The sole purpose of a startup is to build something – really anything – that people want. It is your job to give them what they need on top of it. There can be great debate about what people truly need, but one part of this debate is settled. They need the data that you collect about them to be secured.
The good news is that you have this in common with your customers: You need it too. We live in the age of data, where storage is a cheap commodity and data is of endless value. This means that you are going to store the relevant information you need, some additional data to prop your company up for whatever it wants to build later and everyone is generally ok with it. This abundance of data, collected largely by companies that don’t know how to store it properly, is why the news has a story about a major breach every month.
What you don’t realize is that this happens a lot. Probably every day from companies that aren’t newsworthy. That doesn’t mean that your data is any less valuable. That doesn’t mean that a breach isn’t incredibly damaging for you.
When a big retailer is breached, they immediately lose trust with their customer base. Remember the big Target breach? They still haven’t fully recovered from their in-store credit card data getting stolen. And now to salt the wound, they are part of a class action that will likely cost them somewhere in the 8 figures. If this happened to your startup, what would it cost you? Can you afford a class action like this? Can you afford to lose the trust you worked so hard to build with your customers? You, like most startups, probably cant which is why most startups don’t recover from chaos like this.
This leads to a problem. Most startup founders are not security oriented. Even tech founders usually don’t have much experience in security code, servers and data. More importantly, most founders don’t even care about security until they already have a strong foundation of customers.
This is a potentially fatal mistake. The decisions you make in the first round of building your company can effect your next funding round or that big exit that you’ve been dreaming of. I know of this first hand when a company I was working for had a breach right when we were working through the details of an acquisition. Even though no customer data was stolen (or even seen,) it cost us a fortune in opportunity costs and monthly revenues. Think this is just problems for the startups with a big funding round? Think again. Even if you just run a small blog for now, this can happen. Go Googling for a bit. Type in “wordpress hack” and see what you see. I’ll bet it scares the crap out of you.
With all of this doom and gloom talking, there is a silver lining. It is pretty easy to get a basic level of protection on all of your digital assets from day one.
First lets talk about the most valuable piece of data for a hacker: PII. PII, or Personally Identifiable Information, is exactly what it sounds like. It is what ties your customers names to a phone number, email address, home address, etc. This is the first thing that should be protected. Generally, it should be obfuscated (hidden) as much as possible. This can be done by encrypting, hashing if you only use the data for verification, or NOT STORING IT if you don’t need it! If you block this sensitive information out, a hack is more or less worthless. Unless you are using credit cards to transact….
Payment information is a veritable gold mine as well. Those stolen cards can be used a few times before they get flagged, and people generally get away with it. The good news? There is no reason to store credit card information. If you use PayPal, Stripe, BrainTrust, ANY major processor, they will take this burden away from you.
If your valuable data is safe from being used if stolen, you are looking good. To look great, we need to make sure your servers can’t be breached at all. This involves security your code as well. In order to secure your code, you need to lock down the common vulnerabilities. The simplified basics are:
XSS (Cross Site Scripting) Attack
This attack is when someone is able to inject some code straight into your database or onto your server. That would be horrible. Think: dropping all data, getting all of the users, setting up a bitcoin mine (I saw this one first hand working for a major media company, it happens.)
CSRF (Cross Site Request Forgery)
Basically, this is when someone steals a form off of your page and submits it somewhere else. A gateway to letting customer data get stolen.
Another ugly one. When you are logged into a site and someone can take your session and steal it – letting them remain logged in as you.
If you are using WordPress, you’re in luck! There is a plugin called BulletProof Security (BPS) that solves all of this for you. If not, get a pro to scan & fix these issues for you asap – they are serious. There is also a pretty handy tool called CloudFlare that will stop many of these attacks before they ever reach your servers. I always recommend both where applicable.
Now blocking these attacks will likely block anyone from accessing your servers through your code, which is great. Still, think about your server security as if it were your physical office. Don’t let anyone with a computer connect to your servers. Make sure your firewall is only allowing inbound and outbound traffic to places that make sense. Think about swapping passwords for private keys. Make sure your software & packages are up to date. This is pretty common sense stuff, but it makes a world of difference and is frequently overlooked at all stages of company life.
Getting your data, code and servers locked down early will save you from a world of hurt when it counts later on down the line. What are you doing right now to make sure your hard work isn’t taken down from some faceless hacker?
While nothing is foolproof, following through on these few points is generally enough to thwart most hackers. Even if you do everything right, there is still some savant hacker out there that will break through anything, so don’t even worry about that. Just be ahead of the game until it is time to revisit and become the steel vault that your customers deserve.