At a launch of a digital project (be it a website, system, or a mobile application) our thoughts go directly to focusing on the market growth, which is indeed correct; but will we be safe when reaching the stage of scaling up? Well, without making any practical steps towards it – we’d probably reach that stage unready in terms of security.
From stable businesses to newly formed startups – all should be concerned with the issues of data security and privacy, but well-established businesses can use their immense resources to recruit or hire an external professional with expertise on data security, whereas new startups need to address these issues in the form of time rather than money.
Startups which focus at the beginning of their way in developing an MVP and in initial growth need to invest their time and some amount of money, that naturally depends on the project itself, in order to be secure from the outset and not be exposed to any lawsuits or technological difficulties that may arise.
Here are several solutions that will help you realize the matter in your startups:
1. Appoint a Head of Security in the company and be open with him/her
Whether it is a small startup company with a CTO who’s supposed to be in charge of the said matter (being the technological chief within the company) or a company in the post-recruitment stage that needs a CSO (Chief Security Officer) – that responsible body needs to be aware of the data which passes within the company, as well as the employees’ doings with the company’s data, which tools they are using and where the different data is stored.
There needs to be an ongoing sharing and synchronization between the different bodies – employees to the CSO and vice versa. As the company grows, it gets harder to track the data flowing in the company and the lines between the different devices (from a smartwatch to a tablet or laptop), all of which are the company’s property, get blurry.
If we share clients or e-mails via the cloud, we need to make sure that there is a security layer on that same cloud. Also, if a certain device is connected to one of the company’s devices, there needs to be a security layer that examines the transferred data. Because if there isn’t – the distance from an infected file to spreading a virus or malicious content within the company and on its servers, is short.
2. Create a data security policy and chart vital assets that may become susceptible
Each company or project – big or small, needs to set a data security policy.
It is recommended to spend time to chart the digital assets of the company and our most vulnerable sources which the cybercriminals will want to identify and take advantage of. Every such asset needs to receive proper protection with a unique key that will be held by a person in charge. It is also recommended to have more than one such person, in order to not “put all your eggs in one basket”.
3. Brief your employees and make sure they understand the importance of the subject
If there is a Head of Data Security in the company, the cost is naught. If there isn’t – it is better to hire a professional data security person for an entire day in order to cover the critical aspects in the company in regards of data security and make it so our employees get a foundation in the world of social security for the organization in which they’re employed.
They will have to be instructed about the use of:
- Devices
- Data transfers
- Identifying malicious links
- Phishing attacks
- Password management, etc.
4. An established startup company but not sure how to keep your company’s data? Outsource
There are freelancers as well as data security companies who know how to cover the security subject in end-to-end projects, starting from the diagnosis stage, through finding the existing problems and up to implementing the solution within the company and its employees.
Here’s a small tip – store your data on a cloud solution which may incorporate data security as well as application-level security, meaning security on the client-side, the server-side, and the application side. It is mandatory to maintain a security layer in all of the 3 mentioned areas. It is possible to use Google Cloud, Amazon Web Services (AWS), etc., which give a suitable answer for the issue.
5. Identify your weak spots and encrypt them
Are you handling a project dealing with e-commerce? Great, but make sure your credit card information is stored behind a few layers of security that stand by all possible standards.
Is your project dealing with collecting users’ data? Great, but make sure that you stand by the GDPR and other required parameters concerning security.
According to the segment in which you act, you need to check your competitors’ doings, consult a professional lawyer or data security person, and check what needs to be covered tightly.
- Implement a system that checks your code and finds security breaches
- If you’re using clearing – use a gateway to do that and do not store payment details directly on your servers.
- Any data stored on your system or servers should be encrypted with AES or TDES encryption methods.
- Make sure that the client-side code is encrypted to avoid the possibility of being injected with untrusted data
6. Do frequent penetration tests
There are companies as well as different tools (for example, KomodoSec, Spirent, Berezha Security) that know how to perform penetration tests on various systems. The purpose of those tests is to check how and which things have advanced technologically and can now hack your system. This is the time to figure out what needs to be blocked or overly secured in order to be up to date with today’s new hacking methods.
It’s recommended to spend money and time to identify your company’s specific needs and find a specific tool to answer your business needs that can be managed every once in a while. After all, startup companies need to be able to expertly use all of the tools invested in them.
Despite their limited budgets, startup companies cannot afford themselves to risk a data breach.
7. Store your code in SVN
The code of your website, system, or application needs to be saved in SVN, as it makes the code encrypted, can reroll it backward as well as view changes that happened and by who. It can be done by dedicated software such as TortoiseSVN or even be copied onto the company’s Google Drive or Dropbox.
The content of the article was written by Ido Yaakov, CEO of Omnis Digital Agency, an agency which manages and performs end to end digital services, starting from building a business and marketing strategy, through company branding, UI/UX and developing for the company’s website/system/application and up to launch services, digital marketing, and data security for companies.