"Technology has the potential to keep changing the world for the better, but it will never achieve that potential without the full faith and confidence of the people who use it." - Tim Cook, Apple CEO
In an age where there seems to be a fresh data security breach every other week – New Zealand customers are demanding higher than ever standards from the organisations they share their personal information with.
• Hack attack puts health details of one million New Zealanders at risk
• Hackers steal photo ID and tax codes from 26,000 Generate KiwiSaver customers
• Premium - Crisis management: Firms losing victim status in data hacks
• NZ Institute of Directors' website defaced by hacker, passwords at risk
This quote from Apple CEO Tim Cook highlights the critical importance of ensuring customers have confidence in your ability to keep their personal data safe from harm and companies doing this well can trade on the currency of trust.
To me, security should never hinder the growth of an organisation. In my experience, it provides an organisation with effective guard rails – offering reassurance that we can move swiftly, while keeping our information assets safe.
That said, the task of building a balanced and effective cyber-security function – one which serves to both protect the organisation from threats, while also enabling the business - is a thin tightrope and can often seem impossible.
These are some tips that you should be mindful of when starting this journey.
The double-edged cloud
The overwhelming majority of start-ups in 2020 will be organisations born in the cloud using major providers such as Microsoft Azure, Amazon Web Services and Google Cloud Platform to build out their technology infrastructure. Adoption of the cloud has allowed companies like Prospa to scale rapidly with minimal capital outlay upfront. It has proven an invaluable resource to many early-stage companies.
In almost all cases, the security provided by large cloud providers is generally enterprise-grade and very robust.
However, they also offer a broad catalogue of both customisable security services and options for customers to further secure their resources and services. This kind of self-service IT infrastructure means the responsibility for setting up a secure cloud service inevitably falls to the customer, who may not necessarily be an expert – opening up possibilities for failure.
In a 2019 report on cloud risk, Gartner predicts that by 2025 99 per cent of cloud security failures will be the customer's fault, and 90 per cent of organisations that fail to appropriately control their public cloud will inappropriately share sensitive data.
Knowing your threats
Before you start looking at how to protect your organisation in the cloud, you should first build an understanding of the level and type of threats your business is likely to face.
Each organisation is different – as are the types of threats they'll come up against, and therefore how much they'll need to invest in security.
A start-up that stores payment and credit card data for a large customer base will be a far more attractive target to a hacker than a start-up mobile app which lets users edit photos with filters.
Understanding the value of the assets your organisation stores is a great place to start. Assets that tend to be most attractive to hackers are generally financial in nature (e.g. cash deposits, credit card data) or sensitive personal information (identification documents).
These could either be hacked and sold on the dark web, or simply encrypted and held for ransom by ransomware attacks.
Look to the future and don't accumulate tech debt
In software development, taking a shortcut approach early in the development process can cost you down the track, creating a need for additional spend to rework solutions. This is known as technical debt.
Technical debt is sometimes a necessary evil to enable rapid execution for early company growth goals. Always bear in mind that when you need to scale, these solutions will not only come back to bite from a resourcing perspective, but are also likely to increase your ongoing risk of security threats.
When purchasing or building out technology solutions, even at an early stage, always be mindful of future compatibility and how easy it is to transition to new and improved services in the future. The last thing you want is to fall into the temptation of a shortcut, only to be locked into a sub-par service that slows you down later.
Don't hinder your employees, guide and watch over them
Data moves just like a flowing river. And just as moving waters will always find the path of least resistance, users (and data) will always find a way to access their preferred applications – those they find most convenient and effective.
You could attempt to block employees from using services you don't approve of – but in most cases, the users will simply flow around the barrier.
In our experience, the best option is to provide controlled but open access to a variety of tools that have been pre-vetted. There are systems out there that can tell you what your users like to use most – heed your employees, and where appropriate, allow them to access these systems, while making sure you enforce minimum security controls such as multi-factor authentication and logging.
Providing a channel for the water to flow is an effective way to make sure it goes where you want. If you force unwanted tools on your employees – you risk impacting their productivity, motivation, and can also cause friction between security and work.
Apply security controls where they matter
In a cloud-based environment, security controls need to be applied in the cloud. Until recently the most basic security tasks would be to configure an appropriate firewall for the office, or install anti-virus software. Nowadays with remote working and decentralised networks, ensuring you configure your cloud environments correctly is just as important (if not more so) for protecting your systems and data.
Look to your major cloud applications and ensure the configuration is correct. Nearly all major providers have documentation with simple checklists to follow that would enhance your security significantly. For example, you may want to consider restricting the ability to share documents with people outside of your organisation unless the documents are encrypted with a password – small settings but with large impact. While you're at it, you should enforce multi-factor authentication on all your users to protect their logins.
Wash your hands (e.g basic security hygiene)
There are a number of absolutely vital security basics that should be performed diligently no matter the size of your organisation. They don't take much time out of your day but could be the difference between preventing a data breach or not.
Many lists are available online, but here are some examples:
• Reviewing which users have access to your systems regularly
• Staff education around security
• Patching your laptops and desktops
• Encrypting sensitive documents
• Applying multi-factor authentication
• Taking backups (and testing them!)
• Review your third parties and their security
Building an effective cybersecurity strategy can be a daunting task for a start-up – but it's critical to invest the time and energy into getting it right, to ensure you're future-proofed for growth. The above tips are a great starting point for any business taking its first steps towards building a cyber-security function, which is becoming increasingly important every day, both in New Zealand and around the world.
- Charn Tangson is head of cybersecurity at Prospa, the New Zealand small business lending specialist.