From 2013 to 2014, Yahoo was breached by hackers and over 3 billion user accounts were compromised. Three billion. The fallout from these security breaches was estimated to have knocked off $350 million from Yahoo’s sale price when it was ultimately acquired by Verizon in 2017. While most businesses won’t find themselves victims of data breaches of similar magnitudes, every single startup company should still be concerned with information security.
Moreover, one Ponemon Institute study shows that, on average, each stolen record containing sensitive and confidential information costs $148 per record. The total cost, worldwide, was $3.86 million in 2017, according to that same report. And attacks are more common than you might think: according to Wombat’s 2018 State of the Phish report, more than 76 percent of organizations surveyed reported phishing attacks in 2017.
Shifting businesses and data models to cloud solutions makes startup businesses, which usually can’t afford private or dedicated cloud solutions, more prone to things like phishing attacks and malware. This is especially important if your business handles consumer data.
On top of the legal and financial ramifications that come with a data breach, consider the damage your business’s reputation will also take. A data breach is costly, and a smart entrepreneur would take every step possible to ensure that it doesn’t happen.
Here are seven tips to help you get your (security) ducks in a row.
Adhere to basic IT security principles
When it comes to IT security, start with the basics. Use complex passwords, don’t open emails from suspicious addresses and don’t open links from sources you don’t recognize. While it may sound basic, even, the U.S. Department of Homeland Security talks about the importance of something as simple as using complex passwords.
Hackers will often look for the simplest ways into any system—and they start with these basics first. Firms may invest millions in sophisticated computer systems, outfitted with top-of-the-line antimalware systems, yet at the same time, the company will have an admin account that uses “123456” as their password.
Train your employees
As stated above, a majority of businesses suffer from phishing attacks. These refer to instances when targets are contacted by thieves looking to steal valuable information. These often come in the form of emails, and these hackers can make themselves appear very real to recipients.
All employees should be trained on IT security and coached to never hand out sensitive information to anyone they don’t recognize.
This goes double for senior level executives. A common form of phishing, referred to as “spear phishing,” involves targeting a high-level employee with a lot of access to sensitive information. Unlike regular phishing attacks, spear phishing can be a harder to detect. That’s why it’s crucial your employees are trained on how to detect such attempts.
Use two-factor authentication
Don’t settle on just having a single username and password combination. Take it a step further by using two-factor authentication. Users will be tasked with a secondary authentication sequence like confirming an email or inputting a code sent to their phone. This can be used for both employees and consumers.
Know that two-factor authentication isn’t foolproof. Again, training is crucial, and without it, two-factor authentication can fail. For example, an employee might see a request for access in an email and blindly click the link—allowing a fraudster to gain access.
Encrypt, encrypt, encrypt
Data encryption is key for sensitive information. Encryption simply means changing data into an unreadable state. Take it a step further by having encrypted data and keys on different servers. A startup most likely won’t have an in-house encryption expert, but there are plenty of technology solutions that will encrypt data for you. Companies like IBM will often provide affordable prices backed with the expert of a large IT company that takes data security seriously.
Make penetration testing part of your security routine
Another tool available in the market is penetration testing. Tools that perform these sorts of tests will be able to identify weakness and vulnerabilities in your IT security measures. The comprehensiveness of these tests will vary as there are different price points for different companies.
We highly recommend that these risk assessments be carried out on a regular basis. Be sure to check industry guidelines, since some industries (like the health-care industry) are required by law to conduct risk assessments on a regular basis.
Install software updates
Operating on an outdated version of software can be dangerous. Don’t ignore software updates when they’re rolled out, as they can contain security patches to vulnerabilities that hackers exploit. The older the system is, the more serious this issue is.
For example, it probably won’t be too much of an issue if you miss the latest update for Windows 10, but if you’re still running on Windows 2000, we’d recommend you upgrade immediately.
When possible, use cloud solutions
As a startup, you likely won’t have the capital to construct an entire on-premise IT infrastructure. This is why most businesses house their data and information via cloud solutions. However, we recommend that businesses choose their cloud hosting solutions carefully. Cloud solutions are typically more prone to security breaches than on-premise solutions.
If hosting your IT infrastructure on a cloud-based solution isn’t right for your business, and you absolutely need 100 percent availability at all times with no down time, you’ll have to utilize on-premise solutions. However, carefully consider the costs of on-premise solutions. Ignoring the space and energy consumptions costs, the physical servers themselves can get quite expensive.
These security measures might seem overblown to some entrepreneurs, but we do stress the importance of them. Protecting your information is crucial to the survival of your business, and when measured against the cost of closure, we’d say these costs are pretty small.