How Startups Can Employ the Right Security As They Grow
Tammy Slaughter wrote this article
It’s 2020, and data security is no longer just a priority amongst users; it’s an expectation.
But with the amount of social capital embedded in security and data privacy when it comes to marketing these days, it can leave one wondering, just how secure is anything really?
At the same time, it is easy for cash-strapped startups to treat security as a line item to minimize and let budget drive every decision about it.
That can prove to be a costly mistake later on, but it doesn't mean you have to break the bank to make security a priority as you scale up your startup's digital infrastructure.
Move Fast and Don’t Break Things
Startups today are considering data security in ways Facebook and Uber did not.
This shift is motivated at least in part by self-interest, as startups pursue investors, companies and users who are all asking tougher questions about data usage.
But in the Age of Data, startups and companies alike are also starting to catch on that it’s an inherent responsibility to keep user data safe.
That's a good thing, too, because startups holding high-value data are already a prime target for attackers, who assume, often correctly, that security is not a priority for a young company.
Make Data Security a Priority For Your App From Day One
Some of the most popular products today come with strong security by default, such as iPhones, security keys, even Windows 10.
As a startup, you have a strategic advantage over many large companies: legacy technology tends to be riddled with vulnerabilities, while a small, nimble organization can do things right from the start.
It's easier, more cost-effective, and more scalable to get it right the first time by investing in new technology built with current security standards in mind, rather than filling in the gaps years later.
Founders should think of security as an investment for the future.
A security incident down the road could cost you big in negative press, lost user trust, and possible fines.
The reality is, the sooner you start thinking about security for your startup, the less expensive it is in the end.
Look Beyond the Buzzwords When It Comes to Data Security
Blockchain is everyone's favorite buzzword right now, especially when it comes to data security. Many up-and-coming blockchain technologies' websites read like something out of the year 2050.
It may seem like the obvious investment to make in your startup’s digital tech infrastructure to ensure top-of-the-line security.
We are here to pop that metaphorical bubble.
As software, blockchain still has vulnerabilities like any other.
Its reputation as a security titan is partly due to its novelty and to marketing, but also to its ability to record transactions in near real time on a shared ledger that is very hard to alter or fake after the fact. Essentially, it creates a digital form of trust.
Blockchain achieves this with three defining characteristics:
1. Decentralization – Creating a Single Version of the Truth
Every user (or node) on the network holds the same copy of the ledger. When a transaction is submitted, the network validates it and miners (nodes rewarded for extending the chain) bundle it into a new block, which is then appended to the blockchain.
2. Cryptography – Chaining the Blocks Together
Every block is cryptographically hashed: a hash function takes an input of any size and produces a fixed-size digest that changes unpredictably if even one bit of the input changes. Each block includes the hash of the block before it, so altering an old transaction changes that block's hash and breaks every link after it. Note that hashing is not a disguise: on a public blockchain the transaction data itself is readable by every node, so a chain is no place for personal data.
3. Consensus – The Brain of Blockchain
Consensus is how the network agrees on which block comes next: nodes compete (or vote, depending on the protocol) to have their candidate block accepted, and the rest of the network confirms it.
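To make the hashing and chaining concrete, here is an added example in Python (not code from the original article or from any real blockchain) of a toy hash-linked chain. The block layout, the genesis predecessor of 64 zero characters, and the sample transactions are assumptions for illustration. It shows the property that earns blockchain its reputation, that rewriting a past block breaks every link after it, and also that the transaction data sits in the clear.

```python
import hashlib
import json

# Added example of a minimal hash-linked chain; not the article's code and not
# any real blockchain implementation. Each block commits to its predecessor's
# hash, so editing an old block invalidates every block that follows it.

GENESIS_PREV = "0" * 64  # assumed predecessor hash for the first block


def block_hash(block):
    """SHA-256 over a canonical JSON encoding, so key order cannot change the digest."""
    payload = json.dumps(block, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def build_chain(transactions):
    """Append each transaction as a new block linked to the previous one."""
    chain = []
    prev = GENESIS_PREV
    for index, tx in enumerate(transactions):
        body = {"index": index, "prev_hash": prev, "data": tx}
        block = dict(body, hash=block_hash(body))
        chain.append(block)
        prev = block["hash"]
    return chain


def validate_chain(chain):
    """Return (True, None) if every link holds, else (False, index_of_first_bad_block)."""
    prev = GENESIS_PREV
    for block in chain:
        body = {k: v for k, v in block.items() if k != "hash"}
        if block["prev_hash"] != prev or block_hash(body) != block["hash"]:
            return False, block["index"]
        prev = block["hash"]
    return True, None


def tamper_demo():
    """Build a chain, rewrite history two ways, and report where validation fails."""
    chain = build_chain([
        {"from": "alice", "to": "bob", "amount": 5},    # constructed sample data
        {"from": "bob", "to": "carol", "amount": 2},
        {"from": "carol", "to": "dave", "amount": 1},
    ])
    results = {}
    # 1. Edit a past transaction: block 1's stored hash no longer matches its body.
    chain[1]["data"]["amount"] = 200
    results["edited"] = validate_chain(chain)
    # 2. Recompute block 1's hash to "fix" it: block 2 still points at the old hash.
    body = {k: v for k, v in chain[1].items() if k != "hash"}
    chain[1]["hash"] = block_hash(body)
    results["edited_and_rehashed"] = validate_chain(chain)
    return results
```

A real network only resists this because the honest majority refuses the rewritten chain; a party controlling all the nodes can simply rehash every later block. Hashing also does nothing to hide the data: `chain[1]["data"]` remains readable by anyone holding a copy.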
This is incredible, and the applications for blockchain technology will only continue to grow from here; changing the way we buy houses, cars, and who knows what else — but it’s not the digital fortress many would lead us to believe.
Unless your app idea readily lends itself to being built on blockchain in terms of desired functionality, think twice about going this route in development for security reasons alone.
Blockchain is just one really shiny notch in the belt of digital technology now that the Fourth Industrial Revolution is in full swing; it’s better, but it’s not completely bulletproof.
Developers who are well-versed in blockchain also happen to come at a premium right now, so app development costs to build on the blockchain tend to run much higher than going the more ‘traditional’ route.
But blockchain is still evolving, becoming more secure (and popular) each day, even spawning a new type of hybrid blockchain app we’ll be seeing more of in 2020.
Going Beyond the Traditional Outside-In Security Model
One of the most cost-effective steps a startup can take in preventing a data breach is looking beyond the traditional approach of installing anti-virus tools.
Instead of coming from an outside-in approach, startups should adopt an information-centric approach when it comes to data security.
This requires monitoring where files are kept, how they are used and where they are being sent in order to prevent a future breach.
There is still value in shielding your network and using security software to keep the "bad guys" out, but those steps should be part of a larger, more holistic strategy that accounts for the sheer amount of information living outside the company's servers and accessed from so many devices.
Even in the early stages as a startup, you need to know exactly where sensitive data lives at rest and how that sensitive data is being used in motion, so you can detect any deviations that could signal malicious intent.
This may take a fair amount of monitoring to familiarize yourself with these metrics, including examining file locations, time of day, what devices are being used, IP addresses and URL reputation.
Early on, make sure core team members understand what those metrics look like for you on an average day, too.
You never know when that might save the day.
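As an added illustration (not the article's own code), here is a Python sketch of that baseline-then-detect approach over a constructed file-access log. The log format, the users, the IP addresses and devices, and the 07:00 to 19:59 working-hours window are all assumptions; a real deployment would feed this from the audit logs of your file store or SaaS tools and would add URL or IP reputation lookups.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logs, one event per line:
# "<ISO timestamp> <user> <source ip> <device> <path> <action>"
BASELINE_LOG = """\
2020-03-02T09:14:02 alice 203.0.113.10 laptop-a /files/roadmap.xlsx read
2020-03-02T10:02:45 alice 203.0.113.10 laptop-a /files/roadmap.xlsx read
2020-03-03T11:30:11 alice 203.0.113.10 laptop-a /files/customers.csv read
2020-03-03T15:45:00 bob 203.0.113.22 laptop-b /files/invoices.pdf read
2020-03-04T14:05:30 bob 203.0.113.22 laptop-b /files/invoices.pdf download
"""

NEW_EVENTS = """\
2020-03-05T10:12:00 alice 203.0.113.10 laptop-a /files/roadmap.xlsx read
2020-03-05T02:47:13 alice 198.51.100.7 unknown-x /files/customers.csv download
2020-03-05T16:20:00 bob 203.0.113.22 laptop-b /files/payroll.xlsx download
"""

WORK_HOURS = range(7, 20)  # assumption: 07:00-19:59 is a normal working day
PROFILE_FIELDS = ("ip", "device", "path", "action")


def parse(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, user, ip, device, path, action = line.split()
    return {"time": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "device": device, "path": path, "action": action}


def build_profile(log_text):
    """Per-user sets of the IPs, devices, files and actions seen in the baseline."""
    profile = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        ev = parse(line)
        for field in PROFILE_FIELDS:
            profile[ev["user"]][field].add(ev[field])
    return profile


def score(ev, profile):
    """Return the list of ways this event deviates from the user's baseline."""
    seen = profile.get(ev["user"])
    if seen is None:
        return ["unknown_user"]
    reasons = []
    if ev["time"].hour not in WORK_HOURS:
        reasons.append("off_hours")
    for field in PROFILE_FIELDS:
        if ev[field] not in seen[field]:
            reasons.append("new_" + field)
    return reasons


def detect(log_text, profile):
    """Run every new event against the profile and keep only the ones with deviations."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        reasons = score(ev, profile)
        if reasons:
            alerts.append({"user": ev["user"], "time": ev["time"].isoformat(),
                           "path": ev["path"], "reasons": reasons})
    return alerts
```

Run against the sample data, `detect(NEW_EVENTS, build_profile(BASELINE_LOG))` ignores alice's routine morning read, flags her 02:47 download of the customer list from a new IP and device with four reasons at once, and flags bob only for touching a file he had never opened before. The point is the profile: once you know what normal looks like per user, a handful of set lookups is enough to surface the events worth a human's attention.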
Actionable Items to Boost Your App’s Security Today
Early-stage companies can certainly balance the risk and reward of security, even as needs change based on headcount and company data usage.
Setting up shop on AWS (a best practice at Chop Dawg for the average app's day-one launch, by the way) takes a few hours of work and is generally a more secure starting point than running your own servers early on.
For most startups, the time to bring on a full-time security professional is between 30-100 employees.
Use Social Logins
Plugging in a simple API to enable social logins for your app could not only save you in development costs, but also maintenance down the road.
Login credential and password reset requests make up between 20-50% of all customer support volume for online businesses, according to Janrain, and each password-related support request costs companies on average about $70!
Social login APIs also let you leave password storage and account recovery to the identity providers and focus on your core business instead. Still validate the provider's token on your server, and treat any email address the provider has not marked as verified as unverified.
Many users are over the moon for social logins, too, because they don’t have to go through the inconvenience of filling out a new registration form when trying to sign into your app for the first time.
Take Steps to Ensure User Verification
User verification is one of the most reliable and effective ways to apply vital account security measures to your app’s users.
Here are some steps to take to verify your users:
– Via email or text message, send them a link to click and confirm the account. Don't grant access to your application until the account is verified, and make the link single-use and time-limited.
– For all eCommerce transactions, perform a payment method verification prior to approving an account.
– For higher-assurance scenarios, use fingerprint (biometric) recognition or even driver's license verification.
– The aforementioned social login tool is a convenient and relatively secure method of user verification, provided the provider reports the email address as verified.
– Use two-factor authentication always.
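The first and last items above, a time-limited verification link and a second factor, are small enough to implement without a framework. The following is an added Python example, not the article's code, with a hypothetical SERVER_SECRET and a 24-hour link lifetime; the one-time-code half implements the HOTP and TOTP algorithms from RFC 4226 and RFC 6238, which is what authenticator apps compute.

```python
import base64
import hashlib
import hmac
import struct
import time

SERVER_SECRET = b"rotate-me-in-production"  # assumption: loaded from a secret store
TOKEN_TTL = 24 * 3600                       # assumption: verification links live one day


def make_verification_token(user_id, now=None):
    """Return '<base64url(user:expiry)>.<hmac>' so the link cannot be forged or reused forever."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    msg = f"{user_id}:{expires}".encode()
    sig = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(msg).decode() + "." + sig


def check_verification_token(token, now=None):
    """Return the user_id the token was issued for, or None if it is forged or expired."""
    try:
        b64, sig = token.rsplit(".", 1)
        msg = base64.urlsafe_b64decode(b64.encode())
        user_id, expires = msg.decode().rsplit(":", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time compare, check first
        return None
    if int(time.time() if now is None else now) >= int(expires):
        return None
    return user_id


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now, step=30):
    """RFC 6238 TOTP: HOTP over the number of 30-second steps since the Unix epoch."""
    return hotp(secret, int(now) // step)


def verify_totp(secret, code, now, window=1):
    """Accept the current step plus/minus `window` steps to tolerate clock drift."""
    current = int(now) // 30
    return any(hmac.compare_digest(hotp(secret, current + d), code)
               for d in range(-window, window + 1))
```

Two details matter more than they look. The signature is checked before the expiry is even parsed, so a tampered token never reaches the integer conversion, and both comparisons use hmac.compare_digest so that response timing does not leak how much of a guess was right. A single-use link still needs server-side state (mark the token spent when it is clicked); the signature alone only proves origin and freshness.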
Limit the Collection of User Data
Any startup also benefits from minimizing the amount of protected information in their possession.
Startups should not collect protected information from customers and even employees unless they truly need it for their operations.
If you are accepting payments through your app, use a gateway to store all the payment-related data. Avoid storing any payment-related data on your server directly.
More Steps To Safeguard Your Digital Infrastructure
– Back up frequently and systematically. This is useful for business continuity, too, in case of denial-of-service attacks and ransomware.
– Enable application logging, and monitor the logs regularly for suspicious activity.
– Create network boundaries by isolating your infrastructure assets.
– Update all your dependencies with the latest security patches. This is an easy fix, and GitHub can help you stay on top of it.
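The GitHub feature that does this is Dependabot, which opens pull requests when a dependency has a newer or patched version. As an added example (not from the article), this is the configuration file it reads from .github/dependabot.yml, assuming a repository with a Python backend, a Node.js frontend in the same directory, and GitHub Actions workflows; adjust the ecosystems and directories to match your project.

```yaml
# .github/dependabot.yml (added example; ecosystems and paths are assumptions)
version: 2
updates:
  - package-ecosystem: "pip"            # Python requirements / pyproject
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "npm"            # package.json / package-lock.json
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "github-actions" # pin and update the actions your CI uses
    directory: "/"
    schedule:
      interval: "weekly"
```

Weekly version updates keep the upgrade diffs small; security updates for known-vulnerable versions are raised as soon as the advisory lands, independent of the schedule, once Dependabot security updates are enabled in the repository's settings. Merge them through the same review and test pipeline as any other change.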
Get Your Team On Board Early On
Make your company security standards and procedures straightforward and intuitive, and be sure to establish them early on.
Team training should include the basics of strong passwords (yes, seriously), like using separate login information for work accounts and personal ones, and identifying suspicious emails, links and attachments.
We’re in an age where the line between personal and business devices is blurred, and with the mobile workforce on the rise, it’s difficult to keep track of where business-critical data ends up.
This year, the number of unmanaged IoT devices will likely surpass the number of managed devices within the average organization. In the absence of formal policies or endpoint controls, it can be difficult to understand (and subsequently control) how they communicate within the network.
With awareness programs and training to promote a security-first mindset amongst team members, including preventive measures against device exposure and file-sharing, you can at least limit the human element in security risks at-large.
You also want to remove any hurdles to a team member reporting a possible security breach, helping them to hone their early “detection” skills so your team can react in time to limit the impact of a potential breach.
Essentially, make cyber-security part of your company’s standard of excellence.
Cybersecurity is a form of craftsmanship in today's market. Failing to follow cybersecurity procedures says that we do not care about our work and its quality. The easiest way to win employee buy-in, therefore, is to frame security as part of a high standard of quality, excellence and craft.
Have An Exit Strategy In Place for Former Employees
It’s not pleasant to think about, but you need to have a plan for limiting risk of exposure in the event of an untimely employee exit.
As a general company policy, establish clear guidelines and roles for immediately revoking a departing employee's access to important assets and source code: user accounts, SSH and API keys, repository and cloud console access, and any shared credentials they knew, which should be rotated rather than merely revoked.
It goes without saying that a disgruntled former employee with an active account can do serious damage.
Users are starting to take notice of the fine print in the data privacy policies of many of our most beloved apps and software.
Having a dedicated area on your startup’s site detailing your security protocols isn’t a bad idea, either.
Because no matter what, transparency in the age of regular data breaches is paramount.
Security For Your App Isn’t About Reducing Risk To Zero
In a founder’s epic quest for team members, product-market fit and profitability, it’s easy to see how security might fall a bit lower on the priority list.
But once you’ve done your due diligence and built safeguards into your product and procedures along the way, remember that security for your app isn’t about reducing risk to zero.
Instead, it’s about continuously rebalancing risk as standards shift and what was once cutting-edge becomes obsolete.
Some risk always remains.
About ChopDawg.com: Since 2009, we have helped create 300+ next-generation apps for startups, Fortune 500s, growing businesses, and non-profits from around the globe. Think Partner, Not Agency.