This article is based on a webinar; the recording is available on YouTube:
4 myths and 3 scary stories about cybersecurity in Startups:
Myth #1 - We are not an interesting target for attackers.
This is false, and it is a dangerous misconception: it leads to complacency and to basic controls never being implemented. Every business is a potential target regardless of size or industry. Startups are frequently the easier targets: they have fewer people to dedicate to security, and they assume nobody will bother with them, so their defences are weaker and an attack is more likely to succeed. Proactive protection of the company and of its customers' data is therefore not optional.
Reality #1 - 99% of the threats are automated already, and there is an unofficial “market” that allows you to buy access, data, etc.
Most attacks today are not aimed at anyone in particular. The webinar's estimate is that 99% of threats are automated: scanners sweep the whole IPv4 address space for exposed services, credential-stuffing bots try leaked passwords everywhere, and exploit kits attack any vulnerable Linux, Windows or Ruby on Rails deployment they find, installing malware or simply recording the foothold for later. That foothold is then sold. An unofficial market exists where access to compromised systems and stolen data is bought and resold, so the party that breaks in is often not the party that monetises the breach. Speed is the other problem: within hours of a new exploit becoming public, attackers have scanned the entire internet for vulnerable hosts. You are not chosen as a target; you are found.
Myth #2 - Security requires a lot of money, we just don’t have it for now.
This myth stops many startups from doing anything at all. Some security measures are expensive, but the ones that matter most at the start are not: keeping software patched, using single sign-on with strong authentication everywhere, isolating services from each other, and keeping backups off the main infrastructure cost engineering time rather than money. The same logic applies to physical security, where a deadbolt and a camera are cheap. Any reasonable investment in security is worthwhile, because the cost of a breach is almost always higher than the cost of preventing it.
Reality #2 - 99% of security depends on people like engineers, who can pick up this knowledge for free.
The knowledge is freely available, but applying it takes engineers who have actually learned it and a company that lets them spend time on it. Organisations that invest in their engineers' security education end up with stronger infrastructure and better protection than those that buy products first. It also takes a culture in which security is valued, so that every employee knows the risks and their own role in keeping the environment secure.
Myth #3 - If somebody decides to hack us, they will make it happen anyway.
This myth says that a determined attacker always succeeds. That is close to true for governments and other high-value targets, whose adversaries do not care what an attack costs. For everyone else, and for startups in particular, it is a different story: the attacker is economically motivated, and breaching a reasonably defended system costs time and resources that could instead be spent on an easier target. Security measures therefore do work, not because they make a breach impossible, but because they raise its price above what the attacker is willing to pay. No system is foolproof; the goal is to make yours not worth the effort.
Reality #3 - It’s true only for governments and targets where the cost of the attack does not matter. For the rest of businesses, it’s about how much the attacker would have to spend to hack you.
The distinction is about the attacker's budget, not yours. State-level adversaries going after governments or strategically important targets will spend whatever an attack costs. Everyone else is attacked by people who calculate a return on investment, so for a small or medium business the question is how much it costs to break in compared with what the attacker gains. Your job is to push that cost up with the basics: network segmentation and firewalls, encryption of data in transit and at rest, and access controls on sensitive data. Not investing has its own cost, in reputational damage and direct financial loss, and it is usually the larger one.
Myth #4 - Since we are a small company, it’s not that important if somebody hacks us. It will not affect our business, or the damage will be minor.
This is a myth as well. Attackers do not only go after large, financially valuable corporations; small companies are attacked precisely because they are easier to breach. The damage may not be visible immediately, but it compounds: lost customer trust, a damaged brand, and legal liability if customer data is stolen. Small companies need to take security seriously, implement appropriate measures and train their staff so they do not become the next victim.
Reality #4 - It will matter when you become bigger. Cybersecurity incidents, data breaches and hacks will still affect your business several years later.
An incident does not expire. Beyond the immediate lost revenue and reputational damage, a breach can create legal liabilities, and it will resurface in due diligence, procurement questionnaires and press coverage years after the fact. As a company grows, the data it stores grows with it and it becomes a more attractive target, so the controls have to be in place before the growth, not after. Investing early is cheaper than explaining later.
Scary story #1 - The game was hacked prior to launch. Attackers sold all the assets to competitors, who were able to launch before the official release.
The first story shows why security has to be in place before a product launches, not after. Unreleased assets, source code and builds are valuable precisely because they are unreleased, and once they are stolen the loss cannot be undone: the startup here lost its assets, its first-mover advantage and the trust of its audience in one incident. The lesson is that prevention is the only option for this class of damage.
Here are some high-profile cases of pre-release theft in the games industry. None of them matches the webinar's story exactly, but they show how common the pattern is:
"Gwent: The Witcher Card Game" - In 2017, CD Projekt Red confirmed that pre-release assets of Gwent were stolen and leaked online.
"Watch Dogs" - In 2014, a group claimed to have obtained an early copy of Watch Dogs and released the game's data onto torrent sites.
"Halo: Reach" - In 2010, the finished game leaked about a month before release after it was obtained from Microsoft's Xbox Live partner network and distributed illegally.
"Call of Duty: Modern Warfare 3" - In 2011, physical copies of the game were stolen in transit and sold before release, and its content leaked online.
"Half-Life 2" - In 2003, the source code for Half-Life 2 was stolen from Valve and leaked online, about a year before the game was eventually released.
Scary story #2 - A dating website/app was hacked and never recovered, due to loss of customer confidence.
Dating platforms hold some of the most sensitive personal data there is, which makes them both attractive targets and businesses that cannot survive a loss of trust. In this case the platform was hacked, customer data was compromised, and the company never managed to win its users back.
The attackers exploited a weakness the company knew about and had not taken seriously. Once the breach became public, users who had been loyal to the brand moved to competitors they believed were better protected, and the business did not recover.
The story shows why, in industries where the data itself is the liability, investment in security strategy and protocols is not overhead but a condition of staying in business.
Here are five dating websites/apps that suffered major breaches. Not all of them closed down, but every one of them paid in user trust:
Ashley Madison - In 2015, the dating website for married people, Ashley Madison, was hacked, resulting in the leak of personal information of over 30 million users.
Adult FriendFinder - In 2016, the adult dating site Adult FriendFinder was hacked, resulting in the theft of personal data of approximately 340 million accounts.
BeautifulPeople.com - In 2015-2016, the dating site BeautifulPeople.com, which admits members by vote on their looks, was hacked, resulting in the theft of data on over one million users.
Zoosk - In 2018, a data breach was discovered on the popular dating website Zoosk, with hackers stealing information from over 3.8 million user accounts.
Mate1 - In 2016, the dating site Mate1 was hacked, compromising the data of over 27 million users.
Scary story #3 - A B2B SaaS project was declined during the procurement process / RFI because of a data breach that had happened 2 years earlier.
In the third story, a B2B SaaS company was declined during procurement because of a data breach that had happened two years earlier. The company had not mentioned the incident in its RFI answers; the prospect's procurement team found it anyway and used it as the reason to decline. This is not unusual. Anything publicly known about your security history (bug bounty reports, entries in vulnerability databases, breach notifications, press coverage) will be found by a serious buyer's due diligence, so check those sources regularly yourself and make sure that existing and prospective customers hear about incidents from you, in time and together with the remediation. Ignoring an incident does not make it go away; it turns it into lost deals and a damaged reputation.
Here are some high-profile cases:
In 2017, an engineer at Booz Allen Hamilton left tens of thousands of sensitive US government files in a publicly readable Amazon S3 bucket; the exposure was discovered by an outside researcher, and the firm's standing as a trusted contractor suffered.
In 2017, Equifax, an American consumer credit reporting agency, suffered a major data breach affecting roughly 147 million people; it damaged the company's reputation and led to a decline in profits.
In 2020, Blackbaud, a SaaS provider for non-profits, universities and other fundraising organisations, disclosed a ransomware attack in which the attackers copied backups containing donor data for a large number of its customers; it later confirmed that some unencrypted fields, including bank account details and social security numbers, were among the data taken. Hundreds of customer organisations, including universities and charities, had to notify their own donors, and some of them decided not to renew their contracts, despite Blackbaud's remediation and its notifications to the authorities.
In 2021, Ubiquiti Networks, a supplier of wireless and networking equipment, reported a breach involving its cloud infrastructure and was later criticised, after a whistleblower's account, for having understated how serious it was. Several customers of its cloud-managed products moved away because of it.
Keys to unlock security for your startup
Do things early. If you already have 10 people on board, it is probably late already
Split security into clear processes
Implement only those processes that are mission critical
Don’t implement more than one solution for any single process
Be absolute about all of the above: no excuses
If (when) excuses happen, count them as risks
A startup needs security attention from day one. The first key is to start early: once there are many people, tools and accounts on board, every control you add has to be retrofitted around existing habits, and the gaps you did not close at the start are the ones that persist.
The second key is to split security into clear processes: define what has to be protected and write down the procedure for each (who gets an account, how servers reach each other, how patches are applied, what is monitored, where backups and logs go). Then implement only the processes that are mission critical. Trying to secure everything at once is expensive and usually fails; understanding what actually matters for your business is the prerequisite for doing any of it properly.
The third key is one solution per process. Two identity providers, two monitoring stacks or two backup schemes produce inconsistencies, confusion and gaps between them, and gaps are where incidents happen. Finally, be absolute about all of this: no excuses. When an exception does happen, and it will, do not pretend it is fine; write it down as a risk that is owned and tracked until it is closed.
Security measures do not make incidents impossible, so stay vigilant and have a response procedure ready for when one happens despite them. Start early, define clear processes, implement only what is mission critical, keep one solution per process, and track every exception as a risk.
5 security parts we have to have in place
#1. Authentication and user management
The simplest way is to use Google Workspace (formerly G Suite) as the identity provider and not allow any local or cloud-based service that does not support SSO (Single Sign-On)
Otherwise, you will end up buying an IdM (Identity Management) system one day
Some exceptions happen anyway, LinkedIn being the classic one (should your sales reps use corporate emails, or can you control their private accounts?)
Authentication and user management come first because every other control depends on knowing who is who. For a startup the easiest path is to use Google Workspace (formerly G Suite), which most startups already have, as the single identity provider, and to refuse any tool that cannot authenticate through it. Every service that keeps its own local accounts is a set of passwords you do not control, cannot revoke when somebody leaves, and cannot centrally enforce MFA on; once enough of them accumulate, the only way back is an expensive and disruptive identity-management rollout.
Some exceptions are unavoidable. LinkedIn is the usual one: a sales representative's LinkedIn profile is a personal account that you cannot put behind your SSO, yet it is used for work every day. Decide explicitly whether such tools are used with corporate email addresses, what work-related data may pass through them, and how access is removed when the person leaves; write that down as a policy, and count whatever you cannot enforce as a known risk rather than pretending it is covered.
#2. Infrastructure isolation. This means data isolation
Everything internal should be internal. You have a choice: VPN and/or SSO
Instances should talk to each other, but not everyone to everyone
Mistakes here usually force you to rebuild the infrastructure from scratch later
Start your network isolation with the data flow diagram. It helps a lot
Isolation is about the data: what can reach it, and from where. Nothing internal should be reachable from the internet; put it behind a VPN, behind SSO (for example an identity-aware proxy), or both. Inside the network, instances should be able to talk only to the instances they need: the web tier to the API, the API to the database, and nothing else. Start by drawing the data flow diagram, one line per flow, and derive the firewall rules, security groups or VLAN ACLs from those lines; a rule that does not correspond to a line on the diagram should not exist. Authentication and authorization on the connections themselves, encryption for data in transit and at rest, and regular backups are the next layers on top.
Do this early. Isolation is the control that is most expensive to retrofit, because a network that grew as "everything talks to everything" has hidden dependencies everywhere, and untangling them usually means rebuilding the infrastructure from scratch.
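The following is an added example, not code from the webinar or the article: it takes a data flow diagram as the single source of truth, derives the ingress allow-list each component should have, and audits an existing rule set against the diagram. The component names, CIDRs and ports are hypothetical, and the "port 0 means every port" convention is an assumption of this example.

```python
"""Derive ingress allow-lists from a data flow diagram (DFD) and audit an
existing rule set against it.  Added example; the components, CIDRs and
ports are hypothetical and not taken from the original article."""
from collections import defaultdict

# Constructed DFD: one (source, destination, port) per line you drew.
# Anything not on this list is a flow that is not supposed to exist.
DFD = [
    ("internet", "lb", 443),
    ("lb", "web", 8080),
    ("web", "api", 9000),
    ("api", "db", 5432),
    ("api", "cache", 6379),
    ("bastion", "db", 5432),
]

# Hypothetical address book: which CIDR each component lives in.
ADDR = {
    "internet": "0.0.0.0/0",
    "lb": "10.0.0.0/24",
    "web": "10.0.1.0/24",
    "api": "10.0.2.0/24",
    "db": "10.0.3.0/24",
    "cache": "10.0.4.0/24",
    "bastion": "10.0.9.10/32",
}

ALL_PORTS = 0  # convention used in this example: port 0 means "every port"


def allow_list(dfd=DFD, addr=ADDR):
    """Return {destination: [(source_cidr, port), ...]}: the only ingress each
    component should accept.  Everything else is implicitly denied."""
    rules = defaultdict(list)
    for src, dst, port in dfd:
        rules[dst].append((addr[src], port))
    return dict(rules)


def audit(proposed, dfd=DFD, addr=ADDR):
    """Return a finding for every proposed rule (dst, src_cidr, port) that no
    line of the DFD justifies.  0.0.0.0/0 is legitimate only where the DFD
    itself says 'internet', and 'all ports' is never on a DFD."""
    justified = {(dst, addr[src], port) for src, dst, port in dfd}
    findings = []
    for dst, src_cidr, port in proposed:
        if (dst, src_cidr, port) in justified:
            continue
        if src_cidr == "0.0.0.0/0":
            findings.append(f"{dst}:{port} is open to the whole internet")
        elif port == ALL_PORTS:
            findings.append(f"{dst} accepts every port from {src_cidr}")
        else:
            findings.append(f"{dst}:{port} from {src_cidr} is not on the DFD")
    return findings


# Constructed "current state" of a typical early-stage security group.
PROPOSED = [
    ("lb", "0.0.0.0/0", 443),          # justified: internet -> lb:443 is on the DFD
    ("db", "10.0.2.0/24", 5432),       # justified: api -> db:5432
    ("db", "0.0.0.0/0", 5432),         # database reachable from the internet
    ("api", "10.0.0.0/8", ALL_PORTS),  # "everything talks to everything"
]

if __name__ == "__main__":
    for dst, sources in allow_list().items():
        print(f"{dst}: allow {sources}")
    for finding in audit(PROPOSED):
        print("FINDING:", finding)
```

The useful property is that the diagram, not the cloud console, is the reference: when a rule fails the audit, either the diagram is missing a real flow (update the diagram) or the rule is wrong (delete it), and there is no third option. Run the audit in CI against an export of your security groups so that "everything to everything" cannot creep back in.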
#3. Patch management
Vulnerabilities happen. But patches happen as well
The goal is to apply patches on time and not let dependencies, legacy code or architecture problems block them
There are a lot of open-source and free tools to make it happen
Basically, you need to care about two things:
Versions of the packages in your dependencies: use pip, bundler or whatever package manager your stack has
OS package updates
If you are 100% serverless, you won’t have the OS half of this problem at all (your own dependencies still need patching)
Vulnerabilities in code are inevitable; what matters is how long the window stays open between the fix being published and the fix being deployed. Effective patch management means two things: updates are applied promptly, and nothing structural prevents applying them. The second part is where startups get stuck. A framework pinned two major versions back, or a library that only works on an end-of-life OS release, turns every patch into a migration project, and so the patch does not happen. There are plenty of free and open-source tools for the mechanics (the package managers themselves will list outdated dependencies, and operating systems can install security updates automatically), but they only help if the code base can actually take the update.
Concretely, you need to watch two layers. The first is the third-party dependencies of your application, managed with pip, npm, bundler or whatever your stack uses. The second is the operating system packages on your instances. Serverless platforms remove the second layer, because the provider patches the runtime and the host, and that is one of their real security advantages; they do not remove the first, so dependency updates still need an owner.
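As an added example (not from the article), here is a small script that builds one patch backlog out of the two layers just described. The sample outputs are constructed, but they follow the real formats of `pip list --outdated --format=json` and `apt list --upgradable`; in practice you would pipe the live output of those commands into the two parsers. The "major version bump" heuristic for spotting updates that legacy code is likely to block is an assumption of this example, not a rule from the webinar.

```python
"""Build one patch backlog from the two sources the article names: language
dependencies (pip here) and OS packages (apt here).  Added example: the
sample outputs below are constructed, but they follow the real formats of
`pip list --outdated --format=json` and `apt list --upgradable`."""
import json
import re

# Constructed sample of `pip list --outdated --format=json`.
PIP_OUTDATED = json.dumps([
    {"name": "requests", "version": "2.25.1",
     "latest_version": "2.31.0", "latest_filetype": "wheel"},
    {"name": "django", "version": "3.2.18",
     "latest_version": "4.2.7", "latest_filetype": "wheel"},
])

# Constructed sample of `apt list --upgradable` (Ubuntu/Debian).
APT_UPGRADABLE = """\
Listing... Done
openssl/jammy-updates 3.0.2-0ubuntu1.12 amd64 [upgradable from: 3.0.2-0ubuntu1.10]
libssl3/jammy-updates 3.0.2-0ubuntu1.12 amd64 [upgradable from: 3.0.2-0ubuntu1.10]
"""

APT_LINE = re.compile(
    r"^(?P<name>[^/\s]+)/\S+ (?P<latest>\S+) \S+ \[upgradable from: (?P<current>[^\]]+)\]$"
)


def parse_pip_outdated(text):
    """(source, name, current, latest) for every outdated pip package."""
    return [("pip", p["name"], p["version"], p["latest_version"])
            for p in json.loads(text)]


def parse_apt_upgradable(text):
    """(source, name, current, latest) for every upgradable apt package;
    the 'Listing... Done' header and anything unparseable is skipped."""
    out = []
    for line in text.splitlines():
        m = APT_LINE.match(line)
        if m:
            out.append(("apt", m["name"], m["current"], m["latest"]))
    return out


def major_bump(current, latest):
    """True when the leading numeric component differs.  Heuristic used in
    this example: those are the updates most likely to be blocked by legacy
    code, so they are tracked explicitly instead of waited for."""
    def first(version):
        m = re.match(r"\d+", version)
        return int(m.group()) if m else -1
    return first(current) != first(latest)


def patch_backlog(pip_text=PIP_OUTDATED, apt_text=APT_UPGRADABLE):
    """Unified backlog across both layers."""
    items = parse_pip_outdated(pip_text) + parse_apt_upgradable(apt_text)
    return [{"source": s, "name": n, "current": c, "latest": l,
             "major_bump": major_bump(c, l)} for s, n, c, l in items]


def blocked_by_legacy(backlog):
    """Names that need a migration decision rather than a routine update."""
    return [item["name"] for item in backlog if item["major_bump"]]


if __name__ == "__main__":
    backlog = patch_backlog()
    for item in backlog:
        flag = "  <- major bump, needs a migration owner" if item["major_bump"] else ""
        print(f"{item['source']:4} {item['name']:10} {item['current']} -> {item['latest']}{flag}")
    print("blocked by legacy:", blocked_by_legacy(backlog))
```

The point of the major-bump flag is the article's own: routine updates should just happen (automatically, where the platform allows it), while the handful of updates the code base cannot take are the real patch-management problem and belong on the risk list with an owner.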
#4. Monitoring and backups
Think about technical monitoring in the same way as business metrics
If you have some sales and marketing metrics that you are monitoring, why should you skip technical monitoring metrics?
Don’t think about alerts as a “technical mess for CTO”, but as a fair metric of the quality of your product
The first business-perspective monitoring metric is to know clearly how many customers were unable to use your service in full, and for how long
Monitoring coverage is the deal breaker for cybersecurity
Most security incidents (the webinar's estimate is 99%) could be registered by ordinary monitoring systems with no additional cybersecurity products. Note that this is detection, not prevention
During the building of the monitoring system, use the same data flow diagram as we used for infrastructure isolation
Be sure that your monitoring covers at least every line on the data flow diagram as a separate event
Keep backups outside of the main infrastructure; this is the rule, even if your cloud provider guarantees a 100% SLA
Treat technical monitoring the way you treat business metrics. If you track sales and marketing numbers every week, there is no reason to skip uptime, error rates and alert volumes from tools like PagerDuty: they are a fair measure of product quality, not a technical mess for the CTO to worry about alone. The first metric to get right from the business side is availability as customers experience it, meaning how many customers could not use the service in full and for how long. That number also tells you what SLA you can honestly offer.
Coverage is what makes monitoring useful for security. Most incidents show up as something changing: a new outbound connection, a failed health check, a spike in errors or logins, a process that should not exist. Use the same data flow diagram as for isolation and make sure every line on it is monitored as a separate event, so that a broken or unexpected flow is visible on its own rather than buried in an aggregate. The diagram also tells you which components hold data and therefore need backups. Monitoring is not a debugging task for developers; it is how founders get a high-level view of whether the data flows are intact, and how everyone else finds out what is happening under the hood.
For backups the rule is simple: never keep them in the same infrastructure as the services they protect, even if the cloud provider promises a 100% SLA. The SLA covers the provider's failures, not an attacker who deletes your account's storage along with the production data; use a different account and preferably a different provider.
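The following is an added example, not from the webinar or the article, of the two checks this section asks for: that every line on the data flow diagram has its own monitoring event, and that probe results can be turned into the business metric "how long could customers not reach us". The DFD, the event format (ISO timestamp followed by key=value pairs) and all values are constructed for the example.

```python
"""Check that monitoring covers every line of the data flow diagram and turn
raw probe events into the business metric 'how long could customers not
reach us'.  Added example; the DFD, the event format and all values are
constructed and not taken from the original article."""
from datetime import datetime, timezone

# The same kind of diagram used for isolation: one edge per data flow.
DFD = [("internet", "lb"), ("lb", "web"), ("web", "api"),
       ("api", "db"), ("api", "cache")]

# Constructed probe events, oldest first: ISO timestamp then key=value pairs
# (assumed format).  'edge' names the DFD line the probe exercised.  Note the
# api->cache line is never probed at all.
EVENTS = """\
2024-03-01T10:00:00Z edge=internet->lb status=ok
2024-03-01T10:00:00Z edge=lb->web status=ok
2024-03-01T10:00:00Z edge=web->api status=ok
2024-03-01T10:00:00Z edge=api->db status=ok
2024-03-01T10:01:00Z edge=internet->lb status=ok
2024-03-01T10:01:00Z edge=lb->web status=ok
2024-03-01T10:01:00Z edge=web->api status=fail
2024-03-01T10:01:00Z edge=api->db status=fail
2024-03-01T10:02:00Z edge=internet->lb status=fail
2024-03-01T10:02:00Z edge=lb->web status=ok
2024-03-01T10:02:00Z edge=web->api status=fail
2024-03-01T10:02:00Z edge=api->db status=ok
2024-03-01T10:03:00Z edge=internet->lb status=ok
2024-03-01T10:03:00Z edge=lb->web status=ok
2024-03-01T10:03:00Z edge=web->api status=ok
2024-03-01T10:03:00Z edge=api->db status=ok
"""


def parse_events(text=EVENTS):
    """Parse the constructed event lines into dicts with a UTC datetime."""
    events = []
    for line in text.splitlines():
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(fields)
    return events


def uncovered_edges(events, dfd=DFD):
    """DFD lines for which no monitoring event exists at all: blind spots."""
    seen = {e["edge"] for e in events}
    return [f"{s}->{d}" for s, d in dfd if f"{s}->{d}" not in seen]


def downtime_seconds(events):
    """Per edge, seconds spent failed.  A failed probe counts as failed until
    the next probe of the same edge; the last probe contributes nothing."""
    by_edge = {}
    for e in events:
        by_edge.setdefault(e["edge"], []).append(e)
    result = {}
    for edge, probes in by_edge.items():
        total = 0.0
        for cur, nxt in zip(probes, probes[1:]):
            if cur["status"] == "fail":
                total += (nxt["ts"] - cur["ts"]).total_seconds()
        result[edge] = total
    return result


def customer_unavailability(events, customer_edge="internet->lb"):
    """The number the business cares about: how long customers could not reach
    the service, i.e. the downtime of the customer-facing edge."""
    return downtime_seconds(events).get(customer_edge, 0.0)


if __name__ == "__main__":
    evs = parse_events()
    print("not monitored:", uncovered_edges(evs))
    print("downtime per edge:", downtime_seconds(evs))
    print("customer-facing downtime (s):", customer_unavailability(evs))
```

In the constructed data the internal lines (web->api, api->db) fail at 10:01, a full minute before customers notice anything at 10:02. That minute of warning, and knowing which line to look at, is exactly what per-edge events buy you; an aggregate "site up/down" check would have shown nothing until 10:02 and pointed nowhere. The api->cache line being reported as unmonitored is the other half of the lesson: a line on the diagram with no event behind it is a place where an incident can happen unseen.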
#5. Centralized logging
Centralized logging allows for searching features, correlating events, investigating issues, and understanding what’s going on
Keep logs outside of the main infrastructure, this is the rule. Even if your cloud provider guaranteed 100% SLA
In the case of a security incident, you have a higher chance of keeping the logs uncompromised.
If you run on AWS, keep the logs in Azure (or another provider), and so on
Centralized logging is what turns an incident from a mystery into an investigation: one place to search, to correlate events across services, and to see trends. The rule for where the logs live is the same as for backups. Logs stored on the machine that produced them are the first thing an attacker with root access edits or deletes, and logs kept in the same cloud account disappear together with the account. Ship them, as they are produced, to a destination with separate credentials that production cannot delete from: a different account at minimum, a different provider ideally, so that a compromise of the main infrastructure still leaves you an intact record of what happened.
The destination can still be a managed cloud logging service; the point is that its write-only credentials are the only thing reachable from the environment being logged, and nothing in that environment can read, alter or delete what was already shipped. Following this one rule protects both the evidence you will need during an incident and the business continuity that depends on understanding it afterwards.
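One thing to settle before shipping logs off the infrastructure is what must not be in them; the "PII in logs" entry in the mistakes list below is a real exposure once the logs sit in a third-party store. The following is an added example, not code from the article, of a logging filter that redacts PII on the producing host before any handler sees the record. The logger name, the three patterns and the sample messages are constructed for the example; the patterns are a starting point, not a complete PII catalogue, and the in-memory sink stands in for whatever remote handler you actually use.

```python
"""Redact PII from log records before they leave the host for the central
log store.  Added example: the logger name, the patterns and the sample
messages are constructed and not from the original article."""
import logging
import re

# Patterns chosen for the sample data; extend to whatever PII your product
# actually handles (they are a starting point, not a complete list).
PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "<ssn>"),
    (re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"), "<card>"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "<email>"),
]


def redact(text):
    """Replace every PII match in `text` with a placeholder."""
    for pattern, placeholder in PATTERNS:
        text = pattern.sub(placeholder, text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrites the record in place, so the handler it is attached to (and
    therefore the remote shipper) only ever sees the redacted message."""

    def filter(self, record):
        record.msg = redact(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: redact(str(v)) for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(redact(str(a)) for a in record.args)
        return True


class MemorySink(logging.Handler):
    """Stand-in for the off-infrastructure destination (in production this
    would be e.g. logging.handlers.SysLogHandler pointed at the remote
    collector); it just keeps the formatted lines."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def shipped_lines():
    """Configure a logger with the filter, log two constructed messages and
    return exactly what would have been shipped."""
    logger = logging.getLogger("example.app")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    sink = MemorySink()
    sink.setFormatter(logging.Formatter("%(levelname)s %(name)s %(message)s"))
    sink.addFilter(RedactingFilter())
    logger.addHandler(sink)

    # Constructed sample messages: one with PII in the arguments, one with
    # PII embedded in the message string itself.
    logger.info("signup ok user=%s card=%s", "alice@example.com", "4111 1111 1111 1111")
    logger.warning("login failed for bob@example.org from 203.0.113.5 ssn=123-45-6789")
    return sink.lines


if __name__ == "__main__":
    for line in shipped_lines():
        print(line)
```

Attaching the filter to the handler rather than the logger is deliberate: Python applies logger-level filters only to records created on that logger, while a handler-level filter runs on everything that handler ships, including records propagated from child loggers. Redaction is lossy by design; if an investigation needs the original value, look it up in the system of record using the identifiers that remain in the line, rather than keeping the PII in a store you do not control.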
Top 10 mistakes:
Allowing all the services to talk to each other (0 isolation)
Making ACL/VLANs with no data flow diagram in place
Not monitoring business-related service health, such as outages
Storing logs at the same machines as application services
Using more than one SSO provider for internal services
Being locked into outdated frameworks and environments by code requirements
Storing backups at the same instances as services
Treating logs as developers’ debug output
Storing sensitive information like PII in logs
Spending money on cybersecurity before understanding processes and risks
Most of these are the same failure in different places: a control (isolation, monitoring, logging, backups) that was added without a picture of what actually needs protecting, or not added at all because that picture, the data flow diagram, was never drawn. Start with the diagram and the processes, keep logs and backups where an attacker in production cannot reach them, and spend money only once you know which risks it is buying down.