Cybersecurity for startups – top 10 practical recommendations
Cybersecurity for startups – good and bad recommendations
Providing generic recommendations in the area of cybersecurity for startups is not an easy task. This is because every company is different, has a different structure, and protects different assets. On top of that, I’ve seen articles with very bad recommendations, which may be more harmful than useful.
Additionally, very often articles cover just the surface of cybersecurity for startups leaving readers with a knowledge gap. This forces them to either hire a company or implement the generic concepts by a trial and error when searching for more information on the Internet.
That is why I decided to create a series of articles covering practical cybersecurity recommendations for startups.
This is the first post of the series “Cybersecurity for startups” aiming to help increase the cybersecurity of startups by going through every security recommendation step-by-step.
In this article I’ll present the Top 10 Practical Cybersecurity Recommendations for Startups with a limited budget:
- Practical Security Recommendations for Start-ups with Limited Budgets
- Top 10 practical cybersecurity recommendations for startups – Infographic
- A clever way to approach cybersecurity recommendations for your startup
- Who is after your startup?
- Most common cyberattacks
- Follow the most important cybersecurity recommendations for your startup
- Cybersecurity for startups – Checklist
- Generic cybersecurity recommendation
- Beyond the cybersecurity recommendations
Practical security recommendations for start-ups with limited budgets
The inspiration for this series is the article created by Alex Chapman featuring Practical Security Recommendations for Start-ups with Limited Budgets.
Alex is an IT security professional and recent startup founder, which allows him to look at cybersecurity from both perspectives.
His recommendations are indeed practical, unlike those in some other articles; therefore, I highly recommend reading Alex’s article.
In this series, we will look at cybersecurity for startups from a bit different perspective and expand on the topics mentioned in Alex’s article.
Top 10 practical cybersecurity recommendations for startups – infographic
To make things easier we created the infographic featuring 10 practical security recommendations for startups presented by Alex.
That way you can easily visualize all the recommendations and quickly remember the most important ones.
A clever way to approach cybersecurity recommendations for your startup
Instead of diving into specific recommendations, I would like to start from a different angle. There is always something to be done in the area of cybersecurity. No matter how much you secure yourself, no one can guarantee that you are unhackable. I briefly wrote about it in the article about penetration testing reports: 3 things that you will not find in a penetration testing report. Because no solution secures your startup against all cyberattacks, it makes sense to focus on the most important areas first. But the most important ones for you, not for others.
To know what is the most important for you, ask yourself the following three questions:
- What valuable assets does my company have?
- What types of threats exist that aim at my assets?
- How much will it cost if any of the threats materialize themselves?
By assets, I mean everything valuable to your company such as:
- Company know-how in the form of documentation and procedures
- Sensitive company data in the form of documents, emails, and source code
- Sensitive customers’ data in the form of databases, credentials, personal information, and financial documents
- Services supporting your startup such as email, document storage, task management systems, network devices
The second question I’ll expand on in the next section of this article.
The answer to the last question does not have to be very precise at the beginning. It can be an estimate of the time and money required to handle a potential attack of defined threats to your assets.
It is important to write all of the answers down and sort them in the order of perceived importance.
Who is after your startup?
When defining threats that can pose harm to your startup, they can be grouped into the following categories:
- Criminal groups – Organized cybercriminal groups with financial motives. They more often use wide attacks targeting multiple organizations using the same technique rather than focusing on a specific company.
- Individual criminals – Cybercriminals with lower budgets and skillset than criminal groups. Often their main motivation is also financial or political.
- Malicious insiders – An employee or an ex-employee who wants to profit from the company’s assets, damage the organization for personal reasons, or conduct cyber espionage.
- Terrorist organizations – Criminal organizations whose main goal is to influence a political decision, damage economies, or cause physical harm to citizens.
- Nation-State Threat Actors – National agencies with huge financial support, significant technical capabilities, and additional resources that focus on specific targets. Those targets are usually big companies and critical organizations, and the goal is to achieve a very precise intelligence or counter-intelligence advantage over a defined “enemy”.
I sorted the above threats in order of importance for the typical startup.
Let’s be honest: regardless of whether you have just one or twenty employees, you will not be able to effectively protect against Nation-State Threat Actors with billion-dollar budgets and access to a nation’s core cellular or Internet infrastructure. Even huge corporations very often fail to do that. It is definitely possible to make it much harder for these types of threat actors, but it is just not practical, as there is very little chance that you are a defined target for such an organization.
Cybercriminal groups that target a wide audience, or individual criminals targeting organizations with weaker security, are much more common, and the effort required to protect against them is incomparably lower.
However, the sad truth is that you may still be an indirect victim of Nation-State Threat Actors in so-called supply-chain attacks. In these types of attacks, an attacker compromises an organization whose infrastructure then serves as a proxy for attacks on others. The supply-chain attack is also used by individual cybercriminals and organized groups. They sell access to the organization’s infrastructure, or even specific services such as Distributed Denial of Service (DDoS), spam, or proxying for other attackers, on the black market.
The Verizon team in the Data Breach Investigations Report 2020 summarizes it in the following way:
The simple fact is this: If you leave your internet-facing assets so unsecured that taking them over can be automated, the attackers will transform your infrastructure into a multi-tenant environment.
Most common cyberattacks
Since you already know what types of threat actors exist, it is also important to know what the most common attacks used by those threat actors are. As previously mentioned, Verizon’s team creates a report every year describing data breach statistics. The Data Breach Investigations Report 2022 includes eight incident categories that reflect the most common attacks.
Some of the categories may not be easy to understand so here is the list of those categories with their quoted descriptions:
- Basic Web Application Attacks – These attacks are against a Web application, and after initial compromise, they do not have a large number of additional Actions. It is the “get in, get the data and get out” pattern.
- Denial of Service – Attacks intended to compromise the availability of networks and systems. This includes both network and application layer attacks.
- Lost and Stolen Assets – Incidents where an information asset went missing, whether through misplacement or malice.
- Miscellaneous Errors – Incidents where unintentional actions directly compromised a security attribute of an information asset. This does not include lost devices, which are grouped with theft instead.
- Privilege Misuse – Incidents predominantly driven by unapproved or malicious use of legitimate privileges.
- Social Engineering – A psychological compromise of a person that alters their behavior into taking an action or breaching confidentiality.
- System Intrusion (7013 incidents) – Complex attacks that leverage malware and/or hacking to achieve their objectives including deploying Ransomware.
- Everything Else – This “pattern” isn’t really a pattern at all. Instead, it covers all incidents that don’t fit within the orderly confines of the other patterns. Like that container where you keep all the cables for electronics, you don’t own anymore: Just in case.
Follow the most important cybersecurity recommendations for your startup
You have your valuable assets defined. You know what cyber threats exist and what attacks they use. You estimated the damages of a successful attack on each of your assets. You also know what the typical cybersecurity recommendations for startups are. Now it’s time to connect the dots, choose the recommendations for you, and prioritize them. To help you with this process, I assigned typical attacks (incident categories from Verizon’s report) to the recommendations that should minimize the risk of a successful attack. You can also see what type of data will be protected after implementing a specific recommendation.
It is important to note that this assignment is subjective, and other experts can do it differently.
Recommendation title | Technical Ability | Impact | Incident categories | Number of incidents |
---|---|---|---|---|
Use a Password Manager and Two-Factor Authentication | Low | High | Social Engineering, System Intrusion, Basic Web Application Attacks | 14 013 |
Develop with Modern Frameworks | Medium | Medium | Basic Web Application Attacks, System Intrusion | 11 764 |
Configure an Edge Security Service | Low/Medium | Medium | Denial of Service, Basic Web Application Attacks | 13 207 |
Enable HTTP Security Headers | Low/Medium | Medium | Basic Web Application Attacks | 4751 |
Apply Security Patches | Medium | High | Basic Web Application Attacks | 4751 |
Backup User Data and Source Code | Medium | Medium | Lost and Stolen Assets, Basic Web Application Attacks, Social Engineering, System Intrusion | 14 898 |
Centralize All Logging | Low | Medium | Privilege Misuse, Lost and Stolen Assets, Basic Web Application Attacks, Social Engineering, System Intrusion | 15 173 |
Recruit the Good Hackers | Low | High | Miscellaneous Errors, Basic Web Application Attacks, System Intrusion | 12 479 |
Service Containerization | High | High | Basic Web Application Attacks, System Intrusion | 11 764 |
Deploy Canary Tokens | Low | High | Lost and Stolen Assets, Social Engineering, Basic Web Application Attacks, Social Engineering, System Intrusion | 17 147 |
Cybersecurity for startups – checklist
It is good to know about all of it but the knowledge is useless if no action is taken. To make the action even easier for you we created the document containing the checklist of recommendations to implement. This will help you keep track of what you plan to implement and what is already implemented. That way you will not forget about anything:
Generic cybersecurity recommendation
All this may seem complex and lengthy but the general approach is quite simple.
Think of the most valuable thing in your startup. This is your company’s valuable asset. Think how much time, effort, and money you would require if this asset gets destroyed, stolen, or corrupted.
Once you have that, think of the potential ways the bad actors can get to it. We call them “attack vectors”. Subsequently, focus on limiting the attack vectors and protecting those valuable assets first.
This process is a bit longer than a typical “read and apply” approach, but in the long run, it can save time and resources by focusing on the most valuable assets and most probable attack vectors.
Moreover, if you do it right and document everything on the way, increasing cybersecurity in your startup will be easier in the future, as you will already have the groundwork. As your company grows, you will need to add new assets and reprioritize the list.
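The following script is an added illustration, not code from the original article or from Alex Chapman’s recommendations. It turns the three questions from the asset section (what is valuable, what threatens it, what it costs to recover) and the recommendation-to-incident-category assignment from the table into a ranked list: assets sorted by expected loss, and recommendations sorted by how much of that expected loss they cover per unit of effort. All asset values, likelihood weights, and effort scores are constructed placeholders, not figures from the article or the Verizon report.

```python
"""Tiny risk-prioritization register (added example, not the article's own method).

Two outputs:
  rank_assets()          - assets ordered by total expected loss (write it down, sort it)
  rank_recommendations() - controls ordered by covered expected loss divided by effort
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    loss_if_compromised: float   # question 3: estimated cost (money or hours) to recover
    threatened_by: set[str]      # question 2: incident categories aimed at this asset


@dataclass
class Recommendation:
    title: str
    mitigates: set[str]          # incident categories the control reduces
    effort: int                  # 1 = low technical ability, 2 = medium, 3 = high


# Relative likelihood that a given incident category hits a startup in a year.
# Constructed weights for illustration only; NOT counts from the DBIR.
THREAT_LIKELIHOOD = {
    "Basic Web Application Attacks": 0.30,
    "Social Engineering": 0.25,
    "System Intrusion": 0.20,
    "Lost and Stolen Assets": 0.10,
    "Denial of Service": 0.05,
    "Privilege Misuse": 0.05,
    "Miscellaneous Errors": 0.05,
}


def asset_risk(asset: Asset, likelihood=THREAT_LIKELIHOOD) -> dict[str, float]:
    """Expected loss per category for one asset: recovery cost x likelihood of each threat aimed at it."""
    return {cat: asset.loss_if_compromised * likelihood[cat] for cat in asset.threatened_by}


def rank_assets(assets: list[Asset], likelihood=THREAT_LIKELIHOOD) -> list[Asset]:
    """Assets sorted by total expected loss, highest first."""
    return sorted(assets, key=lambda a: sum(asset_risk(a, likelihood).values()), reverse=True)


def rank_recommendations(assets: list[Asset], recs: list[Recommendation],
                         likelihood=THREAT_LIKELIHOOD) -> list[tuple[str, float, float]]:
    """Score each recommendation by the expected loss it covers, divided by its effort.

    Returns (title, covered_expected_loss, score) tuples, best score first.
    """
    exposure: dict[str, float] = {}          # total expected loss per category across all assets
    for asset in assets:
        for cat, loss in asset_risk(asset, likelihood).items():
            exposure[cat] = exposure.get(cat, 0.0) + loss
    scored = []
    for rec in recs:
        covered = sum(exposure.get(cat, 0.0) for cat in rec.mitigates)
        scored.append((covered / rec.effort, covered, rec))
    scored.sort(key=lambda t: t[0], reverse=True)
    return [(rec.title, round(covered, 2), round(score, 2)) for score, covered, rec in scored]


# Constructed sample register: the asset list and loss estimates are made up for the demo.
SAMPLE_ASSETS = [
    Asset("Customer database", 50_000, {"Basic Web Application Attacks", "System Intrusion", "Privilege Misuse"}),
    Asset("Source code repository", 20_000, {"Social Engineering", "System Intrusion", "Lost and Stolen Assets"}),
    Asset("Company email", 10_000, {"Social Engineering", "Basic Web Application Attacks"}),
    Asset("Public website", 5_000, {"Denial of Service", "Basic Web Application Attacks"}),
]

# Category assignments follow the table in the article; effort levels map Low/Medium/High to 1/2/3.
SAMPLE_RECS = [
    Recommendation("Use a Password Manager and Two-Factor Authentication",
                   {"Social Engineering", "System Intrusion", "Basic Web Application Attacks"}, 1),
    Recommendation("Apply Security Patches", {"Basic Web Application Attacks"}, 2),
    Recommendation("Backup User Data and Source Code",
                   {"Lost and Stolen Assets", "Basic Web Application Attacks",
                    "Social Engineering", "System Intrusion"}, 2),
    Recommendation("Configure an Edge Security Service", {"Denial of Service", "Basic Web Application Attacks"}, 2),
    Recommendation("Service Containerization", {"Basic Web Application Attacks", "System Intrusion"}, 3),
]

if __name__ == "__main__":
    for asset in rank_assets(SAMPLE_ASSETS):
        print(f"{asset.name:25s} expected loss {sum(asset_risk(asset).values()):>10.2f}")
    for title, covered, score in rank_recommendations(SAMPLE_ASSETS, SAMPLE_RECS):
        print(f"{title:55s} covers {covered:>10.2f}  score {score:>10.2f}")
```

Re-running the script after changing a single number (say, the recovery cost of the customer database) shows why the article insists on writing the answers down: the recommendation order shifts with your own asset values, not with a generic list.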
The next article will shed some light on our first security recommendation for startups: using a password manager and two-factor authentication (2FA).
Beyond the cybersecurity recommendations
Implementing the above recommendations automatically puts your start-up on another level in terms of security. The most mature startups also verify that the security mechanisms they implemented work as intended.
If your start-up is one of those mature start-ups where you value cybersecurity and would like to verify whether all the mechanisms were implemented correctly, contact us.
We help in verifying and increasing cybersecurity for startups by conducting penetration testing, vulnerability assessment, red teaming, and other types of cybersecurity services.