What’s this all about and does it really matter?

By Kip

There are some very talented people starting a company’s solving very complex problems that can save organizations millions of dollars.

From providing security services, IoT, GIS solutions, auditing of systems, and SaaS platforms which provide elastic environments allowing companies to use a service that can surge when the demand is there and shrink when demand is low saving more money.

My recent research of startups early-stage companies, I found one key commonality that should NOT be there – a lack of forethought and planning of information security; in particular an INFOSEC program that would protect the environment, the startup ‘crown jewels’ so to speak, from current cybercrime and malware threats.

When I asked C level executives at many of these companies about this deficiency, the common answer I received is it was too expensive or there is no time to implement security.

Let’s take a step back and look at that statement a bit, what is at risk? The information is startup proprietary information, potential patent information, potential personally identifiable information and customer information.

On an average of the startups and established company that I have interactions there was very little or any commitment to information security within the products or services that were provided.

My key discovery was that there is a threshold of when the companies would start to think of security. The time was when a potential customer would require the necessary steps to require the security of their information that has been provided.

This is an afterthought – where, for example, has the information been stored, processed or shared. In the CISO arena, it boggles the mind to think most startups are not even thinking they will be victimized – hence many SME’s (small to medium-size enterprises) face their demise now, more from a cyber attack, than lack of early-stage revenues.

In fact, most SME’s cannot suffer a single breach without going out of business, due to the very high costs of remediation, regulatory compliance-related issues, fines, brand damage and loss of customer confidence.

If you look at US law and UK data protection of personal information there are a number of similarities as there are specific requirements to protect personal information.
Specifically, the US requires an “opt-out” while an “opt-in” for the UK for all marketing events.

Where is your information with services that you have provided some of your personal information?

This is not the responsibility of the customer but the responsibility of the companies that would use the services of a startup or a well-established organization.

How do we address security in a cost-effective method that would protect everyone?
Below is a list of an example of tools that can be used at either zero cost for the use of marginal cost as it relates to customer privacy. There is CIS who provide security hardening guides for free https://benchmarks.cisecurity.org/downloads/benchmarks/
AWS provides free AMI’s that are hardened to CIS standards https://aws.amazon.com/marketplace/pp/B00UVT5ZIW

AWS S3 encryption at rest https://aws.amazon.com/blogs/aws/new-amazon-s3-server-side-encryption/

Insecure.org provided a number of the best-rated security tools that are available
http://sectools.org/

WAF for AWS https://www.howtoforge.com/tutorial/install-nginx-with-mod_security-on-ubuntu-15-04/#-download-modsecurity-and-nginx

These are just examples of tools that can use to secure software and infrastructures and meet the technical controls. Does the question lead to why there a number of investors out there willing to invest in an organization that has not considered if the organization has included security?

In fact, some startups get acquired, just like the bigger player, Yahoo!, only for the acquirer to find out they’ve already been victimized in cybercrime – whether it be repeated ransomware attacks or a complete data breach of all the customer personally identifiable information (PII).

This either leads to shareholder lawsuits or an incredible reduction in the final acquisition cost payout.

Let’s consider the impact of not protecting information; legal proceedings can lead to closing the doors of an organization, further compensation to the injured parties or affecting the reputation of an organization.

What are some simple steps to include security into a new company to be cost-effective?
1. Understand the sensitivity of the information you are handling
2. Understand the legal liability in the event of a data slip
3. Treat the information you receive, as it was your won
4. Encrypt all data from the start unless you are processing the information which would require the information to be unencrypted
5. Keep the system up to date to close security vulnerabilities in Operating systems and software used to deliver the service.
6. Review all developed code for potential vulnerabilities
7. Always prepare for a disaster. Create a plan of action if a severe data breach takes place. Your reaction will make the difference in legal ramifications and corporate reputation.
8. Train personnel in the handling of sensitive information

Investors and those that are thinking of starting a company providing services, think about security upfront rather than an afterthought.

It is more expensive to not include security at the beginning of your product than after a request from a potential customer or a compromise.

When you start the adventure of a new business, think of the information you handle to be your own and how would it make you feel if your information was stolen.

About the Author
Kip has served as a CISO for the past 8 years and IT Executive leader for over 20 years. He uses extensive business and security expertise to advise CXO executives on strategies to deal with the quickly changing landscape that affecting IT infrastructures. His current focus is on International Privacy Laws, compliance to ISO, SSAE 16, HIPAA, in technology mobility, advanced malware, APT, and cloud security.
Kip brings over three decades of IT security leadership spanning the military and commercial experience. He previously served as a US Marine in Information Technology and a CISO at United Launch Alliance, GeoEye and ServiceSource. He has specialized in building Risk Programs, IT Departments and Security programs.
The times Kips is not behind a computer he is out in the hills of Colorado mountain bike riding.