Risky Business: Managing Cyber Security Threats and Product Risks
Cybercrime is on the rise, and Software as a Service (SaaS) startups are especially vulnerable. Rajat Kongovi, Vouch’s Chief Product Officer, explains that cyber security and product risks often go hand-in-hand: “With the proliferation of 3rd parties in tech stacks and open APIs, there’s more attack surface.” Unfortunately, many businesses underestimate the likelihood of an attack. The resulting data breaches and product failures can scare away customers, shake investor confidence, impact revenue, and open you up to financial liability.
Building and maintaining cyber security infrastructure and investing in cyber insurance can help protect you, your product, and your customers. In fact, investing in cyber security can help prevent a business ending event. While tech giants like Google can absorb the financial impact, 60% of startups and small businesses close less than half a year after a cyberattack.
Christina Cacioppo, founder and CEO of Vanta, which provides security and compliance software, understands the difficulty of keeping track of every detail. “In a small, quickly growing company, there’s a lot you need to do.” She explains, “When you’re onboarding several employees a week, and there’s so much going on, multi-factor authentication is one item on a checklist of a hundred, and not everything gets checked off.”
If you weather the initial monetary damage from lax cyber security, Kongovi cautions that,
The real problem is that you are not taking care of your customers. That violates their trust and has long lasting consequences to your brand and your reputation.
For startups, reputation and word of mouth are everything. If people think your company is unreliable and your security is lax, you can tank your public image before you’ve gained customer traction, brand loyalty, and trust.
So what can you do to help your company reduce the attack surface and avoid these issues?
One of the first steps to building cyber security infrastructure is understanding the points of vulnerability. Brian Haugli, Managing Partner at SideChannel, a virtual CISO and consulting firm, often says, “You can’t defend what you don’t know exists.” The longer you wait, the harder this essential step becomes. He elaborates, “Because if something is inside of your environment that you don’t know exists, it’s susceptible to become legacy, to not get patched, to not get addressed, to not be protected in some way.”
Data collection and retention
Reducing your attack surface starts with how you gather, store, and maintain data. For example, Cacioppo advises, “Don’t store more customer data than you need to provide your service.” This includes deleting old customer data. Handling a breach is challenging, but it’s even more challenging when you are responsible for leaking the information of a customer who stopped using your product or services years ago. Given the importance of data in tech, some of Cacioppo’s advice seems counterintuitive but holding on to “dark data” increases the attack surface that a hacker can exploit.
Avoid storing the same data in multiple parts of your databases, especially customer data. Use cross-references like a unique customer number instead.
The less data you have, the less there is to steal.
Basic security methods
There are plenty of advanced cyber security tools, but Haugli suggests you “Focus on the basics and implement those really well before you start buying any of the shiny new objects that everyone else is selling.” If you buy tools and fail to utilize them, they become “shelfware,” which can become a security issue because of a false sense of safety or a lack of software maintenance.
According to Haugli, some of these basics are multi-factor authentication, email security, and app security.
Multi-factor authentication adds a layer of security by requiring more information than just a username and password to access your system. The most commonly used form of multi-factor authentication is a code randomly generated by a security token or app.
Increasing email security goes beyond avoiding malicious links and attachments. Haugli also warns against replying to emails without removing sensitive information and using your email as a “pseudo file repository.”
As for app security, he says, “If you’re making a service—a product, a software platform, a SaaS, whatever it is—publicly available for consumption, you need to keep up-to-date with patching code, reviews, code security—the application itself.”
A few other basic steps are encrypting hard drives, backing up data, and unique passwords for every separate service you log into. Random strings of numbers, letters, and symbols are best, but those can be difficult to memorize. To help, utilize password managers and single sign-on—like G Suite.
These steps help secure your system, but there is always the human element to consider.
Building a security conscious team
Everyone at your company should understand their role in cyber security. Kongovi says, “Your whole team needs to be trained: if they see something, they should say something.” You can’t accomplish this with just a seminar or tutorial.
“It’s about cultural change and behavioral change in organizations.” Haugli adds,
Configuration changes and implementing processes is easy, but getting people to accept change and then make the change takes time.
Because success makes you a tempting target, you and your employees must be vigilant. For example, after reports of Vanta securing $50M from Sequoia Capital, hackers targeted Cacioppo’s employees with an increased number of phishing emails posing as her asking them to click a link. “That link would get that employee’s email password, and their information could be used to get unauthorized access to the system.” Good cyber security practices saved the day.
Testing your security
To ensure that you have effective cyber security, you need to test it. Many customers and investors require a Service Organization Control (SOC 2) audit. There are two types of SOC 2 audits—a Type I and a Type II.
Cacioppo explains, “In a Type I, we check a hundred different things to see if they’re in good shape, but we check them one day of the year.” She continues, “In a Type II, we check a hundred things, at least once an hour, and we run those checks over months.”
If you’re trying to balance cost and security, Cacioppo and Haugli both suggest you let your customers and investors be your guide. If they only require a Type I audit, start there. However, there are other financial considerations at play. Many insurance companies, like Vouch, offer better insurance rates if you have completed a more thorough Type II audit. But these are just the basics and shouldn’t stop you from continuing to build up your defenses.
Effective cyber security measures and proper employee training significantly reduce the risk of cyberattacks. This builds customer trust and investor confidence, making cyber security an essential investment.