- A startup will be held to the same standards as a big company; it should act like one
- A few basic steps like two-factor authentication and automatic data encryption can go a long way
- Don’t overlook human behavior; innocent mistakes are often the major source of vulnerabilities
Everything from networks and devices to human behavior has become harder to monitor and control
By now, Christina Cacioppo is used to the quizzical notes from employees she’s been getting since the start of the pandemic. “Did you actually send me that email?” goes the typical inquiry. No she didn’t. It was the work of spammers and scammers.
“Employees get emails that appear to be from me asking them to do crazy things, like transfer this money to this account,” Cacioppo says. It’s a good thing that Cacioppo is CEO of Vanta, a fast-growing startup whose software helps other startups make sure they’re in compliance with certain industry standards, including data security protocols. “Because we’re a security and compliance company, we do security and compliance training,” she says. No one at Vanta has fallen for the scams yet.
Vanta isn’t the only potential victim: Startups have always been a target of cybercriminals who hope to steal everything from passwords, to intellectual property, to cash from newly funded accounts. Since the pandemic began and pushed virtually everyone to remote work, young companies are more at risk than ever. Distributed workforces are more vulnerable to attacks for a number of reasons, including weaker network and device protections and the operational challenges inherent in being distributed. As a result, attacks against them — and indeed, against businesses of all types — have skyrocketed.
In April, Google announced it was seeing 18 million malware and phishing emails every day with messages specifically related to COVID-19. The announcement came on the heels of reports that phishing attacks had more than tripled between January and March. Meanwhile, coronavirus-related spear phishing attacks were up more than seven-fold between February and April, according to security firm Barracuda. Ransomware attacks have also risen sharply, as have malware attacks.
It’s a safe bet that many startups are not as well equipped as Vanta to fend off threats.
“We’re all at home on our own networks, which means we don’t necessarily have the same level of security as if we were sitting in our office,” says Kelly Wulff, general counsel of Vouch Insurance, a startup that sells insurance products to other startups. “We don’t have the same set of social cues, because we’re not sitting next to our colleagues. We don’t have the same social context, and that makes us more vulnerable. And it’s also easy to overlook some basic hygiene when it comes to security, things you might do when you’re at the office but aren’t doing now.”
This lack of security hygiene can have serious consequences for startups. “If you experience a security breach early as a company, that could make the difference between making it and not making it,” Wulff adds. “You’ll lose the confidence of your customers, your employees and potential investors.”
So what should startups do to protect themselves — in general, and in a work-from-anywhere world? Here are four places to start.
Act like a big company
Startups sometimes delay implementing even basic safety protocols. Often, they lack resources like an IT staff, or the team is singularly focused on getting an enterprise off the ground. Sometimes, it’s due to the mistaken belief that because they’re small, they’re not likely to be a target or have little to lose.
But a lack of security will affect just about any startup, even if it doesn’t suffer a breach.
“Having a good security program is now becoming a first-tier question for any partnership, financing round, acquisition, vendor agreement,” says Kirk Nahra, who co-chairs the cybersecurity and privacy practice at Wilmer Hale, a global law firm. “I’ve seen deals tank because of privacy and security.”
Indeed, it’s often the prospect of partnerships or customer wins that forces startups to step up their security posture. It’s that insight that led Cacioppo to found Vanta.
Vanta’s software works to automatically check that a startup complies with an often-used industry standard called SOC 2, which defines criteria for managing customer data and focuses on aspects like security, privacy, confidentiality, availability and processing integrity. “When your customer asks you to be compliant with security standards, it works as the carrot that drives a lot of companies to invest in security,” she says.
Get the basics right
While a SOC 2 audit will check a long list of items that range from the setup of a company’s AWS, GitHub, or data storage accounts, to the configuration of laptops, and the existence of written data privacy and security policies, Cacioppo says a few basic steps can go a long way toward protecting any startup.
“Put two-factor authentication on everything,” she says. By everything, she means not only email, but commonly used tools like Slack, Asana, Dropbox, AWS or any others the company uses. “It nearly takes away the ability for someone malicious to break into an email account,” she adds. “It’s a small amount of friction but it pretty much neutralizes all phishing attacks.”
Additionally, she advises companies to configure all laptops to automatically encrypt all data — a step that requires no additional software, since the operating system’s built-in full-disk encryption (FileVault on macOS, BitLocker on Windows) only needs to be switched on. That, along with screensaver locks and timeouts, will virtually ensure that even if a laptop is lost or stolen, its data will be safe from prying eyes. Cacioppo also says startups should keep track of who has access to what accounts, so that access can be disabled when employees leave the company.
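A concrete way to check two of those basics on the AWS account the audit would cover, written here as an added example rather than Vanta’s or Vouch’s own code: it reads the IAM credential report (the CSV that `aws iam get-credential-report` returns, base64-encoded in its `Content` field) and flags every console login without MFA and every active credential that has never been used or has gone unused for 90 days, which is the access review that catches accounts belonging to people who have left. The rows below are constructed for this example and trimmed to the columns the audit reads; the 90-day window and the reference date are assumptions.

```python
"""Audit an AWS IAM credential report for two basics: MFA on every console
login, and no active credential that nobody is using.

Added example, not code from the article or the companies it describes.
The column names are those of the real IAM credential report; the rows are
constructed for this example (and the cert_* columns are omitted).
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report. Account ID 111122223333 is the AWS documentation placeholder.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111122223333:root,2019-01-04T10:00:00+00:00,not_supported,2020-06-01T09:12:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2019-02-10T10:00:00+00:00,true,2020-06-14T08:00:00+00:00,2020-03-01T10:00:00+00:00,N/A,true,true,2020-03-01T10:00:00+00:00,2020-06-14T07:55:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2019-05-20T10:00:00+00:00,true,2020-06-10T08:00:00+00:00,2019-05-20T10:00:00+00:00,N/A,false,true,2019-05-20T10:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2019-08-01T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2019-08-01T10:00:00+00:00,2020-06-14T01:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A
former-employee,arn:aws:iam::111122223333:user/former-employee,2018-11-01T10:00:00+00:00,true,2020-01-03T08:00:00+00:00,2018-11-01T10:00:00+00:00,N/A,true,true,2018-11-01T10:00:00+00:00,2020-01-03T08:10:00+00:00,us-west-2,ec2,false,N/A,N/A,N/A,N/A
"""

# Assumed reference date for the sample audit.
AUDIT_TIME = datetime(2020, 6, 15, tzinfo=timezone.utc)


def _parse_time(value):
    """Report timestamps are ISO 8601. Placeholders (N/A, no_information,
    not_supported) return None, which the audit treats as 'never used'."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None


def audit_credential_report(report_csv, now, stale_after=timedelta(days=90)):
    """Return (user, kind, detail) findings. kind is 'no_mfa' for a console
    login without MFA, or 'unused_credential' for an active password or
    access key that was never used or not used within stale_after."""
    findings = []
    cutoff = now - stale_after
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Root always has a console password; for IAM users the report says so explicitly.
        console = user == "<root_account>" or row["password_enabled"] == "true"
        if console and row["mfa_active"] != "true":
            findings.append((user, "no_mfa", "console login without MFA"))

        # Collect every active credential with its last-use timestamp.
        active = []
        if console:
            active.append(("password", row["password_last_used"]))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                active.append((f"access_key_{n}", row[f"access_key_{n}_last_used_date"]))

        for name, last_used in active:
            t = _parse_time(last_used)
            if t is None:
                findings.append((user, "unused_credential", f"{name} has never been used"))
            elif t < cutoff:
                days = (now - t).days
                findings.append((user, "unused_credential", f"{name} last used {days} days ago"))
    return findings


def sample_findings():
    """Run the audit over the constructed report at the assumed date."""
    return audit_credential_report(SAMPLE_REPORT, AUDIT_TIME)


if __name__ == "__main__":
    for user, kind, detail in sample_findings():
        print(f"{user:16} {kind:18} {detail}")
```

On the constructed report, root and bob appear for missing MFA, bob again for an access key that was created but never used, and former-employee for a password and a key that have not been touched in over five months, which is the signal that an offboarding was missed. The MFA rule does not reach a keys-only user like ci-deploy, so for such accounts the unused-credential rule is the only one of the two that applies; the same export-and-review approach works for the other services the article lists, each from its own admin audit log.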
Mike Banic, vice president of marketing at Lookout, a mobile security company, says startups should make sure that whatever protections they have for computer and web services accounts extend to mobile devices. That’s become critically important during the COVID-19 crisis, as phishing scams are increasingly targeting smartphones via text messages. The texts are often aimed at stealing login credentials by luring victims to click on links that direct them to fake pages.
“On a mobile device, it’s very hard to discern the difference between a fake login page and a real one,” Banic says.
Adapting to work from anywhere
While protecting your startup during normal times requires a constant review of best practices, new technologies, new types of attacks, and operational changes, the pandemic has forced a rapid reevaluation of just about everything. “Covid has added a bunch of layers,” Nahra says. “The protections that you have in an office information system don’t typically extend to your home.”
Fortunately, help is available to startups that know where to find it. At Vouch, the top-to-bottom review of security practices began with a call to the company’s IT provider. “We asked what we should be doing to secure our network,” Wulff says. What resulted were some infrastructure changes that included more robust antivirus software, and additional employee training on privacy and security, with a special focus on raising awareness about phishing. Startups can often find similar advice on best practices by talking with their law firms, board members and investors.
The most common weak links in a work-from-home setup are wifi networks and portable devices. Experts recommend not only keeping data on devices encrypted, but having separate devices, whenever possible, for work and personal use, and not sharing your work device with household members.
When it comes to securing networks, there’s plenty of information available on best practices, but companies should ensure that employees follow them. And they should consider beefing that up with an enterprise-grade VPN.
At Vanta, Cacioppo decided to equip all laptops with software that could be used to remotely wipe employee laptops. The company has grown to 40 employees — from 20 at the start of the pandemic — and she wants to make sure she’s prepared for when employees take a new job. “In the pandemic world, I won’t have your machine the day you leave,” she says. “Maybe you mail it in. Being able to wipe it clean beforehand is really helpful.”
Humans make mistakes
While securing devices and networks is critical, an often-overlooked vulnerability is human behavior. In a remote work environment, it’s harder than ever for startups to keep an eye on what their employees are doing and to nudge them toward safe practices.
“The majority of the issues I see are operational issues,” Wulff says. “It’s how people move data from one system to another, or when a customer-facing employee has multiple windows open and cuts and pastes the wrong information and sends it to the customer. All of a sudden you have a data incident.”
Similar problems can crop up when someone is sharing a screen on a Zoom call and inadvertently exposes sensitive data or private messages, or when someone forgets a printout with sensitive data after working in a coffee shop. With employees under increased stress and facing more distractions because of the pandemic, they’re increasingly prone to such errors.
Vouch has sought to address some of these issues with additional training. “We’ve retrained people on how to report concerns,” Wulff says. For example, remote employees are encouraged to report everything from questions about what to do about passwords for shared accounts to suspected phishing emails to the legal department, where it gets triaged and escalated quickly, when necessary.
“A lot of it is cultural change,” Cacioppo says. “When you are 15 people and they’re all remote, getting all of them to encrypt their drive is like cat herding. The trick is when you hire new employees to train them well so they act responsibly.”
At Vanta, the focus on training seems to have worked. The company has had only one security incident since Covid started. Someone forced a lock to break into its office in San Francisco. No one was there, and no computers or data were in sight.
Aside from the obvious macroeconomic challenges posed by the pandemic, COVID-19 is exposing startups to a new set of risks. They include the challenges of maintaining a cohesive culture in a remote work environment, ensuring the safety and security of work-from-home tools and procedures, and reopening offices safely. This three-part series, produced with our partners at Vouch Insurance, offers practical advice for mitigating these risks.