We asked one of our design partners, Chris Hodson, to chat a bit about what security practices look like for startups. If you don’t know Chris – you absolutely should!
Chris is the Chief Security Officer for Cyberhaven. Prior to Cyberhaven, Chris held cybersecurity leadership roles at Contentful, Tanium, and Zscaler. In addition, Hodson serves as a board advisor at the workforce development platform Cybrary and is a fellow of the Chartered Institute of Information Security. He is also the author of Cyber Risk Management, a number-one bestseller on Amazon.
No matter your company’s growth phase, you should apply the principles of good security. What’s “good security” for one company is overkill for another and inadequate for a third. Good security depends on a company’s risk level and tolerance. Every company must implement the security controls required by location, industry, and other legal obligations. But that’s the minimum. Many companies don’t proactively and regularly assess likely threats and vulnerabilities and determine their acceptable level of risk. Fortunately, compliance frameworks are starting to address this issue.
Implementing basic security measures for a startup does not require a ton of cash or an army of people. It simply requires ruthlessly prioritizing implementation. No founder has time to dig into standards such as OWASP ASVS or NIST 800-53 to figure out what to prioritize. And to make matters worse, the standards have different methods for prioritizing. With cybersecurity being such a broad discipline, where do you start? Is application security more important than infrastructure hardening? When should I think about penetration testing? And…someone please tell me what a purple team is!
Don’t worry! Hopefully, I can provide some very practical guidance for startups to get “good security” in place without breaking the bank or killing the schedule. A lot of this basic hygiene revolves around identity and access management. I’ll summarize the basics into four areas:
- Visibility: understanding your identity footprint
- Authentication: fortifying credentials with multi-factor authentication
- Controlling: defining and mapping sensitive data while implementing access restrictions for important systems
- Responding: monitoring and having a plan for dealing with security incidents
Visibility – understanding your identity footprint
You’ve got to know who is accessing what applications…and how. This matters for your security and IT teams, and your finance team will love you for it. In other words, can you identify the credentials being used to access your business applications?
Like everything, visibility is a journey. You can get basic visibility fairly quickly in most of the default dashboards, such as Google Workspace. As a security professional, I am particularly concerned about credentials: Are company credentials being used to log into or used through OAuth/OIDC to grant access to third-party apps and plugins that you are not aware of? If your company uses “login with Google” everywhere, are you sure that users are not accidentally delegating access to poorly configured or malicious services?
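One concrete way to answer the OAuth question above is to pull the list of third-party app grants out of your identity provider and flag the ones that carry broad scopes. The script below is an added example, not code from the original post or from Cyberhaven. It works over a constructed sample whose field names loosely follow the Google Admin SDK Directory API "tokens" resource; the app names, client IDs, users, scope list and allowlist are all assumptions for illustration.

```python
import json

# Constructed list of OAuth scopes that grant broad access to mail, files or the
# user directory. Adjust it to the scopes your tenant considers sensitive.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user",
}

# Constructed sample export. The field names loosely follow the Google Admin SDK
# Directory API "tokens" resource, but the apps, client IDs and users are made up.
SAMPLE_GRANTS = json.loads("""
[
  {"userKey": "alice@example.com", "clientId": "111-slack.apps.example",
   "displayText": "Slack", "scopes": ["openid", "email", "profile"]},
  {"userKey": "alice@example.com", "clientId": "222-emailsuperplugin.example",
   "displayText": "Email Super Plugin",
   "scopes": ["openid", "https://mail.google.com/"]},
  {"userKey": "bob@example.com", "clientId": "222-emailsuperplugin.example",
   "displayText": "Email Super Plugin",
   "scopes": ["openid", "https://mail.google.com/"]},
  {"userKey": "bob@example.com", "clientId": "333-approved-crm.example",
   "displayText": "Approved CRM",
   "scopes": ["openid", "https://www.googleapis.com/auth/drive"]},
  {"userKey": "carol@example.com", "clientId": "444-pdf-tool.example",
   "displayText": "Free PDF Tool",
   "scopes": ["openid", "https://www.googleapis.com/auth/drive"]}
]
""")

# Constructed allowlist of client IDs the company has reviewed and approved.
APPROVED_CLIENT_IDS = {"333-approved-crm.example"}


def risky_scopes(grant):
    """Return the sorted subset of a grant's scopes that are on the high-risk list."""
    return sorted(set(grant["scopes"]) & HIGH_RISK_SCOPES)


def audit_grants(grants, approved=APPROVED_CLIENT_IDS):
    """Flag every grant to an unapproved app that carries a high-risk scope.

    Each finding records who delegated access, to which app, and which scopes.
    """
    findings = []
    for grant in grants:
        if grant["clientId"] in approved:
            continue
        scopes = risky_scopes(grant)
        if scopes:
            findings.append({
                "user": grant["userKey"],
                "app": grant["displayText"],
                "client_id": grant["clientId"],
                "scopes": scopes,
            })
    return findings


def app_footprint(grants):
    """Count distinct users per app, to see which third-party apps are most widespread."""
    users_per_app = {}
    for grant in grants:
        users_per_app.setdefault(grant["displayText"], set()).add(grant["userKey"])
    return {app: len(users) for app, users in users_per_app.items()}


if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS):
        print(f"{f['user']} granted {f['app']} ({f['client_id']}): {', '.join(f['scopes'])}")
    print("users per app:", app_footprint(SAMPLE_GRANTS))
```

Keying the allowlist on client ID rather than display name matters: the display name is chosen by the app developer, so a look-alike app can call itself whatever it wants, whereas the client ID is what the token was actually issued to.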
Authentication – fortifying credentials with multi-factor authentication
Please ensure that MFA is enabled everywhere. Yes…everywhere. MFA is simple and relatively easy to implement. Why settle for single-factor authentication anywhere? Look at the recent security incident at LastPass, where cybercriminals managed to obtain the vaults containing all the passwords and secrets. The vaults are typically protected with a single factor – password – and now hackers have all the time in the world to brute-force the vault. While I’m sure you’re NOT an average netizen, one that has a weak password that’s reused often, it’s worth a check nonetheless: haveibeenpwned.com/!
The level of security needed for MFA should be based on the sensitivity of the asset or environment. Is SMS-based MFA suitable for securing production cloud infrastructure? No. Is it suitable for personal access to my podcast service? Probably. The bottom line: don’t make it easy for attackers to access your systems. It’s not worth the risk.
No security solution is infallible. With multi-factor, the option with the lowest barrier to entry is also the one most easily bypassed. Time to consider your cyber risk equation. SMS-based MFA serves as an additional hurdle for a would-be adversary to navigate, but one that persistent, capable cybercriminals are becoming more adept at bypassing. Where you can remove cellular networks from your MFA strategy, that’s a good move! For the most sensitive of credentials and system access, try to find solutions that require you to have something physically in your possession – a hardware key, a phone’s secure enclave…something that cannot be stolen by clicking on a carefully-crafted phishing link or delivered to a sim-swapped cellphone! Just give passwords the finger.
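The two paragraphs above boil down to a policy: rank factors by strength, set a minimum tier per system according to its sensitivity, and find every user whose strongest enrolled factor falls short of the systems they use. The script below is an added example, not code from the original post; the tier ranking, the system policy and the user export are constructed assumptions that follow the article's reasoning (SMS weakest, possession-based phishing-resistant factors strongest).

```python
# Strength tiers for authentication factors, weakest to strongest. Constructed
# ranking for this example: SMS is the weakest second factor, app-based codes and
# push sit in the middle, and possession-based phishing-resistant factors
# (hardware keys, platform authenticators / passkeys) sit at the top.
FACTOR_STRENGTH = {
    "none": 0,
    "sms": 1,
    "totp": 2,
    "push": 2,
    "fido2_key": 3,        # hardware security key
    "platform_auth": 3,    # phone or laptop secure enclave / passkey
}

# Constructed policy: minimum factor tier required per system, by sensitivity.
SYSTEM_POLICY = {
    "cloud-prod-console": 3,
    "source-control": 2,
    "email": 2,
    "wiki": 1,
}

# Constructed sample of users, their enrolled factors, and the systems they access.
SAMPLE_USERS = [
    {"user": "alice@example.com", "factors": ["fido2_key", "totp"],
     "systems": ["cloud-prod-console", "source-control", "email"]},
    {"user": "bob@example.com", "factors": ["sms"],
     "systems": ["cloud-prod-console", "email"]},
    {"user": "carol@example.com", "factors": ["totp"],
     "systems": ["source-control", "wiki"]},
    {"user": "dave@example.com", "factors": [],
     "systems": ["email", "wiki"]},
]


def strongest_factor(factors):
    """Return (name, tier) of the strongest enrolled factor; ('none', 0) if nothing is enrolled."""
    if not factors:
        return "none", 0
    name = max(factors, key=lambda f: FACTOR_STRENGTH[f])
    return name, FACTOR_STRENGTH[name]


def find_violations(users, policy=SYSTEM_POLICY):
    """List every (user, system) pair where the user's best factor is below the system's bar."""
    violations = []
    for u in users:
        name, tier = strongest_factor(u["factors"])
        for system in u["systems"]:
            required = policy[system]
            if tier < required:
                violations.append({
                    "user": u["user"], "system": system,
                    "have": name, "have_tier": tier, "need_tier": required,
                })
    return violations


def users_without_mfa(users):
    """Users with no second factor enrolled at all, the 'MFA everywhere' gap."""
    return [u["user"] for u in users if strongest_factor(u["factors"])[1] == 0]


if __name__ == "__main__":
    print("no MFA at all:", users_without_mfa(SAMPLE_USERS))
    for v in find_violations(SAMPLE_USERS):
        print(f"{v['user']} uses {v['have']} (tier {v['have_tier']}) for "
              f"{v['system']}, which needs tier {v['need_tier']}")
```

Running this against a real export makes the remediation list concrete: `users_without_mfa` is the "enable it everywhere" backlog, and `find_violations` is the list of people who need a hardware key before they keep their production access.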
Controlling – Defining and mapping sensitive data while implementing access restrictions for important systems
Lots of companies take a set-and-forget approach to data protection. Their information protection strategy is predicated on knowing and defining all their sensitive data repositories and creating clunky pattern-matching rules. Little focus is applied to knowing how data flows or the multitude of identities interacting with information.
To qualify what is ‘good enough’ requires a holistic understanding of the applications, identities, and information usage in your company. What is sensitive, who has access to it and how do they use it? When you know what you’re trying to protect — along with its relative sensitivity and attractiveness to cybercriminals — it is easier to evaluate your tolerance for security-vs-usability.
When working with business stakeholders, try to decompose their business processes into a layered model of applications, infrastructure, and data. From there, evaluate how and where identities are consumed. We’re here today to focus on identity controls but for more on building risk management strategies, you might be interested in some of my other musings.
Responding – Monitoring and having a plan for dealing with security incidents
Inevitably, it happens to all of us – an incident. Ideally, the incident is a detected attack with evidence it’s been thwarted. But sometimes you are concerned that something malicious happened on your watch. It is helpful to have a forensic record that can be used in the event of a security incident where credentials could have been compromised or misused. When you have the option, log, log, log.
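Logging only pays off if something reads the logs. Here is an added example, not code from the original post, of two simple detections run over a constructed stream of authentication events: a successful login from a country never before seen for that user, and a success that follows a run of failures for the same account. The event format, users, IPs and countries are all made up for illustration; real identity providers export comparable fields under their own names.

```python
import json
from collections import defaultdict

# Constructed sample of authentication events, one JSON object per line, in the
# order they were logged. The users, IPs and countries are made up.
SAMPLE_LOG = """
{"ts": "2024-03-01T08:00:00Z", "user": "alice@example.com", "result": "success", "ip": "203.0.113.10", "country": "GB", "app": "email"}
{"ts": "2024-03-01T08:05:00Z", "user": "alice@example.com", "result": "success", "ip": "203.0.113.10", "country": "GB", "app": "wiki"}
{"ts": "2024-03-02T02:10:00Z", "user": "alice@example.com", "result": "success", "ip": "198.51.100.7", "country": "RO", "app": "email"}
{"ts": "2024-03-02T03:00:00Z", "user": "bob@example.com", "result": "failure", "ip": "192.0.2.44", "country": "US", "app": "cloud-prod-console"}
{"ts": "2024-03-02T03:00:05Z", "user": "bob@example.com", "result": "failure", "ip": "192.0.2.44", "country": "US", "app": "cloud-prod-console"}
{"ts": "2024-03-02T03:00:09Z", "user": "bob@example.com", "result": "failure", "ip": "192.0.2.44", "country": "US", "app": "cloud-prod-console"}
{"ts": "2024-03-02T03:00:12Z", "user": "bob@example.com", "result": "failure", "ip": "192.0.2.44", "country": "US", "app": "cloud-prod-console"}
{"ts": "2024-03-02T03:00:20Z", "user": "bob@example.com", "result": "success", "ip": "192.0.2.44", "country": "US", "app": "cloud-prod-console"}
{"ts": "2024-03-02T09:00:00Z", "user": "carol@example.com", "result": "success", "ip": "203.0.113.77", "country": "GB", "app": "email"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def new_country_logins(events):
    """Flag a successful login from a country not previously seen for that user.

    A user's very first login establishes a baseline and is not flagged.
    """
    seen = defaultdict(set)
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        known = seen[e["user"]]
        if known and e["country"] not in known:
            alerts.append({"rule": "new_country", "user": e["user"],
                           "country": e["country"], "ts": e["ts"], "ip": e["ip"]})
        known.add(e["country"])
    return alerts


def failures_then_success(events, threshold=3):
    """Flag a success preceded by at least `threshold` consecutive failures for
    the same user: a credential-guessing run that eventually got in."""
    streak = defaultdict(int)
    alerts = []
    for e in events:
        if e["result"] == "failure":
            streak[e["user"]] += 1
            continue
        if streak[e["user"]] >= threshold:
            alerts.append({"rule": "failures_then_success", "user": e["user"],
                           "failures": streak[e["user"]], "ts": e["ts"], "ip": e["ip"]})
        streak[e["user"]] = 0
    return alerts


def run_detections(text):
    """Run both rules over a log and return the alerts in time order."""
    events = parse_events(text)
    alerts = new_country_logins(events) + failures_then_success(events)
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for a in run_detections(SAMPLE_LOG):
        print(a)
```

Both rules are deliberately state-light so they can run over a day's export in a cron job; the forensic value is that every alert carries the timestamp, IP and user needed to pull the surrounding events when the incident response process kicks in.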
Also, have an incident response process defined and make sure it’s tested. When you’re evaluating business continuity plans for your company, try to align scenarios with situations that your executives would care about.
My last thoughts
Implementing basic security measures for startups does not have to be a costly or time-consuming process. By understanding your internet presence, enabling multi-factor authentication everywhere, applying granular controls and access restrictions for important systems, and regularly monitoring and having an incident response plan in place, you can significantly improve the security of your company without spending a lot of your well-raised cash.
Security is a practice, not a one-time event. Time to practice the basics!