Target. Home Depot. Sony. What do they all have in common other than falling victim to major security breaches? They aren’t startups.
When big names fall victim to data breaches, it’s big news, making smaller companies believe they aren’t likely to be a target. However, according to Greg Sullivan, CEO of Global Velocity, smaller companies should be on the offensive.
“The issue is that SMBs wrongly assume that their size or small influence does not merit attention from hackers or do not educate themselves about potential exploits in their infrastructure,” he says. “While SMBs are not as big as companies like Target and Home Depot, they are the majority of victims at the hands of cyber thieves seeking easy targets. The Verizon 2013 Data Breach Investigations Report found that 62 percent of breaches impacted smaller organizations, likely a conservative figure since not all small organizations are reporting breaches.”
In the first 18 months, startups are extremely vulnerable to attacks. Here are a few cost-effective security tips for startups to follow to protect their valuable data:
1. Be careful of 3rd party tools/vendors
Know what your employees are doing with your data, especially any tools they use to work with that data. Any breaches in tools could lead to a data breach and serious loss.
According to Ann Fellman, Director of Product Marketing at Code42, “While consumer sync/share tools may be widespread among your users for personal sharing, organizations need to carefully vet the security and encryption practices when it comes to sharing business data.”
Eric Basu, Founder and CEO of Sentek Global, adds that the most important thing a company can do is to spend a fraction of their security dollars “training their team to avoid doing simple things that leave themselves vulnerable to cyber attacks.”
This was a lesson learned not soon enough by Dairy Queen, who had several hundred stores affected by a compromised 3rd party account. Ouch.
2. Don’t rely on anti-virus software
Anti-virus isn’t a perfect solution, and with hackers becoming more and more advanced, it can’t be the only thing your startup relies on.
“Symantec’s recent admission to the Wall Street Journal that antivirus software is ‘dead’ is a big red flag that this approach of hardening the network and data stores is insufficient, particularly as companies increasingly move their data to cloud-based services,” comments Greg Sullivan, CEO of Global Velocity.
3. Proactive, not reactive
Monitoring your systems to prevent and intercept attacks is costly, and many startups only realize they had a data breach after the damage is done. In fact, many small businesses don’t realize they’re under attack, even allowing hackers to have access to their data for months.
Bryant Tow, CSO of Vaco Risk Solutions, warns “Small businesses are by far the largest attack surfaces for cyber criminals because most do not pay attention to security, don’t allocate any budget to security and have few to no resources.” He adds that startups should consider outsourcing until they have the financial stability to carefully monitor their data.
Chris Kirby, IT Manager at Voices.com, adds that startups should “Protect everything, secure everything, encrypt everything. Don’t wait for the breach to happen. Identify the bad guys early (when they are only probing) and lock them out of your infrastructure. Make sure that if they do get their hands on anything – it is useless to them.”
4. Minimize human error
Sometimes, hackers don’t even need to hack to get access to your sensitive data. Reddit user KittenTitterBurns shared the story of his company’s HR rep falling victim to a phishing scam, sending all of the employees’ tax info to a fraudster. According to the IRS, this is a well-known scam, yet it seems people are still falling for it.
Simply training employees on what to watch out for, and what to question, can save a huge headache.
Sam Cornish, Cyber Security Expert, adds that “vigilance is the key, as breaches are more likely to be caused by human error than by a successful cyber-attack.”
5. Think Cloud
Michael Talve, Founder and Managing Director of The Expert Institute, recommends startups consider putting everything into a cloud solution, such as Salesforce. He says “By using Salesforce to manage the majority of our data, we are able to provide technical security without maintaining expensive internal systems for data management. The beauty of Salesforce is that it can neatly scale with our growth without much hassle, since we can just expand our data usage with their platform.”
6. Don’t forget about passwords
Passwords are notoriously a soft spot, as demonstrated by this yearly list of “worst” passwords.
Entrepreneur Anant Mendiratta recommends using a tool to have employees test their passwords like http://www.passwordmeter.com/. Another option would be to implement password requirements on any systems that hold sensitive data.
Keith Alexander Ashe adds that your tech team should secure HTML inputs by using “the ‘type="password"’ for text input tags to mask user passwords. For example: Text input would show user’s password: <input type="text" name="password">. Text input would mask user’s password: <input type="password" name="password">.”
7. All data is important
It’s critical for a startup to remember that all data is important. Even something simple like your email newsletter list in the wrong hands can wreak havoc on your reputation.
Expert Neal O’Farrel of Credit Sesame says “It’s not enough simply to focus on the obvious, like payment processing systems. Even a database of customer email addresses, for something as benign as a newsletter, can harm customers and company reputation if exposed.”
8. Consider insurance
Data hacks happen and can be very costly, possibly even putting a startup out of business. Ted Devine, CEO of TechInsurance, recommends companies “Invest in insurance – the only thing that can protect them when their data is hacked.” Why? If you’re responsible for a data breach, repercussions include notifying your customers and possibly even providing credit monitoring. It can add up very quickly. Lawsuits are also a very real possibility.
9. Two factor authentication
Traditional usernames and passwords are just too easy, according to Gene Shablygin, CEO of WWPass. He recommends using two-factor authentication because “Two-factor provides a second layer of protection, usually in the form of a physical token like a USB device or a secure mobile app. Users have to provide not just something they know, like a password, but also something they have. Even if hackers get their hands on passwords, they still can’t access sensitive data. Cybersecurity experts have long stressed that two-factor is a far better option, but many start-ups aren’t aware of that. When it comes to choosing a vendor for two-factor, there are many options and not all are equally secure. But some form of two-factor is always better than none. Two-factor is also affordable: some of the most secure options cost just a few dollars a month or less per user.”
What are your recommendations for security tips for startups?
Expert advice via Digital Guardian. Image courtesy of PROTECH.