Protecting your own and your customers' data when your organization is still in its initial phases can be a daunting task, and may not seem like a priority to your investors or leadership team. Not everyone in the company may understand how essential cybersecurity is or what types of data need to be protected. However, every organization, small, medium or large, should consider building a security program based on industry practices to keep its data and applications secure. Following are some recommendations that startups can follow to have Minimum Viable Security in place:
Train Your People from the Very Beginning
Training is the easiest control startups can implement, but it can have a huge impact on securing your organization. Train your employees right from the start. Consider conducting periodic security trainings that explain the basics of security and how to handle sensitive information. Make it part of the process and a regular event rather than a one-time exercise.
Account Monitoring and Control
Another critical element of security is keeping records of who is authorized to access data and when they access it. Only approved, authorized, and credentialed users should be able to access sensitive information. Two-factor or multi-factor authentication should be implemented to provide an additional layer of security. Maintaining audit logs of who has accessed data makes it easier to minimize risk and identify potential threats that could compromise precious data.
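As an added illustration of the point above (example code written for this article, not part of the original post), the script below reviews a small set of constructed audit-log lines against an allow-list of authorized accounts. It flags three things a startup would want to see early: access by an account that is not on the authorized list, access that completed without MFA, and access outside business hours. The log format, the account names and the resource name are all assumptions made for the example.

```python
"""
Audit-log review against an allow-list of authorized users.
Added example, not from the original post. The log format, the
authorized accounts and the sample events are all constructed.
"""
from collections import Counter
from datetime import datetime, time

# Constructed allow-list: accounts permitted to touch the "customer_db" data set.
AUTHORIZED = {"alice", "bob"}

# Constructed review window: access outside 07:00-20:00 is worth a second look.
BUSINESS_HOURS = (time(7, 0), time(20, 0))

# Constructed audit records, one per line:
# "<ISO timestamp> <user> <resource> <action> mfa=<yes|no>"
SAMPLE_LOG = """\
2024-03-04T09:12:44 alice customer_db read mfa=yes
2024-03-04T10:03:11 bob customer_db read mfa=yes
2024-03-04T22:41:07 alice customer_db export mfa=yes
2024-03-05T03:15:30 carol customer_db read mfa=no
2024-03-05T11:20:02 bob customer_db read mfa=no
"""


def parse_line(line):
    """Split one audit record into a dict; raises ValueError on malformed input."""
    ts, user, resource, action, mfa = line.split()
    if not mfa.startswith("mfa="):
        raise ValueError(f"unexpected mfa field: {mfa!r}")
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "resource": resource,
        "action": action,
        "mfa": mfa.split("=", 1)[1] == "yes",
    }


def review(log_text, authorized=AUTHORIZED, hours=BUSINESS_HOURS):
    """Return a list of (timestamp, user, reason) findings for the given log text."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["user"] not in authorized:
            findings.append((ev["ts"], ev["user"], "unauthorized account"))
        if not ev["mfa"]:
            findings.append((ev["ts"], ev["user"], "access without MFA"))
        if not (hours[0] <= ev["ts"].time() <= hours[1]):
            findings.append((ev["ts"], ev["user"], "outside business hours"))
    return findings


def summarize(findings):
    """Count findings per reason so the report fits on one screen."""
    return dict(Counter(reason for _, _, reason in findings))


if __name__ == "__main__":
    results = review(SAMPLE_LOG)
    for ts, user, reason in results:
        print(f"{ts.isoformat()}  {user:<8} {reason}")
    print("summary:", summarize(results))
```

Run on the constructed log, the review reports five findings: one export by an authorized user late at night, three for the unlisted account "carol" (not authorized, no MFA, and outside hours), and one MFA-less read by "bob". In practice the allow-list would come from your identity provider and the log lines from your application or cloud audit trail; the checks themselves stay the same.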
Patch Management
Security patches and updates are designed to prevent newer security threats by protecting against known vulnerabilities. Organizations should define a process to identify, test and implement patches in a timely fashion. Unpatched systems are exposed to known issues and become easy prey for attackers.
Follow safe password practices
This has been said in every security post, but we cannot overstate the importance of establishing and enforcing a strict password policy for all applications, systems, servers and endpoint machines. For administrative accounts, ensure you have strong passwords and, if possible, two-factor authentication.
Scanning for Vulnerabilities
Every application available on the internet is regularly scanned for security loopholes and known vulnerabilities, which are caused by developer mistakes, open ports, services and protocols. At a minimum, every startup should periodically scan its code, web sites and any internet-facing applications to reassess them and ensure they are safe and not prone to known vulnerabilities.
Know your Vendor
Just like the Know Your Customer practice that financial institutions follow, every organization should “Know your Vendor”. Most recent attacks happened not because the organizations failed to follow security guidelines, but because the vendors with access to those organizations did not have adequate security controls in place. If you are using third-party development firms, managed providers or anyone else who has access to your applications, infrastructure or physical premises, ensure they follow the same security standards as you do.