Most small companies such as startups do not invest properly in security in their early stages. This is a result of believing that hackers only targets big corporations, which is a common misconception. More often than not, hackers prefer to target low-hanging fruit, which in this case is small and startup companies. In addition to this, the earlier you decide to invest in security, the more efficient it will be. If you wait too long with integrating security, you will most likely have a lot of legacy to deal with, which will make the shift more expensive and complex.
SUP46 alumni member Detecitfy and their Customer Success Manager, Johan Båth, is sharing some of their best tips for small companies when it comes to security.
The reason small businesses get targeted
An easy target
It’s often easier to hack a small company that does not have their security routines and infrastructure in place. Established companies have either gotten hacked in the past and invested in the security infrastructure after a breach has occurred, or they have seen what can happen if a breach occurs. As a result, they have invested in their security and are therefore harder to compromise.
Lack of knowledge
The most common reason behind breaches starts with employee errors. This could be in the form of an employee that clicks a malicious link in a spoofed email; a link that is embedded in text or just from an email phishing campaign. Another common error is employees that are using the same password across multiple services, and if one of those services gets compromised, so will the other services (such as the Dropbox or LinkedIn breach where millions of user credentials get compromised).
With this said, automated hacker attacks put everyone at risk, no matter the size of the company. But there are things that you could and should do to prevent disaster from happening.
What should I do if I run a startup and want to avoid being hacked?
The first step should be to start educating all employees about the risk associated cyber attacks. One simple remediation for avoiding having credentials compromised is to use password managers such as LastPass, 1Password (or similar service) and use the built-in functionality of generating passwords, which are unique for all services.
Next step is to inform the risks of phishing emails. This could either be done by showing examples of phishing emails and how you can validate the real origin of the emails, or to actually conduct internal testing and send out fake emails to the employees.
Spoofed emails are a bit harder to catch, though, since the origin of the emails looks to be legit (eg, from address is @companyname.com). To make sure that people are not spoofing emails from your company, make sure you have set up the SPF records correctly.
Make sure your software is updated
If you are using a CMS platform for your website, you need to make sure that there are no outdated plugins with known security flaws. This is especially important since hackers can scrape the web for sites that are using outdated versions. For example, if you are using WordPress, you should make sure that you have turned on automatic updates.
Invest in automated security testing
Ill-willed hackers will always be one step ahead when it comes to finding new vulnerabilities, but leveraging automation in the form of testing of web applications and servers/networks will significantly increase the probability that you find the security hole before someone else does. Detectify is a tool for automated testing of web applications, and also for educating your developers about security.
Leverage the crowd
There are plenty of organizations out there that are leveraging the hacking community when it comes to security (sounds counterintuitive, right?). In short, companies that take part in these bug bounty programs, allow people to hack their applications in exchange for an award. One example of this is 14-years old Karim who hacked Spotify and was awarded for it. Startups are usually really good at sharing knowledge between companies, which in my opinion should be no exception when it comes to security.
In the light of risks and suggested precautions listed above, it all comes down to taking care of the products and services that you have spent so much time building. You have put your soul into building these awesome products, and it really does suck if someone would come and ruin your product AND your brand reputation. For up-and-coming companies, it’s especially important to care for the customers you have, and a good way to achieving their trust is to have their and your security in mind when building these products.
With the risk of coming across as a bit cheesy: Rome wasn’t built in one day, and the same is true when it comes to security. There’s no quick fix that will take care of all your security problems, rather an ongoing process of learning and proactive thinking.