The great thing about the internet age is that it lowers the barriers to entry; it has never been easier to start up a new enterprise and drive it to success. Unfortunately, that same “ease of entry” applies to cyber criminals—and this puts your new business at risk.
Often, startups are highly resource-constrained and need to pay close attention to how funds are allocated to get to profitability. While a full information security program (handling all security best practices) is an important step in maturing your company or product, it is not the first step you should take.
Most startups can’t afford to just spend money on “all the things” for security—it is a bottomless pit of expense. The security expense needs to be scaled to the size of your business, and the amount of risk you have. So, how much and what kind of information security does a startup need?
To take on established players using only venture capital or sweat equity and grit, a startup must be ruthlessly efficient, spending only on that which will bring the business to profitability sooner. So, a startup must strategically focus only on what is essential for that specific business and work toward taking on the remaining security best practices as the company grows and matures.
How vulnerable are you?
At one extreme, a kid’s lemonade stand is all-cash and has no network connectivity, and so is not vulnerable to cyber threats at all. At the other end of the spectrum are internet startups, which are very vulnerable; their only products are the digital content that they provide to their users, and they store their customers’ information online.
Most businesses will be somewhere in the middle, with important cloud-based accounting and purchasing software for managing physical supplies for the stuff they make or sell.
Your startup probably uses online banking. Consider a small retail store, which might earn $10,000 a month, turning over $200,000 in goods. Small businesses such as this one that run on a 5 percent margin can have running balances and lines of credit that are far larger than annual revenue.
However, hackers don’t care that your business runs on a 5 percent margin and most of that money in your accounts is ultimately owed to your suppliers. If they can gain access to your accounts, they would be very happy to steal all of your float, leaving your business not just broke, but devastatingly in debt. So even if you are not specifically an internet business, you are exposed to internet threats.
How do they get you?
For non-internet companies, the cyber attackers seek to take control of your workstations (PCs, Macs, tablets, phones), your online accounts, or both, because one leads to the other.
Once they have control of the virtual “you,” then they can do anything you can do, including transferring funds or ordering goods that they can have shipped to an arbitrary address at your expense.
They can also access any files that “you” have access to, allowing them to encrypt and ransom your data, as seen in WannaCry and the attacks that followed it. So, security for small and startup businesses is mostly about preventing the attackers from getting control of your user accounts to either steal your money or ransom your company data.
How can you protect your business from cyber threats?
Here, we present our view of the top 6 threats to small, nascent businesses with limited resources, and what to do to defend yourself against those threats.
1. Don’t get phished!
“Phishing” is any kind of socially engineered attack (con job) to get users to share their passwords. A classic phishing method is to send users an email claiming to be from IT, their bank, Facebook, or some other site that the target likely uses.
Phishing emails usually contain a web link and an urgent instruction to click now or else something really dire will happen. When they click the link, they are presented with a fake version of that site’s login page and coaxed to enter their username and password, and so end up giving their passwords to the attacker.
You can help your users to resist phishing attacks with training, but the sad truth is that no matter how hard you train your team, someone is likely to not quite get the memo, and get phished. “Bah! Fire that loser” you might think. Think again, because often the CEO is the one being phished.
Spearphishing is the variant where the attacker spends the time to send a very convincing phish mail to a company executive, crafted to look like the kind of legitimate business the executive might be currently engaged in. Intensive training versus increasingly sophisticated spearphishing is an arms race that you are unlikely to win.
Solution: Require multi-factor authentication (MFA)
MFA is a defense where if a server sees a login from a new device, it demands additional authentication, such as proof of possession of that user’s cell phone by sending the user’s cell a secret code in a text. MFA blocks phishing quite effectively because it makes phishing the user’s normal password insufficient to take over the user’s account.
MFA used to be exotic but is now supported as an option in most modern software, including Google Docs, Microsoft Office 365, and Slack. Phishing is pervasive and easy for attackers, and trying to train your way out of the phishing threat notoriously fails to work, so requiring MFA throughout your organization is much more effective.
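To make the mechanism concrete, here is an added example (not code from the original post) of a toy login service that enforces the rule described above: a correct password from an already-trusted device is enough, but a login from an unrecognised device must also present a one-time code. The page describes codes sent by text message; this example uses an RFC 6238 TOTP code (what an authenticator app shows) because it can be computed offline, and the user name, password and secret are constructed demo values.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


class AuthServer:
    """Toy login service: password plus a second factor on unrecognised devices."""

    def __init__(self):
        self.users = {}          # username -> (salt, password hash, TOTP secret)
        self.known_devices = {}  # username -> set of device ids that passed MFA

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
        """RFC 6238 TOTP (HMAC-SHA1, 30 s steps): the code an authenticator app shows."""
        counter = struct.pack(">Q", now // step)
        mac = hmac.new(secret, counter, hashlib.sha1).digest()
        offset = mac[-1] & 0x0F
        code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        return f"{code % 10 ** digits:0{digits}d}"

    def register(self, user: str, password: str, totp_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, self._hash(salt, password), totp_secret)
        self.known_devices[user] = set()

    def login(self, user: str, password: str, device_id: str,
              code: Optional[str] = None, now: Optional[int] = None) -> str:
        """Return 'ok', 'denied' or 'mfa_required'."""
        rec = self.users.get(user)
        if rec is None:
            return "denied"
        salt, pw_hash, secret = rec
        if not hmac.compare_digest(pw_hash, self._hash(salt, password)):
            return "denied"                      # wrong password
        if device_id in self.known_devices[user]:
            return "ok"                          # device already trusted
        # New device: a phished password alone gets the attacker no further.
        if code is None:
            return "mfa_required"
        now = int(time.time()) if now is None else now
        # Accept the previous, current and next step to tolerate clock skew.
        valid = [self.totp(secret, now + d * 30) for d in (-1, 0, 1)]
        if not any(hmac.compare_digest(code, v) for v in valid):
            return "denied"                      # wrong or stale code
        self.known_devices[user].add(device_id)  # remember this device
        return "ok"
```

One-time codes sent by text or shown by an app can still be relayed by a phishing page that proxies the login in real time, so for executives a phishing-resistant factor such as a FIDO2 security key, which is bound to the real site's origin, is the stronger choice.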
2. Prevent malware
Malware (malicious software) refers to programs that you download from the web and run.
Why would you do that? Because it looked like a good idea at the time; the attacker used social engineering (similar to phishing) to persuade the user to download and run the malware. For instance, lots of sites offer “free downloads” of the Firefox and Chrome web browsers, but many of them contain malware bundled along with the browser.
Of course, your users should be trained to only download Firefox from mozilla.org and Chrome from google.com, but that only covers those two cases, and there are lots of ways to coax a user into downloading and executing code. Once the user runs the malware, it can do anything that user is permitted to do, and so lots of damage is done.
There are several defenses that mitigate the threat of malware:
Solution: Install antivirus
Malware is one of the oldest threats; it has been around since the early 1980s, and so anti-virus (AV) is one of the oldest security mitigations. AV’s basic job is to detect malware just as you are about to run it and block execution if the program seems to be malicious.
All businesses should run some form of AV on all client workstations as a basic precaution. Some specifics with respect to which platform you are using:
- Windows PCs should always be running AV. Windows 7 PCs often come with a demo copy of AV installed, but you have to pay the AV subscription fee or it deactivates after a short period of time, so be sure to pay it, or select and purchase a different AV solution. Windows 10 makes this easier, because it comes with Windows Defender enabled by default, and so if you are using Windows 10, you don’t actually need to do anything to get AV protection. However, AV is a competitive business, and so you may wish to consider other AV solutions as well. Microsoft Defender will step out of the way and let other AV products defend you, but if those products lapse (because you did not pay for a new subscription) then Defender will re-enable itself.
- There is a myth that Macs don’t need AV—but they absolutely do. They are just as vulnerable to malware, and for the same architectural reasons. Macs used to be “safe” because they were unpopular, but now that Macs are widely used, they are ripe for attack. Buy and use AV, even if you are on a Mac.
- App-only platforms are different; they do not actually need AV. Using app-only platforms is our third solution below.
Which AV solution is best is a subject of heated controversy. Much more important than which one you use is that you use one. Windows 10 keeps you always defended by some AV; older platforms like Windows 7 allow you to run without AV, which is not recommended. Either use Windows 10, or be sure to select an AV product, and keep the subscription paid up.
Solution: Use modern web browsers
Google Chrome, Mozilla Firefox, and Microsoft Edge all now include a download defense that checks for malware. If you use one of these browsers to download a .exe file, the browser checks the download, and blocks it if the file is malicious. In addition, Windows 10 will also check newly downloaded .exe files against the same list that Edge uses, and block execution of malware downloads.
Solution: Start with app-only platforms
Platforms that support only apps from an app store (iOS, Android, ChromeOS, Windows 10 S, and Windows Device Guard) are vastly more secure against malware. They effectively force you to only download from verified app stores, thus blocking social engineering attacks that try to get users to download from a malware site. Where AV lets everything run except for a list of known-bad-stuff, app-only platforms block everything except for stuff that comes from that platform’s app store. Thus app-only platforms are a form of super-duper AV.
Moreover, these app-only platforms run apps inside a sandbox, which inhibits the app from accessing the user’s files or other critical resources without user permission. Suppose you were to install a casual game, say “cranky hamsters,” without a sandbox; that “game” could be disguised malware, and take total control of your PC, your accounts, and your data. With a sandbox, the game can only access its own files, and at most, prompt the user for access to critical resources like your Documents folder and your bank accounts. Thus the sandbox makes it mostly useless to the attacker to distribute malware to an app-only platform, reducing both the risk of harm and the degree of potential harm.
App-only platforms are an especially high priority for business executives, accounting, and administrative staff, who have access to relatively large amounts of money and critical resources such as HR files. Conversely, app-only platforms are limited in what they can do, by design, and so are not suitable for software developers. App-only platforms are the most secure, and so security-aware executives should want to use them personally.
3. Survive ransomware
Ransomware is just an instance of malware—specifically, malware with the goal of encrypting and ransoming your data files.
Ransomware has been much in the news lately, because of a large spate of attacks such as WannaCry that have had a devastating impact. As such, all of the malware defenses above are effective at preventing ransomware, but there are also additional steps to mitigate ransomware that are worth considering, because of the very high impact ransomware can have.
Solution: Keep offline backups
Cloud drives like OneDrive and Google Docs do a great job of keeping your data safe from natural disasters, like fires, earthquakes, and coffee cups encountering hard drives.
However, because these cloud drives are online, if your PC or user account is hacked, then the attacker has just as much access to your cloud drives as you do, and they are able to encrypt your cloud drives just as readily as your local drives.
Enterprise cloud providers, e.g. Microsoft OneDrive for Business, do keep versions for you, but only a fixed number of versions. Hackers know this, and can just overwrite your files enough times to exhaust your versioning, and now all of your versions are encrypted and ransomed.
The solution to this is to keep offline backups, i.e. put your data backups some place that even you don’t have write-access to. There are several ways to achieve this, such as:
- Back up to a removable hard drive, unplug it, and put it on the shelf. Repeat daily, or weekly, whatever your tolerance for data loss is.
- Be sure to periodically check that your backed-up data is not itself encrypted, by randomly selecting and opening a few of your files.
- For protection against that fire and earthquake stuff, use multiple removable hard drives, and rotate the older ones to someone’s house, preferably in a different part of town. If you do this, be sure to encrypt the drive with disk encryption to protect against these drives being lost or stolen.
- Make use of versioning. Many cloud drive and backup vendors let you configure versioning and retention policies for your files, and you get incrementally better ransomware protection if you configure more versions and longer retention of files.
The key point to an offline backup is that it should be hard for you yourself to delete backups. This keeps the backups safe from ransomware if you are unfortunate enough to get infected.
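The spot check suggested above (open a few randomly chosen backed-up files and confirm they are not themselves encrypted) can be automated. The following is an added example, not part of the original post: it samples files under a backup folder and flags any whose known file signature is missing or whose bytes look random, the two tell-tale signs of a file that was encrypted in place. The thresholds, signature table and the sample files it builds are constructed for the demo; a real run would point `check_backup` at the mounted backup drive.

```python
import math
import os
import random
import tempfile

# Known file signatures (magic bytes) for common business document types.
MAGIC = {".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
         ".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff"}
# Already-compressed formats look random even when healthy, so they are
# judged by signature only, never by entropy.
ALREADY_COMPRESSED = set(MAGIC) | {".gz", ".mp4", ".7z"}
ENTROPY_LIMIT = 7.5   # bits per byte; ciphertext is ~7.9+, plain text is ~4-5


def entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_file(path: str, head: int = 65536):
    """Return None if the file looks healthy, otherwise a short reason."""
    ext = os.path.splitext(path)[1].lower()
    try:
        with open(path, "rb") as f:
            data = f.read(head)          # the first 64 KiB is enough
    except OSError as e:
        return f"unreadable: {e.strerror}"
    if ext in MAGIC:
        return None if data.startswith(MAGIC[ext]) else "bad signature"
    if ext not in ALREADY_COMPRESSED and entropy(data) > ENTROPY_LIMIT:
        return "high entropy (looks encrypted)"
    return None


def check_backup(root: str, sample_size: int = 20, seed=None) -> dict:
    """Randomly sample files under root; return {path: reason} for suspects."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    picked = random.Random(seed).sample(paths, min(sample_size, len(paths)))
    return {p: r for p in picked if (r := inspect_file(p))}


def build_demo_backup() -> str:
    """Constructed sample backup: four healthy files and two ransomed ones."""
    root = tempfile.mkdtemp(prefix="backupcheck-")
    files = {
        "notes.txt": b"Quarterly planning notes. " * 200,
        "ledger.csv": b"date,vendor,amount\n2017-05-12,Acme,120.00\n" * 100,
        "report.docx": b"PK\x03\x04" + os.urandom(3000),  # a docx is a zip
        "photo.jpg": b"\xff\xd8\xff" + os.urandom(3000),
        "invoice.pdf": os.urandom(3000),  # encrypted in place: signature gone
        "memo.txt": os.urandom(3000),     # encrypted in place: random bytes
    }
    for name, content in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for path, reason in check_backup(build_demo_backup(), seed=1).items():
        print(f"SUSPECT {path}: {reason}")
```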
4. Protect yourself from 0day
The cutting edge of security research is 0day: the race to be first to find a previously unknown vulnerability in some widely used software. Because it is completely unknown, many computers worldwide are completely defenseless against attacks exploiting such vulnerabilities.
Attackers (“black hats”) want to find these first so that they can exploit users before the product vendors patch the vulnerabilities. Product vendors want to find them first so that they can patch their users before the attackers exploit them. Security product vendors (“white hats”) want to find them first so that their security products can defend their customers better than other users are defended.
What does a 0day attack look like? Suppose an attacker has a vulnerability in a web browser. They set up a web site and lure users to browse to it, either by placing ads on search engines like everyone else does, or by actually attacking and changing a popular web site to serve up the attack. When a user browses such a malicious page with a vulnerable browser, the web page that loads into the browser exploits bugs in the browser to run the attacker’s code, escape the browser’s sandbox, and then download and run malware on the user’s machine.
Solution: Keep software current
With all of those monied parties chasing 0day, new vulnerabilities are very valuable, often worth more than $100,000 each on the black market. Conversely, once a 0day is used, it becomes likely to be discovered by the defending parties, and so it is no longer 0day—it is a known vulnerability that is soon patched by the vendor. You are very unlikely to be attacked by 0day. The attackers save 0day for their most valuable targets, and use somewhat older vulnerabilities for mass exploitation.
Thus, the easiest way to not get exploited is to keep your software current. Most major software vendors are now diligent about shipping security updates to their users ASAP, to the point that 0day attacks are exceedingly rare.
For instance, the WannaCry ransomware attack infected a quarter million Windows PCs in May of 2017, but Microsoft had shipped updates for the vulnerabilities used by WannaCry in March, and so the victims were all users who had somehow disabled or prevented Windows from automatically updating itself, and were at least two months out of date. One of the easiest ways to stay secure is to leave auto-update enabled for all software products that you use. If a product does not have auto-update, it should be replaced immediately with some other product that is more professionally supported.
5. Don’t do everything in-house
Servers are complicated, and managing them is hard. But you need them so that you can have stuff like a company mail server. Misconfigured internet servers like mail servers and web sites are a very soft target for attackers and can result in very embarrassing incidents like your web site being defaced with horrible content, or a spam campaign sent from your mail server.
Solution: Leverage the cloud
Getting great at managing your servers is not a small task and not strategic for a startup. Previously, the next best thing was to hire a consultant to periodically maintain your servers, but the quality of such work is highly variable, precisely because the customers are ill-equipped to evaluate the quality of the consultant.
So, the best recommendation now is to leverage cloud services, such as Azure, AWS, Google, Oracle, IBM, etc. Many cloud service providers offer not just machines for rent by the minute, but also software-as-a-service (SaaS) such as Microsoft’s Azure Active Directory (AAD) that relieves your business of the burden of running a domain controller, an infamously difficult task to do correctly.
No, cloud security is not perfect, but unless your startup is hyper-focused on secure server operations, it almost certainly is not as strong at defending internet servers as any of the major cloud providers. So, to the maximum extent possible, don’t host servers on-premises—outsource it to cloud providers.
6. Prepare for lost or stolen devices
Startups tend to have enthusiastic workers, who take their work home with them. That means that they are either taking work laptops home or accessing work servers from home using personal laptops and phones.
Now you have a bunch of machines riding around town on buses, in taxis, Ubers, Lyfts, and so on, and sooner or later, someone will lose one or have it outright stolen. Whoever stole it not only has a thousand-dollar device, but also access to your enterprise data.
Solution: Enable mobile device security
To defend your enterprise data against stolen devices, your enterprise services should impose minimum requirements on the machines trying to access them. For instance, Microsoft Exchange can require that all phones and PCs that access that server meet a minimum bar. Good policies for your minimum bar should include:
- PIN code/password: The device must require a PIN code (for phones) or a password (for laptops) to unlock. You should also enforce a minimum strength for the PIN code and password.
- Device encryption: Require that the device’s storage is encrypted, so that cracking the case and reading the disk does not give up all of the data. Many modern operating systems encrypt device storage by default.
- Modern operating systems: Only permit newer systems to access your data, so that you get that nice device encryption stuff, as well as all of the other modern security mitigations mentioned in this blog. So no five-year-old phones, and definitely no Windows XP.
Security is probably not the purpose of your startup, but security is a requirement for almost every startup.
Whatever it is you are doing, it is predicated on that thing mattering to your customers. If it matters, then it is worth hacking—and worth it to your customers to defend it.
Prior to joining the team at Leviathan, Dr. Cowan was a senior Program Manager at Microsoft. While at Microsoft, Dr. Cowan contributed usability improvements to UAC in Windows 7, designed the AppContainer sandbox that made Windows 8 apps possible, worked on security assurance for Windows 8.1 covering app security and making improvements to secure boot and the UEFI standard, and worked on the Microsoft Edge team to bring many security improvements to the browser. He holds undergraduate and masters degrees in computer science from the University of Waterloo, and a PhD from the University of Western Ontario.