Knowstartup.com came up with a list of suggestions for startups in the arena of data security and privacy. After reading it, I think the list applies to anyone, not just startups, so here is my take on it:
- Allowing security to take a back seat (from the very beginning). Whether you are a new company or not, companies sometimes think that they can deal with security and privacy later. Except that later never comes, and the more entrenched the norms are, the harder they are to change. When it is finally time to make changes, whether because of customer demands, regulators or, hopefully not, lawsuits, those changes are much harder to make than they would have been at the start. So designing security and privacy into the culture and the product from the beginning is a good rule to follow.
- Focusing on product development more than security. Every small company (and many large ones) falls victim to this. The boss says, "Explain to me how spending time and money on security helps our sales." The management at Home Depot has been reported to have told the security guys that they were in the business of selling hammers, and asked how spending money on security would increase their sales of hammers. Well, $250 million later, so far, maybe that wasn't such a good strategy. Everything needs to be balanced. You need to have a viable product, but leaving security for later may mean a complete redesign because the architecture doesn't support what you need. Your email (including Yahoo and Gmail) is a perfect example. There was, and is, no security built into the way mail was designed, and changing how mail works would break far too many things, so we are stuck with spam and malware.
- Ignoring the personal and professional borders. Startups especially, small companies typically, and even large companies have blurred the boundaries between our personal and professional lives. We use our personal laptop for work. Or our personal phone. And we back that up to the Google or Microsoft cloud. Or whatever. And since it is personal, the company doesn't control the security. And since it is personal, the kids use it for school. Really. "Dad, I just need to write a paper. Oh, and to check my mail and to surf some web site and play a game and and and." Pretty soon that "work" computer is infected and those corporate files are copied to Transylvania. And when the person leaves, those "personal" backups in the cloud are still theirs. They have your data or your software or your customer list. And they just might use it when they go to work for your competitor. The odds of you figuring that out and then successfully suing them are pretty low unless they are stupid or blatant. Set boundaries now.
- No proper exit protocols in place. What do you do when that person leaves? Sure, they sign a piece of paper, but do you really think they will delete those files from the cloud or their home computer? Good luck trying to get them to let you check. "Cloud backup? No, I don't have a cloud backup. What's a cloud backup?" You get the idea. Figure it out now, while they are still on the payroll.
- Ignoring relevant rules and laws. "We accept credit cards, but being PCI compliant is expensive and requires us to do things that we don't have the money or time to do. We will deal with that later." "Yes, we are in the health care industry (or our clients are and they share information with us), but we have no idea how to be HIPAA compliant. We are too small for anyone to hack, and HHS will have bigger companies to check on. We will deal with that when we have more time and money." In addition to HIPAA and PCI there are many more rules and laws that govern what companies do. It can get VERY expensive to defend yourself against an FTC, SEC, HHS or Attorney General's action. Don't wait.
- Lack of proper policies for your cloud drive. Just because it is in the cloud does not mean that it is safe and secure, no matter what the advertisement says. Many cloud providers will give you tools that allow you to make yourself safer, but those tools do not configure themselves; someone has to turn them on and decide who gets access to what. Sure, you don't have to worry about someone walking into Google's data center and stealing a server, but there are lots of other things to be concerned about with the cloud. Including the personal-device and exit-protocol problems in items #3 and #4 above.
- Lack of internal policies and proper structures. Policies are usually the last thing a small or early stage company worries about. This leads to poor cyber hygiene, employees and vendors taking shortcuts, lack of access control to data, and other problems. While setting up these policies is a pain now, it will be a bigger pain later, and if there is a breach in the meantime, that lack of policies is a dream for the plaintiff's counsel.
- Not being vigilant about their responsibilities. Just because you outsource something doesn't mean that you are not 100% responsible for it. You can put your data in Amazon's cloud, but check your agreement with Amazon: they will not pay your legal fees if you are breached. And your customers will be coming after you with a pitchfork if you set their data loose. Don't even try to blame Amazon; it won't fly. So, whether you insource or outsource your operations, you need to make sure that your data is safe and sound and legally compliant.
- Collecting too much data. This one is hard for startups to get. Just because you CAN save some data does not mean that you should save it. Uber, for example, collects all kinds of data from the app on your phone, whether you are hailing a ride or not. This year many regulators asked them for that data and they complied. If you don't have the data, it cannot be breached and you cannot be compelled to cough it up. Fight the urge to save data "just because".
As I said, this article is geared towards startups, but it really applies to everyone. Even if only 7 out of the 10 items apply to you, consider what they say and what you are doing. And take action. Now!
Information for this post came from Knowstartup.com.