[BreachExchange] 10 Privacy and Data Security mistakes that a budding startup must avoid

Audrey McNeil audrey at riskbasedsecurity.com
Wed Aug 10 19:42:33 EDT 2016


http://knowstartup.com/2016/08/10-privacy-and-data-security-mistakes/

Startups are always in a rush, since they want to achieve big goals in the
least possible time. While this seems like the right thing to do, they
aren't always thinking about data security as they rush to get an MVP to
market. This is not an ideal situation to be in. For a new business, a data
breach can mean the company closing down. Beyond that, the legal and
business implications of poorly managed privacy and data security practices
are too important to ignore. A single error can undermine the trust of
investors and customers, attract unwanted regulatory attention or
litigation, and ultimately derail a start-up's success.

To prevent such a situation and to always stay on your toes, we have
compiled the 10 mistakes that startups make in privacy and data security
and that they must always avoid.

1. Allowing security to take a backseat from the very beginning

Startups often fall into the trap of thinking that they can deal with
security later, when the company is larger. The problem with not taking
security seriously from the beginning is that security never becomes part
of the company's DNA, which makes it a much harder issue to deal with when
it is finally faced. Hence it is better to recognise the importance of
security early and give it top priority as far as your business is
concerned.

2. Focusing on product development more than security

Startups are always looking for ways to get a viable product to end users,
on the assumption that more product means more business and, in turn, more
customers. This mindset leads to lapses in security in the early days of
development. Building secure systems is a painstaking process that can get
in the way of product development, but if a startup takes shortcuts, they
will come back to bite it in the future.

3. Ignoring the border between personal and professional

Most startups run on a cost-cutting mantra, which often means that
employees bring their own devices to work. People don't like carrying
several smartphones and having to become proficient in different operating
systems for tasks such as checking their email or updating their calendars.
However, convenience often compromises security. Workers' personal devices
can access and store sensitive corporate information locally. When the
person leaves the company, the information leaves with them, stored
indefinitely on his or her device, unless the company has a way to revoke
that access and wipe the data remotely. Security-wise, this is a crucial
mistake.

4. No proper exit protocols in place

Another major mistake that startups make is depending too much on
freelancers or part-time staff. While this might look like the best
possible solution given a startup's limited budget, data lapses and
security breaches are more common at companies that depend mostly on
freelancers or part-time staff unless they put a predetermined exit
procedure in place. Data loss, whether through shared confidential
information, lingering account access or other channels, is easy when
sensitive corporate data remains stored on these people's devices; they
are not as security-conscious on their personal devices, or they even
forget that the information is stored there in the first place.

5. Ignoring relevant rules and laws

Some tech start-ups pay little attention to the fact that businesses are
governed by a wide range of laws and standards and are expected to operate
within commonly accepted practices. Ignoring these laws can lead to
significant errors and trouble. Among other things, ignoring privacy or
security obligations may come back to haunt a start-up when it meets its
first major customer or business partner. If it does not have the proper
structure in place for its operations to comply with applicable laws, it
will struggle to meet that client's expectations and may have to create in
three months what it should have built over three years. If it cannot meet
the client's standards, it will not be able to sign the contract. Start-up
tech companies may choose to ignore their legal obligations because they
are small and can easily fly under the radar. They might manage that for a
short time, but not for long.

6. Lack of proper policies for your cloud drive

Cloud drives like Box, Dropbox and Google Drive are a fantastic way to keep
your team in sync and manage documents. Despite these benefits, they are
exposed to viruses, ransomware and unauthorized access if they are not
locked down properly. A synced folder is a particular hazard: ransomware
that encrypts files on one employee's laptop is synced up to the cloud copy
and back down to everyone else, so the sync itself is not a backup. It is
therefore very important that anti-virus, backup (including file version
history), email attachment, password and access policies are in place
before one user can cause problems for the whole company.

7. Lack of internal policies and structured processes

Technology-based startups have a strong advantage when it comes to data
security because they can apply best practices from the start, and as a
result their products have never been more secure. But while the products
are more secure, internal practices and protocols at tech startups have
lagged behind. Credential sharing, limited use of single sign-on and poor
password policies are all common examples of tech startups not focusing
enough on their own internal infrastructure and policies and the impact
these have on data security. In the absence of rules defining who is
allowed to access which information and which uses are restricted,
employees, subcontractors or visitors might inadvertently access highly
confidential or sensitive data and misuse it.

8. Not being vigilant about their responsibilities

Startups sometimes outsource functions, or locate operations in the cloud,
because they lack the resources to hire personnel or purchase equipment. In
doing so, they may think they have passed responsibility for their data on
to those third parties. That is not the case: the entity that customers
know, not the obscure service provider, is the one that will be sued or
investigated if data is illegally processed or inadequately protected, and
the one whose reputation and trustworthiness will be at risk.

9. Copying a privacy policy blindly

Start-ups often hope to "save" on legal costs by simply copying the privacy
policy of another website without fully understanding what it means, or
without ensuring that the document accurately describes the start-up's own
policies and procedures. While this might appear to be a cheap way out, it
can cost the startup dearly as time passes. From a legal standpoint, a
policy that misdescribes what the company actually does may constitute
misrepresentation, which can be prosecuted by the state.

10. Collecting too much data

Some tech start-ups collect far too much data just because "we may need it
later" and "storage is cheap." The more data a company holds, the more
exposed it is to legal violations and security breaches. Collecting too
much data can itself be a compliance issue: some laws require entities to
collect only the minimum data necessary to achieve a stated purpose.
Holding a lot of data is also a significant cost: the more data a company
has, the more time and data expertise it will need to retrieve it, and the
larger the volume of data, the higher the probability that some of it will
be stolen.

It is therefore evident that technology start-ups need to be proactive
about privacy and data security from a very early stage.