[BreachExchange] 10 Data Security Mistakes Startups Can't Afford to Make

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jun 22 19:51:39 EDT 2016


http://www.stamfordadvocate.com/news/article/10-Data-Security-Mistakes-Startups-Can-t-Afford-8318455.php

Startups are usually in a rush, and they often forget about data security
as they try to get an MVP out.

With new businesses, a data breach can result in the company closing down.
To address the mistakes most commonly made, I asked ten YEC entrepreneurs
the following:

What’s the one crucial mistake that tech startups seem to make when it
comes to data security nowadays and why?

1. Personal and professional borders.

Bring your own device (BYOD) has become increasingly popular during the
past years, even more so in the startup scene. People don’t like carrying
several smartphones and having to get proficient in different operating
systems for tasks such as checking their email or updating their calendars.
However, convenience often compromises security. Workers’ personal devices
can access and store sensitive corporate information locally. When the
person leaves the company, the information leaves with them, forever stored
on his or her device. Security-wise, this is a crucial mistake.

2. Ignoring two-step authentication.

Two-step authentication – the system that sends your mobile phone a code
via SMS, to enter when logging in to a new web page – is an easy, but often
ignored, initial step. It is now offered in all the key business platforms,
including Salesforce and Google Apps for Work. You can even enable this
security system in social networks at will. Since password breaching is
becoming more and more common, the wise thing to do is to enhance your
online-stored sensitive information with an added protection layer.

3. Security issues.

Racing to get a sustainable product on the market and getting those
all-important sales is a top startup priority, which may cause security mishaps
early on. Ensuring that your systems are secure is a meticulous process
which can rob resources from product development. However, when startups
“cheat” during security setup, it is almost certain that they’ll come
across the same problem in the future. Privacy and safety should be top
priorities from the beginning.

4. Insufficient exit protocols.

Data lapses and security breaches are more common with companies that
depend mostly on freelancers or part-time staff unless they incorporate a
predetermined exit procedure. Data loss, in the form of confidential
information sharing, account access and the like, can easily take place
when sensitive corporate data remains stored on the devices of these
people; they are not so security-conscious on their personal devices, or
they even forget about having the information stored in the first place.
You ought to protect your company’s and your client’s information by
planning ahead with your legal team.

5. Forgoing SSL from the beginning.

SSL (Secure Sockets Layer) is easily implementable from day one. It should
be enabled by default in every website. It reassures your users, while
upgrading the security level of your communications.

6. Failing to prioritize security.

Startups often think they can leave security for later when they will have
grown larger. The problem with this approach is that the company fails to
incorporate security in its core values, which makes it harder to deal with
when the time comes.

7. Having no policies for cloud storage.

Cloud storage services like Dropbox, Box and Google Drive are an amazing
way to keep your team up to speed and handle documents. However, failing to
lock them down properly renders them vulnerable to ransomware, viruses, and
unauthorized access. The main vulnerability is the convenience of file
sharing itself, which means that backups, anti-virus, password, email
attachment and access policies must be set up before a single user is
allowed to cause trouble for a whole company.

8. Disregarding security best practice.

Change in security practices follows the pace of technological evolution.
This means that security standards from a decade ago are now obsolete. Many
startups fail to keep up with the most up-to-date security developments and
as a result, they use outdated encryption protocols or old techniques that
can be breached by hackers and crackers.

9. No internal policies and infrastructure.

Tech startups are in a prime position regarding data security because they
have the ability to apply best industry practices from the start, without
being kept behind by outdated systems. This has resulted in unprecedented
product security. However, despite the increased security, internal
protocols and practices at tech startups have not evolved accordingly.
Limited use of single log-in, sharing of credentials and insecure password
policies are all aspects of the failure of technology startups to invest
adequate resources in their internal systems and infrastructure or their
influence on data security.

10. No suspicious activity notifications.

About half a year ago, I suffered a data breach that brought me close to a
significant financial setback. For starters, I used a single (weak)
password across many organizations, as well as for personal use. Someone
figured out the password, and I suffered breaches at multiple points at the
same time. I could have easily avoided this catastrophe with a simple
policy regarding password strength. What’s more, I found out that
sophisticated data security tools exist in many systems for mitigating data
breaches. On Google Apps for Business, for example, I set up a notification
alert to be sent whenever weird activity takes place.