Cyber Security in the age of Startups

It is May 24th 2021, we have just seen an oil pipeline shutdown delivery of fuel on the east coast of the US. The entire IT infrastructure of Ireland's health department has been put offline due to ransomware while it’s still dealing with COVID-19 vaccinations.

Every month there is a new “massive” breach being reported, to the point that it’s no longer a newsworthy event. Almost every resident in the US has had their personal information stolen many from institutions that they have never engaged with, due to data harvesting and a lack of data protection laws.

The current estimate from Cyber Ventures publisher of CyberCrimes is that in 2021 the total cost of damage due to Cyber Crimes will hit about $6 Trillion p/a, there is a significant chance that this is an underestimate due to the nature of information that has been hacked, and how it’s being used.

Without a doubt all companies must take security into account going forward, but as a startup the question is how? Most of the time you’ll spend researching how and will turn up security controls, certifications and accreditations that seem out of reach for what your company is today, this often deters CEO’s, CTO’s, Technology owners from implementing a security practice. The problem is you can’t afford not to.

What I’m going to present to you, isn’t a comprehensive implementation — none exist — , this is but a first step to get you on the road and let you sleep at night. BTW this is very opinionated #NoApologies

Define your footprint

First things first, a lot of security is about understanding and capturing what your vulnerabilities are, and then being able to tackle them one at a time. Imagine trying to secure a building, but not knowing where all the doors and windows are 😕

Create the following 2 lists, keep it simple.

Physical assets (definition: you or anybody else can touch them):

• Laptops / Desktops / Kiosks
• Cell Phones
• Security Cameras
• Desktop Phones
• Smart TVs (yes, important to know)
• Comms room
• Routers / WiFi modules
• Printers/ copiers / fax machines

Virtual assets (this is where it gets harder, things that exist somewhere else):

• Domain name accounts (GoDaddy etc..)
• Websites (public site, youtube, twitter, linkedin, crunchbase etc…)
• Email services (corporate email, marketing email, support ….)
• Shared Drives (One Drive, Google Drive, DropBox, the magic Z drive…)
• Online banking (also sites that store your cards)
• Your online store
• CRM / ERP
• Marketing assets (print services [mugs / cards / t-shirts…], online ad buys)
• Software repositories / CI providers
• Hosting provider
• ISP
• Budgeting software / HR Software / Payroll / Benefits Provider

Yes you can make more lists, or add to the above, but start here ☝️

You now know where your windows and doors are, and you can create a plan.

Create a Plan

You will constantly hear, the biggest cyber security risk is people, no it’s not.

The biggest risk is often people being in situations they are not aware of, ready to handle or the technology isn’t there to safeguard them.

A personal belief of mine, if your security plan does not make life easier for people, they will not use it. Having to use a stick is a gap in any security process.

So here’s what you need to do (These steps require that you budget about $200 per person p/a assuming they have hardware / software assets that require protection.)

Physical assets

Get virus protection on all your laptops, desktops

Just get it done, no research just get McAfee for ~$40–60 for 2yrs per machine.

Get backup software NOW

You’ve seen ransomware take institutions offline, and force companies to pay them. Just backup your hardware, many places don’t and it will cost you 1000 to 20,0000 X to recover, if you’re a small company, iDrive is the way to go, BackBlaze for a slightly larger company.

Ransomware works by taking all the files on a computer, and any connected drive and encrypting it, and then offering a key to decrypt those files if you pay a ransom. The ransom is going to be large, and even after paying it the files may be non-recoverable or infected, the problem will still exist somewhere on your system and could occur again at a moments notice. Always have the ability to recover.

But this won’t affect us, we’re too small — these attacks can both be directed and indiscriminate, from state sponsored / trained actors to script kiddies, the reach has become catastrophic.

Virtual Assets

Get a password manager

This one is a killer, especially for small companies. How many people keep a list of passwords on a post-it, excel file, or a word doc? How many shared accounts do you have for updating your websites or linkedin profiles or “<insert other important part of your business function here>”.

It happens all the time, saving money on licensing fees, limits on accounts or shared features. Now think of all the emails with usernames and passwords that have been floating about. You probably don’t know who has access to what anymore, and when was the last time that a password was checked for complexity or that account has been hacked somewhere else?

People hate complex passwords, because they are difficult to remember and type in, so take all of that away and get a password manager.

You’re options are 1Password, DashLane, LastPass; told you this was opinionated. I have seen so many plans fail due to making “the right decision”. The only right decision is “now”.

Issue all new password accounts through this to your staff, ensure they store all their passwords in the manager and use the browser plugins, and mobile apps for logging in. And ask them please to use the password manager to generate new passwords and store them.

This one step is 3rd on the list, but should be your first step, it can cut down your corporate risk by over 80% .

Complete these and you have protected a significant portion of your company in 3 steps.

You can now take a powernap, it’s not a full nights sleep there is plenty more to do.

Recap

Define your Footprint
Create a plan
* Virus Protection
* Backups
* Password Manager

Part II — Securing Corporate Email and OneDrive (MSFT focused)

Part III — Securing Software Infrastructure

Part IV — Securing and Empowering People