by others (children or spouse)
- being used at home for online shopping etc.
Like many other early-stage tech startups, we sought out every kind of business advice but not that much security advice. Luckily, our CTO had enough experience to deal with these issues all along! But it got me thinking of the less experienced tech entrepreneurs.
How did security not become a priority issue?
Tech startups don’t often consider the role of security, unless security is part of what they intend on selling (or like us, they have a security guru on the team). SaaS startups in particular are vulnerable in this regard. Sure, there may not be time during the hectic early weeks and months, nor the manpower to implement a stringent security system. But wouldn’t it be worth it? What would you do if your laptop was stolen, and access to the user database or code was available to the thief? Unlikely – but possible, especially with easy-to-nab smart devices.
“Unfortunately, it is not enough for startups to recognize that they need to care about application security; they need to take action. The challenge is cutting through the apparent complexity and building-in application security from the very beginning, while minimizing costs.” Technology Innovation Management Review
The bright young non-techie founders in the startup world right now have a fatal flaw, in that they are so accustomed to being around IT that little thought is put into the risks involved in, say, free public wifi or letting Chrome extensions have access to your full email account. And also – not every technical co-founder is very experienced and naivety might be the fatal flaw in this case.
Here were the top 10 security flaws of 2013 – a handy checklist for noobs still learning the ins and outs of IT security:
In the end, the biggest security flaw is typically people, not the system. How often I hear ‘the system is fine but people are idiots!’
Don’t feel too bad. Here are some of the big companies hacked in the last year or so:
Some refer to it as the ‘year of hacking’ after all these internet giants fell down. And yet, even after the recent Heartbleed revelations, people are still loath to change the most basic and best first defense against hackers: a decent password.
Take a look at this list of the 25 Most Popular Passwords of 2013 – and weep!
But changes are creeping in. More services I sign up to now have fervent messages stating that they absolutely will not sell my data/soul for ad targeting or any other nefarious purpose. Services such as LastPass can generate unique passwords and also ensure that you only ever need to remember one.
But I digress. My point is – security is a hot topic and people are beginning to take on board the advice they’ve been given for years. As startups are having a hard enough time growing, convincing a skeptical public that you have excellent security measures can:
a) give you an edge over the competition, and
b) be just awesome to have set up from the beginning
Time and money are two things founders must spend wisely, that much is true. But would instilling security measures from Day 1 prevent future calamities that would ultimately cost more time and more money to fix? I would argue – yes. A startup that loses credibility with its users in the early days might never recover.
Where do we start?
IT is constantly shifting – there is no static fix that can be implemented, unfortunately. In light of this fact, Ira Winkler (from the appropriately named ‘Dark Readings’ blog) suggests that loss mitigation is a better approach to have than a simple ‘keep them out!’ frame of mind.
Yes, it will most probably be the user’s fault for making a mistake - but your systems have to be there to take the fall and survive it. You must also realize that your own team members may be the unfortunate ones that wreak havoc on your system – not out of spite, but out of ignorance. This is where ‘awareness training’ typically comes in useful, but as Winkler asserts – it has to become part of habit and not just an occasional reminder like ‘don’t forget to bring an umbrella.’ It is the CEO’s role to make this part of the fabric of the startup. Simply, the way you all work.
“People mostly have a strong relationship with their personal data. What’s worse? Having your digital camera stolen, or losing the pictures of your wedding day that were on the SD card? The data on the SD card is most important to most people. If people could have that relationship with work data, protecting it and taking care of it will most likely be habit. Having a (strong) pin code or password would be natural, not a hassle.” - Sonja de Vries, ilionx
When a person has a vested interest in the data, a personal connection, they are more aware of losing that data. But an employee, for example, will not have the same urgency about protecting the data that the founders or managers would. This is why security measures and security habits should not be taken for granted.
RelateIQ have a great blog post with practical tips for startups on how to have a security mindset from the beginning.
…BUT make sure to also read this Guardian article - it discusses some of the shortcomings of RelateIQ’s suggested security measures for hard drives in more depth.
Here is our top security advice for tech startups
Passwords and Identity Verification
- A strong password is not good enough these days. Google is leading the new norm of verifying your identity at a higher level of security with 2-Step Verification; read this link for a nice explanation.
The 2-Step Verification process is an open standard. Microsoft, for example, is another company that has recognised that users are demanding better security and has adopted the open standard for 2-Step Verification in Outlook.com (formerly Hotmail).
The Google Authenticator mobile app makes the 2-Step Verification process a breeze, and since it is based on the open standard, it works with Microsoft’s 2-Step Verification for example.
Protect your source code
- On the development side, our source code repository is also hardened against brute force password attacks, by adopting SSH keys over passwords for connecting to the repository.
As a team working on Mac OS X and Windows 7 and above, our hard drives are encrypted by the built-in OS technologies (FileVault 2 and BitLocker, respectively). So in the event of loss/theft we can remain calm in the knowledge that any sensitive/confidential information remains safe. We use Google Drive for storing files in the cloud, removing the need to worry about backing up files.
Other important points
- Using an external provider for an HTTPS certificate
- Data protection layer: web server access, data replication and server protection. Amazon Web Services provides good security easily (S3 storage and SSL access)
- You have to have an SSL certificate (which enables HTTPS); it stops people on the same network from being able to read the information that you send and receive.
- You have to limit access to files and directories on your server. Visitors shouldn’t be able to browse your server to find information, and private files should not be accessible without the user being verified (i.e. logged in). Amazon Web Services provides great security tools for this; read up.
- Limiting access and encryption
A simple way of guaranteeing no leaks is to simply not give people access. This is not foolproof, but it limits responsibility to a handful of individuals. If a leak occurs, it can be quickly identified in this case.
Grow, but grow safe
Many tech startups have a ‘growth team’ or ‘growth hacker’ as part of the core business. Why is this relevant to security advice? Well, part of what the growth team does is try to make signing up (for example) as smooth and convenient as possible for new users. A lot of ‘growth hackers’ recommend that you don’t have a 2-step authentication process because conversions drop – despite the fact that it is more secure. The same goes for CAPTCHAs.
“Proper methods for protecting sensitive information on computer systems, including …[the] use of two-factor authentication.” Dara Security
Take a look, even, at this list of standard startup growth hacking tools - none deal with making anything more secure.
Of course, you cannot entirely blame the growth team for people’s impatience, but you are facilitating them! Is this ethically acceptable? It’s up to each startup to decide.
If you are a SaaS provider with your sights set on the enterprise market, you better be ready for a long list of requirements around security and compliance… Managing ever-changing security and compliance requirements as your SaaS business scales is hard to do well. – Keren Elazari, Gigaom
This is not to put people off starting a B2B business – not at all! – but don’t go in blindly without really thinking through how you are going to deliver a secure and trustworthy service.
We would like to thank Sonja de Vries, Security Awareness Consultant at ilionX, for taking the time to answer our questions – much appreciated!