In a recent post, I showed that cyber threats were more frequent than ever, and talked about essential best practices to protect your business. Today, let’s go further.
This edition, "Cybersecurity 101" will take you to the next level with real-world lessons, actionable tools, and strategies.
Lessons Learned from real-world attacks
Cyber attacks do not only happen to others. It's a real and present risk.
Just ask CodeSpaces, a promising code hosting and project management startup, that permanently closed after a cyberattack in 2014. The attacker used a DDOS attack and gained unauthorized access to their Amazon cloud infrastructure network and erased their servers, backups, and data.
But they're not alone. A recent study showed that 66% of small and medium businesses suffered a cyberattack in 2022, which cost an average of $170,000 per incident.
And it's not just the financial cost. The reputational damage can be irreparable.
So what can be done?
Regular vulnerability scanning and robust access controls are the first technical steps to take.
One error can be fatal. As Chris Vickery, Director of Cyber Risk Research at UpGuard, says, "A data breach can happen to any organization, no matter how big or small. It's not a matter of if, but when".
I’ve helped startups choose their tech stack and hire the best team for more than 15 years. If you have any questions or doubts, I offer a free 30-minute consultation to help you make the right decisions.
You Need a Cyber-Secure Culture
Employees are your first line of defense. But what makes security training actually effective?
Aim for interactive and engaging sessions, based on real-world scenarios. That can be serious games, such as identifying phishing emails, creating strong passwords, and handling sensitive data.
The SANS Institute, for instance, offers great resources and courses.
Kevin Mitnick, the famous hacker turned security consultant, recommends using live demos and hands-on exercises to make the training stick.
Repeat the training regularly. Studies show that regular micro-learning sessions can boost knowledge retention by 20%.
Gamification techniques, like quizzes and leaderboards, are great for keeping employees engaged. It’s more and more frequent and, by 2025, 50% of large organizations could use gamification in their security awareness training.
Security must be a core part of your culture from day one. Your C-levels and board must advocate for cybersecurity.
Onboarding processes should set it clear: you care about data. So share good practices and implement rules about password strength and expiration, or data encryption.
Use the principle of least privilege: employees must only access the data and systems they need to do their job. Create clear guidelines around acceptable use, BYOD, and incident reporting.
Also, don't forget about offboarding. That’s even more important than onboarding. Immediately revoke access to resources and accounts, and collect devices when employees leave.
Secure Your SaaS Tools
SaaS tools are often the backbone of modern startups. They don’t require maintenance and have cost-effective plans, allowing to setup operations on a budget and see how things go.
But each new app is a potential entry point for attackers. According to a report, companies used an average of 130 SaaS apps in 2022 (compared to 80 in 2020).
Since SAAS tools often only need an email registration, many of them are added without approval from IT services, creating serious security gaps.
Before adopting any tool, study the vendor’s security practices. You can use my checklist, based on the Cloud Security Alliance framework.
Some key questions to ask are:
Do they encrypt data at rest and in transit?
How often do they back up data and where are the backups stored?
What compliance certifications do they have (SOC 2, ISO 27001, etc.)?
Have they undergone third-party penetration testing?
What is their process for vulnerability disclosure and patching?
Once validated, harden your instance by configuring strong authentication (2FA everywhere!). Limit user permissions, and regularly review access logs.
Tools like G2 Track can help manage your SaaS stack Using a cloud access security broker (CASB) can also help you enforce security policies across all your cloud apps.
If you have sensitive data, end-to-end encryption add-ons like Virtru or client-side encryption are your allies.
Your Security on Auto-Pilot
In the fight against cyber threats, you can expand your arsenal:
Patch management: Unpatched software vulnerabilities are responsible for 60% of data breaches. Tools like Automox and ManageEngine keep you covered.
Set up automatic patching for all your systems and devices, and regularly check that patches were applied successfully.Endpoint detection and response (EDR): The endpoint security market is booming and is expected to reach USD 28.80 billion by 2029. Crowdstrike, despite the recent affairs, is one of the leaders in the fields.
These AI tools continuously monitor your endpoints for suspicious activity and can automatically quarantine threats.Attack surface management: You can only protect what you can see. Attack surface management tools (Randori, for instance) help you monitor your digital assets while finding and fixing your vulnerabilities.
Faster Response, Less Damage
Breaches will likely happen. IBM found that the average time to identify (and fix) a data breach in 2022 was 277 days.
But the longer it takes you to respond, the more damage will be done.
For an effective incident response plan, you should follow the NIST framework:
1. Preparation: gather your incident response team. Define everyone’s roles and responsibilities, and ensure each member is trained on the plan. Work on communication templates, for different scenarios.
2. Detection and Analysis: Set up monitoring systems to alert you of breaches and attacks. If an incident happens, quickly assess and classify the severity. Warn your response team.
3. Containment: Isolate affected systems to prevent spread. Gather and securely keep evidence for forensic analysis.
4. Eradication and Recovery: Once contained, remove the threat and restore systems to normal operation. Don’t forget to test carefully, to ensure the threat is gone.
5. Post-Incident Activity: Conduct an extensive review to find the root cause. Capitalize on experience and lessons learned, and update your plan and controls accordingly.
How you communicate during and after an incident is just as important as your technical response.
Be transparent and have a clear communication plan that covers employees, customers, partners, and regulators.
Emerging Threats and Solutions
Threats are evolving fast. Even more with AI around. Attackers can use machine learning to automate reconnaissance, create advanced phishing emails, and find new vulnerabilities.
To fight AI, we’ll probably need AI. AI-powered security tools can detect anomalies and adapt to new threats, and will be crucial allies to businesses of all sizes.
Startups need to adopt a zero-trust architecture, where every user, device, and application is considered untrusted (until proven otherwise).
Multi-factor authentication, device health checks, and risk-based access policies must become and habit to secure your (local and remote) workforce.
Confidential computing will become the basic way of protecting data in use. By using hardware-based trusted execution environments (TEEs), you can process sensitive data in an isolated, encrypted space,
Remember, cybersecurity is a marathon. Attackers are smart and imaginative. So you must set up your defenses, even before your startup grows and evolves.
Stay vigilant, stay curious, and stay one step ahead of the bad guys.
I’ve helped startups choose their tech stack and hire the best team for more than 15 years. If you have any questions or doubts, I offer a free 30-minute consultation to help you make the right decisions.
FELICES
Thank you for this comprehensive and educational post about security measures for startups. All you points deeply resonated with me. You articulated them well.