SECURITY EVANGELIST

How do you ensure maximum security for your users’ data when you have the limited resources of a startup?

We asked ourselves this question, because startups play an important role in today's tech and social ecosystem.

They make headlines daily, either for investments or new product releases, and Internet users flock to adopt the newest and most improved way of doing a number of things.

So the small startup team, fueled by enthusiasm, has to devote its resources to building the product, getting funding, building a community, getting press coverage, and the to-do list goes on.

Where does cyber security fit in within the priorities list?

As an early adopter, you may be concerned about how your data is handled and stored.

As a founder, you may experience some sleepless nights because of the news about cyber attacks that you read on a daily basis.

As an investor, you may fear that a cyber attack could make your money go to waste before ever seeing ROI.

So how is cyber security for startups really handled?

Because we’re strong believers in facts above all, we interviewed startup founders who happen to know more than a bit about the roles that information security plays in developing a successful product.

To our delight (which we can’t hide), we observed that these founders are not only aware of cyber security issues, but actively integrate them as an essential part of their product and strategy!

Their answers are a great source of actionable advice and real-world scenarios where cyber security becomes an asset and a source of credibility for customers. Irrespective of the size of an organization, these recommendations are a course of action that is not only encouraged, but necessary.

Meet the founders:

Alexandra Anghel, Co-founder & CTO @ Appticles.com

Alexandra has a technical background, mostly in backend programming, and she has previously owned an outsourcing company. She’s passionate about startups & entrepreneurship and likes to get involved in various activities to help women get into programming/coding.

Appticles.com is a platform that helps bloggers, publishers and other content creators to package their existing content into cross-platform mobile applications.

Dragos Musetescu, Co-founder & CEO @ RESTACK

Dragos is a long time web developer and startup founder, who is now building a full-stack platform for connected devices.

RESTACK is the universal interface for connected devices, offering debugging tools, privacy features, analytics, a cloud backend and a customizable frontend fit for hackers, makers, tinkerers and other tech enthusiasts.


Mile Rosu, Co-founder & Sales Manager @ Presslabs

Mile enjoys spreading the word about Presslabs and making customers’ sites work and rank flawlessly.

Presslabs was founded in 2011 and offers WordPress hosting services dedicated to publishers all over the world.


Robert Knapp, Co-founder & CEO @ CyberGhost

Robert and his team have created one of the best-known VPN providers worldwide. CyberGhost's team of over 20 employees built, in an extremely short time, an extraordinary service with millions of users worldwide.

Founded in 2011 in Romania, the Land of no Data Retention, CyberGhost is one of the best-known VPN providers in Germany and Western Europe. The company specializes in offering the best and most effective form of Internet security: anonymity!


Sorin Vinatoru, CTO & Co-founder @ RenderStreet

Sorin has been a serial entrepreneur since 2001 and is interested in using technology to help companies grow. He has successfully applied his experience and principles to companies in various growth stages.

RenderStreet is the next generation render farm for Blender, providing a complete set of features for professional Blender and V-Ray rendering.


Tudor Bastea, Co-founder & CTO @ 123contactform

Tudor is the brain behind 123ContactForm. At any given time of day, he is able to pinpoint any function within the code in seconds.

123ContactForm is a service founded in 2008, which has become a worldwide top-class online form and survey builder.

Cyber security and startups – founders share their experiences

1. On users’ concern over their data’s privacy or security.

Alexandra Anghel, Appticles:
Of course, privacy and security are important for everyone, but the level of concern is relative to the size of their business. For example, a blogger that is just starting out and hasn’t yet established a readership will be less preoccupied about security aspects. By comparison, a professional blogger will be much more interested to learn about security and privacy because he can’t afford the risk of using improper tools and losing both readers and money.

Dragos Musetescu, Restack.io:
Yes, questions about security are always asked first.

Mile Rosu, Presslabs:
Yes, of course. Security is a daily subject, being discussed with new customers that are migrating to us after being hacked, or when reviewing changes to the code written by our customers’ dev teams in terms of security, or even when managing security updates to the open source code that makes it into our platform.

From my point of view, hosting is very similar to banking. We are the safe keepers of our customers’ assets for which we need to provide security guarantees. Surveillance cameras are replaced with real-time software monitoring systems, audio alarms become monitoring and alerting systems, turning notifications into actions.

Robert Knapp, CyberGhost:
Our users do that by default as we run a “Privacy as a Service” business. They ask a lot of questions about how we store data, how we process it and so on. That’s why we are very transparent regarding these topics (and of course, in general): we make the way we deal with data public, both in our FAQ and our Transparency Report.

Sorin Vinatoru, RenderStreet:
Data security and especially privacy are always very important for our users. This is because many of them are working on visualization for products that are not yet built. A leak in this case of the product images would be disastrous for them and their customers. We have been asked many times about our privacy policy and have signed NDAs with some customers as well.

Tudor Bastea, 123contactform:
Yes, it is a topic our Support team frequently gets asked about, because it’s a natural concern of many. Most of the questions revolve around data encryption, server stability and privacy.

2. On cyber security as an asset for a startup, the added value that cyber security creates for customers and making data protection a selling point.

Alexandra Anghel, Appticles:
Let’s put it this way – cyber security for a startup is mandatory. Poor security can have very unpredictable consequences and really damage a startup’s reputation.

Strong security practices do add value to products and services, but it is not the kind of value that is usually flaunted in front of the customers. That is because they already expect strong security, so emphasizing it as a selling point doesn’t make much sense. Also, our customers are mostly non-technical, so most of the time they will not have the time and patience to understand why our security practices are better than those of our competitors.

Of course, this doesn’t apply to startups where the end product is a security tool, like an antivirus, malware scanner, etc., where better security can be the main added value.

Dragos Musetescu, Restack.io:
There are startups and products that should start with security first and then the features of the product. For example, in IoT, security should be the first thing to add to your product and then the rest. It will create value for your product, and your customers will trust you.


Mile Rosu, Presslabs:
A security track record for a startup is vital. For customers it is essential to see how a startup deals with security vulnerabilities and how they communicate about it. Honesty builds trust.

As I previously stated, security is a hot-word in the WordPress ecosystem. Being mostly open-source, everyone gets to deal at a certain point with critical security updates. Once our future customers get to realize the scale of their project and especially the technical and security challenges, they refer to hosting providers like us.

Robert Knapp, CyberGhost:
Let’s put it like this:

Cyber security can be the USP for European companies that offer user data driven services – this by comparison to US-based companies.

After the Edward Snowden revelations and the shutdown of companies such as Lavabit in the US, it is pretty obvious that it is not possible to run a user data driven business in the US without serving up backdoors to the NSA – and that means implementing security vulnerabilities into a secure system by default.

If European startups understand this situation and start to focus on data security while offering great services, we could indeed gain a big advantage over US-based startups or existing companies.

As we run a service that provides security, privacy, and freedom, cyber security is our focus and CyberGhost VPN’s growth from zero to millions of active users shows that we create value for our customers. And not only are we growing in terms of number of users, we have been operating bootstrapped and profitable since forever. So yes, cyber security seems to be a good business.

Sorin Vinatoru, RenderStreet:
When you just start a business, reputation is one of the most important aspects of it. For us at least, word of mouth and customer recommendations were the main ways of reaching more customers in the early stages. Imagine what bad reputation would do to word of mouth advertising. In terms of security being an asset, it is definitely, at least in terms of reputation.

If you have an attack on your servers and customer data gets in the wild, you may get away with it once, if properly handled. More than once and customers would start complaining in their gathering places (forums, Facebook, Twitter, etc.), leading to bad press about the business.

Strong cyber security can definitely create added value, at least for us. We have in development a version of RenderStreet which will emphasize data security, with everything running on customers' on-premise servers or their own secured cloud VPC. One of the main selling points of this solution would be very strong security.

Tudor Bastea, 123contactform:
From our point of view, it’s a triple “Yes”.

Essentially, any startup regardless of industry vertical, needs to establish a connection based on trust with their target public.

When we think of online-focused startups, cyber security is a must. Our security and data protection measures have often proved a selling point. For instance, when asked how we encrypt data transferred within forms, we advise our clients to use our native SSL feature.

Regarding server security, the notion that we are hosted on Amazon Web Servers turns most customers around. And last but not least, a good Terms of Service and Privacy Policy is golden – we usually give the link to our customers who are worried about the fate of their data submitted within forms, as a confirmation we never disclose their data to third parties.

3. On BYOD environments in startups and managing company information securely.

Alexandra Anghel, Appticles:
Yes, we are a BYOD device environment. However, the development and production environments are completely separated and developers don’t have access to the production servers. Each person has a different level of access depending on his/her role in the development process. Access levels are quite easily managed since our infrastructure is set entirely in the cloud. We use Amazon Web Services and they have a lot of tools for managing user roles, groups, access to different resources, etc.

When we make a release, new features are pushed to production only after they pass testing (both on the development environment and staging) and the code is reviewed.

Mile Rosu, Presslabs:
It’s a bit different, but here is an analogy. Customers bring their own code. So let’s call that a virtual device. What we do is surround the codebase with a set of strict rules which largely reduce the number of attack vectors and wrap it in a controlled networking environment.

Robert Knapp, CyberGhost:
Our company has been ISO 27001 certified since its early days. That means that our internal processes are compliant with the latest best practices, controls, and industry standards regarding cyber security. So no, there is no BYOD environment at CyberGhost.

Sorin Vinatoru, RenderStreet:
Being a startup, we are very open about BYOD. Since we are not a large team, we have an open policy about bringing smart phones and tablets in the office. The only requirement about this is to access business process related information only through our officially provided means. That means our own customer management sites as well as our third party ticketing system.

Both these systems do not expose critical information or customer data, just enough for us to be able to manage the business. So our main way of keeping data secure is being very careful about what we expose to the internet and to other devices.

Tudor Bastea, 123contactform:
No, it’s not. We have strict security policies in this respect.

4. On cyber security’s importance for boards or investors.

Alexandra Anghel, Appticles:
We rarely discuss technical aspects with our investors (LAUNCHub); our talks usually stay in the business area. With the rare exception of having a security expert on the board, I believe that managing cyber security is entirely the founders' job.

Dragos Musetescu, Restack.io:
We haven’t talked about it.

Mile Rosu, Presslabs:
Security topics come first in board meetings, and this says it all.

Robert Knapp, CyberGhost:
It’s where the very heart of CyberGhost beats 😉

Sorin Vinatoru, RenderStreet:
It is important, in the sense that they want to know it’s being considered in everything we do and it is not taken for granted. So this is a constant concern and it permeates all our actions and decisions while we develop our product.

Tudor Bastea, 123contactform:
It is a matter of great importance to them, especially having regular backups and preventing data loss.


5. On how startups should allocate and manage resources dedicated to cyber security and protecting their users’ data.

Alexandra Anghel, Appticles:
I believe that cyber security should always be a part of development and operations. After all, a new feature should never see the light of day unless it was properly tested and secured.
We also periodically hire experts to test our plugins and platform for any vulnerability, so we can properly fix it.

Dragos Musetescu, Restack.io:
Security always comes first.

Mile Rosu, Presslabs:
It is hard for startups, including us, to evaluate the right slice of the budget to spend for security. We’ve seen this at our customers too. After they have been hacked, they have decided to move to us and spend considerably more for managed and secure hosting.

In our company, we spend a lot of our work time designing, implementing and reviewing our infrastructure. So the security-related expenses are built within our core R&D budget.

Robert Knapp, CyberGhost:
At least one guy in the team should take on the “security officer” role and be the one to implement and oversee standards such as access control, password management, physical security and so on.

As the company grows, he should have more and more responsibility and aim to get the company compliant with current industry standards.

Sorin Vinatoru, RenderStreet:
It depends on what the startup does and at what stage they are. In the very early stages, my personal opinion is that getting the product out the door and having a few customers on board is what matters. So shortcuts can be taken, including in the data protection, as long as some minimal measures are put in place. It is important to be aware that these shortcuts were cut and to pay the debt and fix them as soon as possible.

I think it’s important to mention that mature programmers will have the data privacy and application security in mind while implementing the product, so they are unlikely to take too many shortcuts. So be sure you have mature programmers in the team.

Tudor Bastea, 123contactform:
In order to avoid the 7 deadly sins of startup security, cyber protection should be a module of its own in the startup's development process. Treat it seriously, regardless of whether you have a security department of your own or not.


6. On training startup employees to become aware of cyber security threats and know what to do about them.

Alexandra Anghel, Appticles:
As our employees are mostly developers, it is very important to explain to them what it means to write secure code. There are several standards that we follow, but I believe that the most important rule of thumb is to never trust the input coming from a user or external API. XSS exploits and database injections are not anything new, so it's quite amazing how many CMSs and plugins have huge security holes just because they failed to implement some basic security rule.

Mile Rosu, Presslabs:
Yes.

We do have clear internal regulations and procedures packed with access levels which we explain and train to new employees.

They get access gradually, no matter their previous experience, so that they take the time to realize their responsibility and understand in a hands-on manner the logic behind our rules.

At the infrastructure operations level, we are wired to the information sources reporting the open-source zero-day vulnerabilities, which we analyze and cross-check.

Robert Knapp, CyberGhost:
Yes, that’s all part of the ISO27001 process.

Sorin Vinatoru, RenderStreet:
Since we are a small team, it is not the case. In the past, I had informal training done with the employees, making sure they are aware mainly about the threats they can create themselves through careless programming on the products developed.

Tudor Bastea, 123contactform:
Yes, we perform regular internal checks and we organize meetings with the development team for discussing the new vulnerabilities that may emerge and establish ways to avoid them proactively.

7. On experiencing a cyber security breach and preparedness to deal with cyber attacks.

Alexandra Anghel, Appticles:
No, we never had a security breach. One of our plugins had a vulnerability that was fixed and properly announced, but it wasn’t related to user data or anything like it.

We have not yet become a target for cyber security attacks, but we're aware that as our platform grows, we might be targeted, so we're doing everything to anticipate that moment. I guess you can say that you've truly made it when you have your first DDoS attack. 🙂


Dragos Musetescu, Restack.io:
No! You can't be prepared 100% for a cyber attack, but you can try to be one step in front of the attacker.

Mile Rosu, Presslabs:
Not to this date. We are dealing daily with breach attempts covering a large range of attack vectors – from SEO spamming to DoS, software vulnerabilities, brute force attempts, and so on.

Robert Knapp, CyberGhost:
Every company that runs an online service has security breaches. There can never be 100% security. There are, for example, zero day exploits and nobody can see those coming.

Good cyber security management is knowing how to handle these breaches.

When we had to deal with the Heartbleed security bug disclosed in April 2014 in the OpenSSL cryptography library, we immediately informed our customers and fixed the bug within a 24h shift – way faster than any other company. So I think transparency and speed are very important in dealing with data leaks.

Sorin Vinatoru, RenderStreet:
Never had one, even though we had hack attempts in the past.

I think such events should be welcomed by startups, especially if they manage to find them while they are attempts and before they become breaches.

In our case, it has allowed us to see in real time what the attacker was trying and to make sure our software and servers are tightly locked and not accessible via those attack venues.

Tudor Bastea, 123contactform:
No, we did not. We do our best to prevent such events.


8. On plans to keep users' data protected and safe, as cyber security and privacy concerns increase.

Alexandra Anghel, Appticles:
We will continue to use the same tactics that we have applied so far and expand them. I believe that most cyber attacks can be prevented if you go to the trouble of following the rules.

As history tends to repeat itself, we can also learn from other startups that have already been targeted by cyber attacks and are more than willing to share their story.

Dragos Musetescu, Restack.io:
Security is part of our road map and I can’t provide more details right now.

Mile Rosu, Presslabs:
We learn a lot from every failed attempt. In addition to the continuous review of our internal security processes based on these attempts, we are planning to establish a program to reward white hat external testing of our platform.

Robert Knapp, CyberGhost:
The best security for user data is to simply not store any. That’s why we don’t keep any user records or logs. We just store the data that we need in order to run our service and that is by no means user data. From them [our users], we just need an anonymous user name and a password and that’s it.

Sorin Vinatoru, RenderStreet:
One of the things we are going to do will be to release a version of the product where the customer has full control of the server environment, so we can address one of the main privacy concerns we have seen so far. Other than that, we will make sure security is always kept at the forefront of our thinking while we build our product.

Tudor Bastea, 123contactform:
We constantly optimize the tools and methods of monitoring our application: server monitoring, antivirus seals, SSL encryption.

The truth about cyber security and startups

1. Founders are not unaware of cyber security issues. Moreover, they’re keenly interested in them and have the knowledge to incorporate them into the startup’s strategy.

2. Building secure code and security features into your product from day one is mandatory.

3. Investors do care about cyber security and will hold founders accountable for potential losses in case of a cyber attack.

4. Product users are not only aware of security challenges, but expect to have their confidential data protected and safely managed.

5. Startups are not exempt from cyber attacks or breach attempts, which is why it's essential to protect users from the very beginning.

6. Internal rules and employee education about information security are essential in a startup environment, whether it's BYOD or not.

7. When planning your development, include security-related expenses from the start.

8. Strong cyber security instills trust in the startup itself and in the product it makes. That relationship is essential for customer acquisition and for sustaining growth.

9. Showing concern for information security issues and transparently demonstrating to users what's being done for their protection and privacy is an important selling point.

10. Being prepared for all kinds of cyber attacks is crucial, especially for a startup whose business can be broken fairly easily by a security or privacy faux-pas.

Conclusion

Being a startup founder is extremely challenging. You have to be aware of all things that happen within your company, small as it may be, and that’s no easy task.

On top of product-related decisions and business plans, you have to make sure that your users are safe and that their data’s privacy is respected fully.

Cyber security is not a “maybe” for startups, it’s a “definitely”.

Are you a startup founder who’s dealing with cyber security issues?

We’d love to hear from you and see how we could help.

Comments

Great article! As a founder I like the focus on all the different areas that might impact cyber security, very comprehensive and a good resource!

I also found a similar article, although it doesn’t go into quite the same depth, it gives a nice bitesize approach for busy founders: https://intruder.io/blog/posts/i-m-a-startup-what-should-i-do-about-security

Thanks for the suggestion, Craig! I’m glad you found the guide helpful.
