By May 7, 2021

A Programmer’s Guide To Securing Their Startup

securing startup cyberattacksProgramming is one of the best professions when it comes to founding a startup. Programmers’ knowledge of developing applications makes them ideal candidates for being technical co-founders, and if you combine this technical knowledge with some business acumen, you can have a great CEO in the making.

For those of you who will go on to build your own applications and start your own businesses, it’s important that you learn about all of the business aspects required to be successful. One of these issues is cybercrime. It’s estimated that there is a cyberattack every 39 seconds, which means it’s no longer a matter of if but when your startup company will be targeted.

Startup companies are especially vulnerable to any financial shocks, as the average data breach costs $3.9 million to a business. In the United States in particular, that number jumps to $8.19 million per data breach. About 60% of small to medium-sized businesses that experience a data breach goes out of business within six months.

Therefore, it’s extremely important that startup companies take the proper steps to protect themselves from being hacked.

Understandably, many startups are more focused on developing their product, marketing, and hiring new employees to expand the business. They simply don’t have the time, money, or desire to invest heavily in cybersecurity. But worry not, as I’ve put together a list of simple ways to improve cybersecurity for your startup company. Let’s take a closer look.

Secure Code Practices

As a CEO or technical co-founder, your first security-related priority should be to create a secure product. Creating a secure product means focusing on secure coding practices to ensure that your application is not vulnerable to being hacked.

Veracode’s state of software security report found that 76% of all software applications have at least one security flaw. Much of these security flaws can be rectified if you take a few simple steps.

Firstly, you want to do some research to find out if any of the third-party libraries that you are using are known for being insecure.

Secondly, you should use industry standards to understand what the common web application vulnerabilities are and how to prevent them. One great resource is the open web application security project, which provides a lot of free information and resources for securing web applications.

Thirdly, you should perform code reviews of your source code. Source code reviews can be done manually by an expert. Or you can use static application security tools that can test your code for vulnerabilities without executing it. Another option is to use dynamic application security tools, which test your code for vulnerabilities at runtime.

Secure code practices are important throughout the entire software development lifecycle and should be a priority of any startup founder.

Protect Your Company’s Intellectual Property

As a startup, your Intellectual Property (IP) is your lifeblood; it’s important that you protect it. Protecting your IP means protecting it from people outside the company as well as insider threats.

Many times co-founders or employees who are hired early on may think they can execute on your idea better than you can, and they may try to steal your idea and form their own business. There are many examples of this, including the social media platform Facebook. To prevent this, there are a few things you can do.

Firstly, use the proper legal protections. This includes things like patents and trademarks to ensure that you are the only person with the legal right to use your IP. IP can include source code, designs, inventions, and pretty much any unique idea your company has. To find the right form of legal protection, you can consult this article.

Secondly, you need to make sure you obfuscate the code you use in your web applications so that other people cannot easily reverse engineer your work. Obfuscating your code makes it difficult for a human to read, therefore significantly slowing down any effort to reverse engineer it.

Monitor Your GitHub

One overlooked aspect of GitHub is the number of developers who accidentally commit passwords, usernames, IP addresses, access keys, or other things that can be used to hack into your startup.

You want to make sure you educate yourself and anyone else working on your business’s code on the importance of not posting this information to GitHub. A study of 13% of all GitHub repos by North Carolina State University found over 100,000 repos with leaked API tokens and cryptographic keys, with thousands of new secrets being leaked everyday.

Have a Password Policy

securing startup cyberattacksAccording to a Verizon report, weak and reused passwords accounted for 81% of data breaches. Therefore, an extremely simple yet effective change that you can make is to have a good password policy that should include the following points:

  • Strong Passwords: Passwords should be 12-16 characters in length, with upper and lowercase characters, at least 1 number, and at least 1 special character.
  • Password Rotation: Passwords should be changed every six months. The longer a password is in use, the more likely it will be exposed.
  • No Password Reuse: Passwords that have previously been used should not be used again once they have been rotated.
  • Use Two-Factor Authentication (2FA): If at all possible, you should always use 2FA on any business account that you have. It creates an extra layer of security for your account and makes it much more difficult to hack.

If you have trouble getting people to follow these guidelines, the simplest way is to use a technology solution to enforce these rules. If you provide your employees with laptops or you have an admin account on the platform that you use, often you can change settings to make sure that these rules are followed on lower-level accounts.

Have a Schedule for Data Backups

It’s important that you are prepared for the worst. Employees make mistakes, files are accidentally deleted, and things get lost or overwritten. There are many reasons why it’s a good idea to keep regular backups of important information for your company.

One such example is a ransomware incident where someone hacks into your company, encrypts your information, and charges you money to try and get it back. If you have a good offsite backup, you can recover fairly easily, but if you don’t, then you are at that person’s mercy.

Backups should be done as frequently as needed to keep your business covered. If you update your information every week with important information, then you may want to have weekly backups. It’s important to look at your business processes and decide on the best backup plan to fit your needs.

Use Bug Bounty Programs

If you have a web application and you’re worried about whether or not it is secure, you don’t need to figure that all out yourself. Bug Bounty programs allow you to crowdsource your security worries by working with security researchers across the globe.

One of the best features of bug bounty programs is that you pay them only if they find a relevant security issue in your application, which makes it very cost-effective for a startup.

Update Your Software

The next tip I will give is pretty much free but extremely important: Update all of your software. I’m sure we’ve all had that experience where we get a pop-up on our computer talking about a software update, but we click “remind me later” because we can’t be bothered.

Postponing updates on your personal machine may not be that bad an idea, but for a business it is a very dangerous habit. Many times important security issues that were found within the application are fixed in these updates, so you need to make it a habit to resolve these as soon as they pop up.

Only 50% of cyberattacks are zero-day, which means 50% of those attacks are the result of vulnerabilities that could have been patched.

Secure Your Startup

securing startup cyberattacksHaving poor cybersecurity causes billions of dollars worth of damage every year and has become the most profitable illegal business in the world. Startup companies are especially vulnerable because they lack the security controls and maturity that larger companies have.

To protect your business, it’s important that you look at all of the different elements of cybersecurity. This means having secure coding practices for building secure applications, protecting your Intellectual property, investing in protecting your employees’ user accounts, and being proactive in getting rid of security vulnerabilities through proper patching and security testing.

The average cost of a data breach in the U.S. is over $8 million, and this is why it’s important to think about how you can make your startup secure from the beginning so that you don’t end up having to spend a large amount of money fixing these issues later on as your company develops.

About the author

Shimon Brathwaite

Shimon Brathwaite is a cybersecurity professional, entrepreneur, consultant, and author at securitymadesimple. He is a graduate of Ryerson University in Toronto, Canada, and has worked in several financial institutions in security-related roles as a consultant in incident response and is a published author with a book on cybersecurity law. He can be found online at securitymadesimple.org.