5 Information Security Actions Every Startup Needs to Take Now

- Matt Bennett -

Information security (infosec) is a topic that has received a large and growing amount of attention in the past few years, and with good reason: data breaches have not only cost companies billions of dollars, but have also caused significant embarrassment and loss of reputation. However, for every Target or Sony Pictures that garners national attention, there are hundreds, if not thousands, of successful attacks on companies of all sizes that result in the capture of sensitive data or in financial loss, in some cases irreparably damaging those companies.

Indeed, while many small businesses would not consider themselves targets because of their size, the data does not bear this out: reports show that as much as 43% of cyberattacks are aimed at small businesses, indirectly because of their small size rather than in spite of it. Small businesses, lacking the resources to hire information security personnel, are often poorly protected, and automation lets advanced attackers target them by the hundreds.

Founders and those considering jumping into entrepreneurship may be groaning at the idea that there is yet another hat they should be wearing. For non-tech startups this is an especially tall order, because the business may not even have IT staff, much less anyone in a position to provide IT security training. However, as the old joke about running from the bear goes, you don’t have to outwit the hackers, just be more secure than the other companies around you, which is a far more manageable task. Whatever the kind of business or the complexity of the IT infrastructure, here are some simple ideas for becoming a harder target. They require neither a lot of money nor extensive technical knowledge to implement, but if used company-wide they can greatly improve the outcome when you are attacked:

1. Password security – Passwords need to be not just long but complex as well. Make sure passwords are at least 12 characters and include numbers and special characters. Never use the names of your kids, pets, or any other personal information; in the age of social media (and of large companies losing your private information), attackers have a lot of data to help them guess your password. If you provide computers for employees, or if you use Active Directory or something similar, make sure complexity requirements are enabled (your IT pro can easily set this up for you). Also talk to employees about why this is important, and require that passwords be changed regularly, at least twice a year. If the prospect of a bunch of complex, random passwords that change regularly seems overwhelming, consider using a program like LastPass, which generates complex passwords, stores them encrypted, and fills them in for you automatically via a browser extension.
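The rules in this point (at least 12 characters, digits and special characters, nothing drawn from personal details an attacker could find online) are easy to turn into a check you can run on proposed passwords before accepting them. The following is an added example written for this article, not code from the author or from any password manager; the list of personal-detail tokens is constructed, and the repeated-character check is a small extension beyond what the article states.

```python
import re
import string

# Constructed example of personal details an attacker could harvest from social
# media for one user (names, a pet, a city, a birth year). A real deployment
# would build this list per user from their own profile (assumption).
PERSONAL_TOKENS = ["matt", "bennett", "fido", "birmingham", "1984"]

MIN_LENGTH = 12  # the article's minimum


def password_problems(password, personal_tokens=PERSONAL_TOKENS):
    """Return the list of policy violations; an empty list means the password passes.

    Each rule maps to one sentence of the article: length, digits, special
    characters, and no personal information. The repeated-run check is an
    extension: 'aaaaaaaaaaaa' is 12 characters but adds no real strength.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    lowered = password.lower()
    for token in personal_tokens:
        # ignore very short tokens, which would match almost anything
        if len(token) >= 3 and token.lower() in lowered:
            problems.append(f"contains personal detail '{token}'")
    if re.search(r"(.)\1{3,}", password):
        problems.append("repeated character run")
    return problems


def is_acceptable(password, personal_tokens=PERSONAL_TOKENS):
    """True when the password meets every rule above."""
    return not password_problems(password, personal_tokens)


if __name__ == "__main__":
    for candidate in ["Fido2016!xyz", "short1!", "Tr0ub4dor&3-wakes!"]:
        print(repr(candidate), "->", password_problems(candidate) or "OK")
```

The check is meant to run where passwords are set (a signup form, an onboarding script), so that a weak choice is rejected before it is ever stored; it does not replace the Active Directory complexity policy the article mentions, it mirrors it for systems that lack one.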

2. Two-factor authentication – In addition to your new complex passwords, two-factor authentication adds another layer of protection by requiring that the user also enter a numerical code, which is typically either sent as a text to the user’s registered phone or generated by an app like Google Authenticator, which the user downloads and then syncs to the app or website in question. After a one-time setup, the user is required to enter the code, which changes constantly and so cannot be guessed by an attacker. While this adds a few seconds to your login time, it provides a lot of protection, because even if an attacker manages to guess or obtain a password, they would still need physical possession of the user’s phone to have both factors needed to gain access. Enable this feature on every website and application that offers it, and require employees to do so as well.

3. Backups – One of the fastest-growing attacks is ransomware, where the attacker implants a piece of malicious software (malware) on your system (more on how later). This software then encrypts all the files on your machine, and you must pay the attacker for the code to unlock them. Once the files are encrypted, deleting the software (if you can locate it) will not help, as all of your data is useless in its encrypted form. The only way to get up and running again without paying is to wipe the hard drives and reinstall everything. If you back up all your files regularly (daily if possible, at least weekly), this is a minor problem. If not, you may end up paying and then hoping the attacker keeps his word and gives you the unlock code. Back up important files and folders daily (both Windows and macOS have tools to help automate this). If you have any hosted services, make sure your provider does daily backups as part of your service agreement. If nothing else, use a service like Dropbox, which syncs your working files automatically in real time, and then run a backup at the end of the week to an external hard drive or flash drive (password-protected and encrypted, of course), or to a company server if you have one.
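A backup is only useful if you can tell which files have been altered and can put a known-good copy back, which is exactly the situation after files have been encrypted in place. The following is an added example, not code from the article or from any backup product: it snapshots a folder together with a manifest of SHA-256 hashes, uses the manifest to list files whose content no longer matches, and restores from the snapshot. The sample folder and the simulated damage (files overwritten with random bytes) are constructed inside a temporary directory.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.json"


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_snapshot(source, backup_root, label):
    """Copy the working folder to backup_root/label and write a hash manifest beside it."""
    dest = Path(backup_root) / label
    shutil.copytree(source, dest)
    manifest = {str(p.relative_to(dest)): file_digest(p)
                for p in dest.rglob("*") if p.is_file()}
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return dest


def changed_files(source, snapshot):
    """Compare the live folder with a snapshot's manifest.

    Returns the files that are missing or whose content differs; after a
    ransomware incident this is the list of what must be restored.
    """
    manifest = json.loads((Path(snapshot) / MANIFEST).read_text())
    src = Path(source)
    changed = []
    for rel, digest in manifest.items():
        live = src / rel
        if not live.is_file() or file_digest(live) != digest:
            changed.append(rel)
    return sorted(changed)


def restore(snapshot, target):
    """Replace the target folder with the snapshot's files (the manifest stays behind)."""
    target = Path(target)
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(snapshot, target, ignore=shutil.ignore_patterns(MANIFEST))
    return target


def demo():
    """Snapshot, simulate in-place corruption, detect it, restore, re-check."""
    work = Path(tempfile.mkdtemp())
    try:
        src = work / "documents"
        src.mkdir()
        (src / "invoices.csv").write_text("id,amount\n1,100\n")   # constructed sample data
        (src / "notes.txt").write_text("meeting notes")
        snap = take_snapshot(src, work / "backups", "day1")
        # Simulated damage: every working file replaced with unreadable bytes.
        for p in src.iterdir():
            p.write_bytes(os.urandom(32))
        damaged = changed_files(src, snap)
        restore(snap, src)
        clean = changed_files(src, snap)
        return damaged, clean
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())
```

The important property is that the snapshot lives somewhere the working machine cannot overwrite (the article's external drive or company server): a backup that is itself reachable from the infected machine is just another file for the malware to encrypt.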

4. Email security – Whole books have been written on this topic, so we will not cover it exhaustively. However, a couple of behaviors can add a lot of security. By far the most common way malware gets into a target’s systems is phishing: a simple yet effective attack in which an email is sent with a malicious link or attachment, often written to look like an email from a senior member of the company, or designed to entice the user (fill out this quick survey for a chance to win a gift card, etc.). This is the typical method, or attack vector, by which ransomware gets onto target systems. Insist that employees never send each other links to anything, so that if an email arrives with one in it, suspicions are immediately raised. Let everyone know that you will never send requests to transfer money or open new accounts by email, and that if they receive one they should call you immediately, before clicking a link and typing company information into a fake account screen, and definitely before sending any money, period. Consider using an application like Google Messenger, which is free and has two-factor authentication, as the primary form of intra-office communication instead of email.
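The two house rules above (no links between colleagues, no money or account requests by email) can be checked mechanically on incoming mail, which is useful as a mail-filter rule or simply for training people on what to look for. The following is an added example, not code from the article: it parses a raw message with the standard library and reports the warning signs the article describes, plus two related ones (an executive's display name arriving from an outside domain, and a Reply-To that differs from the From address). The company domain, the executive name and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"        # assumption: the startup's own mail domain
EXECUTIVES = {"jane founder"}         # constructed: display names worth impersonating

# Requests the article says will never legitimately arrive by email.
MONEY_PHRASES = ("wire transfer", "transfer funds", "open a new account",
                 "gift card", "update your banking")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _body_text(msg):
    """Plain-text body, whether the message is single-part or multipart."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True).decode("utf-8", errors="replace")
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(parts)
    return msg.get_payload()


def red_flags(raw_email):
    """Return a list of human-readable warning signs; an empty list means none found."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = _body_text(msg)
    flags = []
    if name.lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        flags.append("executive display name from an outside domain")
    if URL_RE.search(body):
        flags.append("contains a link")
    for phrase in MONEY_PHRASES:
        if phrase in body.lower():
            flags.append(f"asks for money/account action: '{phrase}'")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != addr.lower():
        flags.append("Reply-To differs from From")
    return flags


# Constructed sample messages (not real mail).
PHISH = """\
From: Jane Founder <jane.founder@mail.example.net>
To: accounts@example.com
Reply-To: ceo-urgent@mailbox.example.net
Subject: Quick favour

Hi, I need you to process a wire transfer today. Details here: http://pay.example.net/invoice
"""

BENIGN = """\
From: Bob Colleague <bob@example.com>
To: jane@example.com
Subject: lunch

Want to grab tacos at noon?
"""

if __name__ == "__main__":
    for label, raw in [("phish", PHISH), ("benign", BENIGN)]:
        print(label, "->", red_flags(raw) or "no flags")
```

None of these signals is proof on its own; the point, as the article says, is that any one of them should trigger a phone call rather than a click.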

5. Software patching – After new software is released, vulnerabilities are inevitably found; many companies even pay users who locate such vulnerabilities before they turn into attacks on customers. The fixes then become security patches that roll out to all users. If you ignore those requests to update (we are all tempted), your system remains vulnerable to the attack, and since the vulnerability is now public knowledge, an attacker has a cheat sheet of things to try if he gains access. Most software (including operating systems) gives you the ability to configure automatic updates; make sure that option is always selected, and configure checks for updates to run daily. Operating systems usually allow this process to be scheduled for a particular time; try setting it for first thing in the morning, so it can do its checks and updates while you are still getting settled in and pouring the first cup of coffee.

This only scratches the surface of information security, but these tips will make a real difference: they prevent or hinder the most common attack vectors for the most frequent attacks on smaller companies. They work for one user or twenty, whether you have company servers or just a team with laptops working remotely. Implementing them can make you a hard enough target that attackers decide to move on to the next one, and you and your company can go back to business.

Jul 15, 2016, by Matt Bennett

Tags: backup, infosec, two-factor authentication
Matt Bennett

Matthew Bennett is a corporate IT auditor, freelance information security consultant, and evangelist for small business security awareness. He is a founding partner of Startup Southerner.

Comments: 3
  1. Tony Lettich
    4 years ago

    Great article with solid advice Matthew! Very timely…appreciate your sharing.

    • Matt Bennett
      4 years ago

      My pleasure, and I hope you’ll check this space in the coming weeks, as I plan to do a deeper dive on some topics like Ransomware and Phishing attacks – things that are of highest relevance for small companies.

      Really glad you enjoyed the article.

  2. Tony Lettich
    4 years ago

    Thanks for the heads-up! Will plan to do so.