Security 101: Know your threats
Engineers often know they have to take security seriously and improve the state their product is in. Non technical management is often worried about security, they know all the horror stories of data leaks and abuse and that this is not always well received by customers. What companies as a whole often do not know is what threats they actually face. Knowing what you try to do is usually a pretty good start.
Let us start our security series with figuring out what threats we should think about in various stages of the startup.
What we will be discussing can be considered threat modeling. Just keep in mind that this will not discuss your full and your specific threat model. We will also not discuss the infamous „nation state attacker“. First of all you will likely not be able to defend against a nation state attack in any way, secondly you would need dedicated professionals to make it a bit harder and thirdly it is likely never a nation state attacker, which is often just a very convenient excuse for “we messed up but want to make it sound like we could do nothing”.
The kid next door
The kid next door is actually a more relevant threat. They usually show up, together with some more serious “bug bounty hunters” or “security researchers” whenever your startup appears on some news portal. They often run an automated or semi automated set of tools like Metasploit, Burp Suite and depending on your marketing page wpscan. The more experienced ones also might play around with your mobile applications or take a look at the source code of your web application to see where assets are hosted and if there is other data they can access by modifying the URL (why you want access controls and no sequential IDs is a topic for another post).
If they find something they consider a vulnerability they likely send you an email asking for the existence of a bug bounty program and if you are willing to pay a few dollars if they disclose their finding. This is not necessarily bad by any means, it gives you an idea of potential attack vectors malicious third parties could actually use against your system.
Running some of those tools yourself is something you can learn. Having the experience to understand the scan results is a bit harder but also doable. But you have to be aware that this is basically a specialization within the whole field of information security, so doing it on the side will always put you at a disadvantage. If you feel like you cannot spend the time on this you should be able to hire an affordable consultant on an ongoing basis who is doing it for you and presents an actionable report.
Engineers should appear on ever single list talking about threats. Companies usually trust their engineering department. In the end they are building the software, running the servers and taking care of the data - they surely know what they are doing, right?
In reality they are still humans, do not know every single thing in existence and make mistakes. Sometimes convenience is favored in the decision making process over best practices, other times people simply lack the full understanding of the consequences of certain actions.
Some classics I have seen is the lack of disc encryption while they carry a dump of the production database on their laptop, insufficient access controls and audit controls around production data, misconfiguration of production services and many more things that „should never happen“, but still do.
Engineering is also likely the easiest team to get in line with new security protocols and implementations. There is often the most understanding of the importance of security and more often than you would expect only some small fine tuning of processes and practices is required to get the team to the point you want them to be at.
Your team, all of your employees, leaders, contractors,..., are basically one big security risk. Again, not the bad one doing things out of bad intent or because they think they should not care, but most likely due to a lack of knowledge or usable solutions for their problems.
Thankfully, same as engineering, people usually understand the importance of security, latest after explaining it to them. Which is the key point, you have to explain to them what to do and more importantly what not to do. Without being arrogant. Or sarcastic. Or believing they are stupid. You know, things you see happening every single day when tech-savvy people with an ego explain something.
You also need to work on tooling. „You cannot share data via DropBox or upload it to Mega“ might be correct - but how are they supposed to share data? The alternative cannot include the words „download gpg“ and „create a key and send it to the key server“. Tools need to be intuitive, easy to use and preferably also look nice.
There will also be people who are upset and actually try to hurt your company in one way or another. Maybe someone gets laid off and is angry - how fast can you lock all their accounts and make sure they do not have access to any company data anymore?
Competitors are often very interested in what you are doing, the health of your company and your data. While this is not something that usually happens in the very early stages of a startup, the more funding and traction you gain, the more people will have an interest in those things. Being able to target your customers directly, having an understanding of your finances and investors or simply copying internal parts of your code that differentiate your product are a huge competitive advantage.
Luckily most things we will discuss that prevent accidental data loss also guard against the cheap ways to get to your data - what is left to cover are the more expensive attacks. The moment someone is willing to spend money on getting your data one of the key elements is physical security. How easy is it to get into your network? Are your printers secure? Can people just walk into your office and out with some equipment? Believe me when I say that getting a call starting with „someone walked into the office, put five laptops in a trash bag and walked out“ is not as fun as it sounds years later - thankfully no data was lost this day.
The four horseman of data breaches are a very high level overview of threats you might be facing. Some of them more likely than others, some of them harder to guard against. I hope a bit more understanding of those different kinds of threats will help with the understanding of why some things that seem totally irrelevant are actually necessary and cannot be ignored, no matter in which stage your startup is.