When you create a startup company there are many things you need to consider. You’re focused on developing a product, marketing, sales, hiring people, and the list goes on and on. One thing that can easily get overlooked is securing your product and your business. This matters because startups are among the most attractive targets for hackers: they have more assets than an individual but much less security than larger, more established companies. 60% of small to medium-sized businesses that suffer a data breach are forced to close down within 6 months. Given how many things startup founders have to deal with, I created this list of simple things that you can do to protect your startup. If you implement just the things on this list, you will reduce your attack surface by at least 50%.
1. Change default passwords and enable 2FA
One of the simplest types of attacks is to guess a user’s password. This can be done manually, using pre-defined lists, or by using automated software. If you use any service that comes with a default username and password you want to change that immediately and create a stronger password. A strong password typically is 8-12 characters long, uses uppercase and lowercase letters, numbers and special characters. I recommend using the automated password generator that comes with many browsers and letting your browser remember the password for you. The passwords they create are very secure and extremely difficult to guess. Secondly, you want to enable 2-factor authentication for any service that you are using. This way if someone gets your username and password they will still be unable to access your account without having access to the one-time code they send to you.
2. Hide software name and versions where possible
If you have any internet-facing applications or websites, you want to hide as much information about the software, its version and its error codes as you can. If hackers know what products you’re using, the programming language and the version of your software, they can use that information to identify potential ways into your systems. So where possible, remove this information from your website and your web application, and be careful about what your error messages reveal to users.
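One way to check your own site for this kind of disclosure, as an added example that is not part of the original article: the function below reviews the headers and body of an HTTP response you have collected from your own application and flags product names, version strings and verbose error output. The header list, the error markers and the sample responses are constructed assumptions, not an exhaustive rule set.

```python
import re

# Response headers that commonly advertise the software stack (assumed list).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "x-generator")

# A product token followed by a version, e.g. "nginx/1.18.0" or "PHP/7.4.3".
VERSION_RE = re.compile(r"[A-Za-z][\w.+-]*[/ ]v?\d+(?:\.\d+)+")

# Strings that suggest an error page is leaking internals (assumed list).
ERROR_MARKERS = ("Traceback (most recent call last)", "Stack trace:",
                 "Fatal error:", "at java.", "SQLSTATE[")


def audit_response(headers, body=""):
    """Return a list of (severity, message) findings for one HTTP response."""
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in DISCLOSING_HEADERS:
        value = lowered.get(name)
        if value is None:
            continue
        if VERSION_RE.search(value) or name.endswith("version"):
            findings.append(("high", f"{name} reveals a version: {value}"))
        else:
            findings.append(("low", f"{name} reveals a product name: {value}"))
    for marker in ERROR_MARKERS:
        if marker in body:
            findings.append(("high", f"error page leaks internals: {marker!r}"))
    return findings


# Constructed sample responses (not captured from any real site).
VERBOSE = {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3",
           "Content-Type": "text/html"}
VERBOSE_BODY = "<b>Fatal error:</b> Uncaught PDOException: SQLSTATE[HY000]"
HARDENED = {"Content-Type": "text/html"}
HARDENED_BODY = "<h1>Something went wrong</h1><p>Reference: 7f3a</p>"

if __name__ == "__main__":
    for label, hdrs, body in (("verbose", VERBOSE, VERBOSE_BODY),
                              ("hardened", HARDENED, HARDENED_BODY)):
        print(label, audit_response(hdrs, body))
```

The hardened sample shows the goal: no stack-identifying headers, and an error page that gives the user a reference code instead of a stack trace.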
3. Keep software updated
Many times after software is released, security issues are found in it. To resolve this, the developers create a security patch and release it to all users. You must keep track of what software you use and apply these patches as soon as possible. Once a patch is released, it can act as a notification to hackers, letting them know that a particular version of the software is not secure, and they will begin to target companies that are running that insecure version. This applies to any type of software, from Visual Studio Code to the Google Chrome web browser and even Mac or Windows operating systems.
4. Learn to recognize phishing emails
Up to 50% of all data breaches begin with a phishing email. Hackers love this method because it’s often much easier to send a well-crafted phishing email than it is to find a technical flaw in the company. Any key people in your startup must be trained in general cybersecurity awareness and in how to identify phishing emails. This reduces the chance that someone will respond to the wrong email and cause a data breach for your startup.
5. Use the least privilege model for employees
Within a startup, you don’t have a large number of employees, so many employees will need access to help out in many different parts of the business. Some people call this “wearing many hats” because you need to do so many different things. You must take time to segregate the access that your employees have. You want to have what’s called a “least privilege model”. This simply means that employees only have the access they need to do their job and nothing more. Whenever you hire someone to work at your startup and you’re thinking of giving them access to something, make sure it’s necessary for what they need to do and make sure to remove that access once it’s no longer needed.
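A periodic access review is one way to put this into practice. The following is an added example, not part of the original article: it compares each access grant against what the person's role needs and flags temporary access whose end date has passed. The role names, resources, users and dates are all hypothetical.

```python
from datetime import date

# Hypothetical role definitions: the access each job actually needs.
ROLE_NEEDS = {
    "developer": {"source-repo", "staging-db"},
    "support": {"helpdesk", "crm-read"},
    "finance": {"billing", "payroll"},
}

# Constructed grant records: who, role, resource, and when the need ends.
GRANTS = [
    {"user": "ana", "role": "developer", "resource": "source-repo", "until": None},
    {"user": "ana", "role": "developer", "resource": "billing", "until": None},
    {"user": "ben", "role": "support", "resource": "helpdesk", "until": None},
    # Temporary access that was granted for a past project.
    {"user": "ben", "role": "support", "resource": "staging-db",
     "until": date(2024, 3, 1)},
    {"user": "cy", "role": "finance", "resource": "payroll", "until": None},
]


def review_access(grants, role_needs, today):
    """Return grants to revoke as (user, resource, reason) tuples."""
    to_revoke = []
    for g in grants:
        needed = role_needs.get(g["role"], set())
        if g["until"] is not None:
            # Temporary exception: valid only until its end date.
            if g["until"] < today:
                to_revoke.append(
                    (g["user"], g["resource"], "temporary access expired"))
        elif g["resource"] not in needed:
            # Standing access outside the role's needs breaks least privilege.
            to_revoke.append(
                (g["user"], g["resource"], "not required by role"))
    return to_revoke


if __name__ == "__main__":
    for user, resource, reason in review_access(GRANTS, ROLE_NEEDS,
                                                date(2024, 6, 1)):
        print(f"revoke {resource} from {user}: {reason}")
```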
6. Keep track of what type of information you collect
This is going to help when it comes to compliance and privacy. You need to understand what type of information you collect from your customers and employees. This includes names, birthdates, addresses, medical history and credit card numbers. Based on what you collect, you can determine what type of compliance regulations and privacy laws apply to you and your business. This is going to be important as your startup grows or if you ever suffer some type of data breach. The actions you are required to take whenever a data breach occurs are affected by the type of data that is collected from your customers.
7. Start a free bug bounty program
Bug bounty programs are a cost-effective way to have your company’s cybersecurity tested. You can create bug bounties for free or with low-cost rewards and have security researchers test your company’s web application, mobile app or website. You can start one today on platforms like Bugcrowd or HackerOne. You can find a full guide to bug bounty programs here.
8. Create data backups
Making regular data backups is a great way to protect yourself in case you get hacked. One of the most profitable types of cyberattacks is ransomware, where a hacker will get access to your company’s information, withhold that information from you and then charge you a ransom to get your information back. If you don’t do regular backups, this can completely ruin your business. Even if it’s not specifically a ransomware attack, someone may make a mistake and delete something, or an angry employee who has access to important data may delete it on purpose. It’s best to make regular backups of any important information you have and keep them separate from your original copy.
9. Legally protect your Intellectual Property
Intellectual Property is the lifeblood of most businesses. Whether it’s a software application, a trading algorithm or a food recipe, you need your intellectual property as part of your overall competitive advantage. Based on what your intellectual property is, you need to make sure you have the right type of legal protection both locally and internationally so that you don’t have to worry about someone stealing your idea or suing you. You can find a full guide to protecting your Intellectual Property here.