Security is government IT's No. 1 priority, but startups like to "move fast and break things." At the TechCrunch Disrupt conference, three security professionals gave advice on how tech companies can reduce risk.
SAN FRANCISCO — Government, a notoriously risk-averse type of organization, is already a little wary of working with startups that by definition don’t have much of a track record.
So with hacking becoming a bigger issue for government, how can startups assure themselves, and prove to the public sector, that they won’t be a cybersecurity risk? At the TechCrunch Disrupt 2019 conference, a panel of experienced cybersecurity professionals from the private sector shared recommendations on how companies growing up in the modern ethos of “move fast and break things” can avoid breaking trust.
Startups are an attractive target for hackers because they don’t think (or know) that what they have is valuable, and so they don’t think much about security. But they hold customer data, and they must protect it.
The remedy, then, is thinking about security.
And though security, from a financial standpoint, is more about preventing the loss of money than it is about making money, it can also help pave the way for the future, according to Jennifer Sunshine Steffens, CEO of the security firm IOActive.
Especially when it comes to companies that want to sell to government.
“The sooner you start thinking about the security, the less expensive it is in the end, not just in terms of being breached, but as you grow, as you start selling into different industries … adding new technology and stewarding different types of data, if you’re not prepared for the type of risk and regulations you’re going to face, that catch-up can be excruciating,” she said. “I know I experienced it earlier in my career when we were just building, and it was all ‘Go to market, go to market, gotta go to market.’ And we knew we were going to be selling to government, and when we had to get through FIPS compliance, it was a beast. And had we just known it and thought about it, and been doing that documentation all along, it would have been very simple. Instead it was a quarter of a million dollars and like three months of our life.”
Young companies might not have much in the way of funding to hire dedicated cybersecurity staff. But a startup doesn’t necessarily need that in order to reduce the risk of threats. Something anybody can do is sit down at a table and talk.
“There’s one thing that comes for free … it’s not really free because it’s your time, but you don’t have to go buy something, and that is just preparing,” said Heather Adkins, director of security and privacy for Google. “What is the worst that can happen to you, and does your company have a plan? And that is a relatively small investment.”
Beyond that, Dug Song, who founded Duo Security before selling the company to Cisco, said that reducing risk isn’t necessarily about buying anything. It’s about paying attention to what the company is and isn’t doing on a daily basis.
“When you, for instance, have non-employees granting other non-employees access, when employees leave, as they do in startups, and you forgot to shut the door behind them — there’s just a lot of really basic things that people get wrong because operationally they’re difficult.”
That said, startups can often avoid many of the pitfalls that more established organizations face every day simply because they don’t have old technology.
“Arguably, if you’re using modern consumer devices — iOS, Windows 10, Chromebooks and so forth — you’re better off than most, probably 90 percent, of large companies out there,” Song said. “And that’s why there’s a few strategic advantages you actually do have as a smaller … organization that doesn’t have a lot of legacy: You can do things better from the start.”
One of the most “basic” things companies should do is talk to their employees about cybersecurity, the panelists agreed. Remembering to revoke access to systems when an employee leaves is one thing, but what about teaching employees not to fall for phishing emails?
That’s why it’s important for company leaders to build security into the way the company does business.
“A lot of these big breaches that you hear about tend to be, you know, somebody clicked a link or a receptionist let somebody in the door completely unknowingly,” Steffens said. “This isn’t necessarily their fault; they didn’t do an evil, malicious thing. They thought they were doing their jobs, but they didn’t have the coaching and training to know that security was part of their jobs. So I think that culture is key.”
However, it can be easy to create the wrong kind of cybersecurity culture: One where people are afraid of the consequences if they do something wrong.
Because ultimately, security is never going to be a solved problem. Just look at Google, one of the largest companies on the planet.
“We do red team testing, this is taking very talented hackers and asking them to hack us and learning from that,” Adkins said. “They’ve done tests against our security team that are successful. So we know that there are techniques that work, and we need to remove the shame of being a victim.”
Toward that end, the panelists recommended rewarding employees for reporting things quickly. After all, a delay in knowing about a breach could make the situation worse.
“You’ve got to make it very open, because the faster you know about it, the better,” Steffens said. “And it is very easy to create that culture of fear where they hide what they’ve done. Many of us did it as kids.”