How startups can take a risk-based approach to network security

You have a great idea for a startup. You come up with a solid business plan. You pitch it over and over and over. You get funding. Everything is in place. Off you go!

Then the data breach happens. Your customers aren’t happy. Your investors aren’t happy.

What went wrong?

Before I dive into what went wrong, let’s talk about what a startup actually is.

A startup is a company that is typically:

  1. Expected to scale dramatically
  2. Five years or younger
  3. Pre-revenue

For most startups, security isn’t a priority. Security teams and budgets are small, if they even exist. Getting a product or service to market in the shortest amount of time is priority number one. They need to start generating revenue as soon as possible. Implementing effective network security controls often delays the process.

Startups cannot afford to have any kind of extensive change management process. The ability to continuously deploy code to production with minimal QA and peer review has become part of the code deployment process, and there is often no time to perform any type of secure code review. It’s very important to develop a secure coding framework, such as OWASP (Open Web Application Security Project), depending on the underlying technology.

In the world of startups, things often move extremely fast. The ability to quickly identify any potential vulnerabilities and fix them is paramount. Startups need to create an environment where employees are motivated to identify security incidents and report them without worrying about any repercussions. Security awareness is extremely important in startups. They have to look for creative ways to educate employees about security breaches and incidents. New vulnerabilities turn up almost daily, and it is critical that they identify them with scanning tools and fix them in a timely manner. These tools should be able to do the following:

  • Run vulnerability scans on a regular basis to identify any anomalies.
  • Categorize known vulnerabilities based on a risk rating scheme.
  • Suggest remediation steps, if any exist.

Startups should try to use the least number of tools to accomplish as many things as possible. When done correctly, one may be able to address any security issues with a single tool that provides integrated results. This is critical for startups, because they have limited budgets.

It is also very important that startups understand potential business threats before they can protect their data. Implementing risk analysis frameworks, such as Open FAIR, can certainly help to:

  • Perform risk assessments.
  • Assign threat levels.
  • Evaluate any appropriate controls.

Last but not least, the quickest way to reduce an attack surface is too close unneeded services and protocols. If you don’t need them, shut them down immediately.

Information security doesn’t have to be difficult or expensive for startups that use a risk-based approach to security. They can implement increased security in a cost-effective manner by targeting well-known risk areas from the start. By performing an analysis and focusing on high-risk areas, startups that have limited budgets and teams can still create strong security.