You can find about a million tips on how to keep a startup afloat on the Internet. Usually advisers draw attention to the issues of business planning, marketing strategy, attracting additional investment and so on, but articles rarely talk about the problem of building a solid cybersecurity system. However, the lack of a clear understanding of threats can cost a startup a potentially successful business. We decided to talk about most typical cybersecurity mistakes and, more importantly, how to prevent them.
Source of the problem
Here is a typical start-up story: you and your friend come up with a brilliant idea, you discuss it with your inner circle, you gather a group of enthusiasts, and the dream team is ready. This is how the stories of Airbnb, Pinterest, Twitter, Uber and many other famous projects famously started.
However, problems arise when a startup moves from an initial idea to building real workflows and hiring additional staff. At this point, the small group of like-minded people expands and becomes a team of random people with different views on life and different life experiences. In such a team, employees may have very different understandings of what information should be considered as confidential and how to keep it secure.
Here is an example: one employee decides that it would be convenient to write the password for an online service on a chalkboard — their thinking is, everyone who needs it can find it quickly and easily. Another member of staff posts a selfie in the office on a social network, writing “who would write something confidential on the chalkboard, where everyone can see it”? This kind of misunderstanding is one of the reasons why young startups can run into cyber-security issues. The problem can be solved only by developing a corporate cybersecurity culture.
At the same time, people who come to work in startups are often enthusiasts and adventurers – they quickly fall in love with the idea, and can often quickly change their interests and leave. In addition, quite often modern startups depend on IT specialists who generally tend to move from business to business over the course of several years.
The combination of these two facts can create high employee turnover. In such conditions various mistakes can easily multiply, especially cybersecurity related ones. Therefore it is easy to overlook a cyberthreat that can easily be avoided.
Typical cybersecurity mistakes
Let’s imagine: you hadn’t noticed how your small startup became a fully-fledged business. What cybersecurity mistakes could you have made so far?
Excessive access rights
Often when a startup employee needs access to corporate resources or services, he immediately gets administrator rights. The person who shares those access rights usually thinks it’s easier to give access to everything once, without understanding the real needs of a particular employee and his responsibilities, than get new requests for access every week. But the more access rights an employee has, the chance of an error grows. If you want to minimize the number of cyberincidents, each workflow participant should have only those access rights that are necessary for their tasks.
Lack of information storage system rules
In general, this is bad for any business. But in a startup, due to the above-mentioned staff turnover, one day you may simply not be able to find important work files. Most likely they exist somewhere, but where exactly is the mystery. A developer or marketing intern knew about this once, but left the company recently without telling anyone.
Another common problem is forgotten passwords for corporate social networks or other rarely used services. Perhaps a new staff member sets up a Facebook or LinkedIn account to help promote the business, but fails to share the account details with other members of staff, then promptly leaves for another role – the login credentials have gone, with little chance of recovery.
Some people may think that with high turnover it may be a good idea to use shared accounts. But the more people know a password, the more likely it leaks due to phishing, negligence or malicious intent. In addition, it greatly complicates the investigation of an incident, when it happens. Let’s say it turns out that someone has gained access to an account – the experts suspect that the password was intercepted by malware and wants to check the computer of an employee who had access. Only to find that everyone had!
Passwords in cloud services
Another password-related mistake is to store them in some file in Google Docs, as incorrect setup means it’s usually accessible by anyone with the link. The obvious advantage is that it is very convenient to transfer the necessary information to all employees, it is enough to put all the necessary passwords in one document and send a link. However, such Google documents can be indexed by search engines. In other words, the file with all your passwords could potentially fall into the wrong hands.
Lack of two-factor authentication
Some of the problems associated with passwords would be less dangerous if startups did not neglect two-factor authentication on work accounts. This allows you to protect important data from various theft methods, such as phishing. First of all, two-step protection should be put on all financial services, such as Upwork.
Universal cyberthreat prevention tips
To avoid the ‘typical’ mistakes that many small businesses and start-ups make, try to follow these tips:
- When it comes to granting access to resources or services you should follow the least privilege principle. That is, an employee must have the minimum set of access rights — enough only to perform their tasks.
- Know exactly where your startup’s important information is stored, and who has access to it. From this, develop guidelines when hiring new employees, including clearly defining which accounts are needed for each employee, and which ones should be limited only for certain roles.
- Mature corporate cybersecurity culture helps to prevent many cyberthreats. You can, for example, start with creating a cybersecurity manual for employees so that everyone is on the same page. Here’s a good example for new employees.
- All passwords must be stored in a secure password manager. It will help your employees not to forget or lose them and also to minimize the chance that an outsider will get access to your accounts. Also use two-factor authentication mechanisms wherever possible.
- Advise your employees to lock their computer when they walk away from the desk. They should keep in mind that an office can be visited by all kinds of third parties, including couriers, clients, subcontractors or job seekers.
- Consider installing antivirus software in order to protect devices from viruses, trojans and other malicious programs
A large number of threats can be prevented with Kaspersky Small Office Security. This solution not only protects your employees’ devices from ransomware and other common cyberthreats, it also includes a password manager.