Start-Up Secure. Chris Castaldo
Using SaaS products is not necessarily more secure, but it does reduce cost and enables start-ups to remain as lean as possible for as long as possible. Additionally, many of those SaaS platforms will scale with your business, and pricing models adjust accordingly. At some point, though, you must use a computer to actually access those services, whether it is a desktop, laptop, or mobile device. For those services to be useful you need availability.
A benefit to using a SaaS platform is a far higher availability rate than if you tried to duplicate the services in your own data center. While the risk can be reduced, you cannot completely outsource risk. If you are negligent with sensitive customer data, like credit card data, you can still be held liable even if you don't host any part of your product in your own data center. This is also referred to as the shared security model.
I've talked about services you might use and the security surrounding them, but you must also consider the security of the devices you use to access them. Desktops, laptops, and mobile devices will continue to be the most likely initial access vector in a data breach along with your credentials. To get your credentials, an attacker must either dupe you into giving your credentials to them, referred to as social engineering, or take advantage of a vulnerability in the computer you are using, referred to as an exploit. Or if you are a high-value target, they may go as far as to gain physical access to your device.
PATCHING
Another primary tenet in cybersecurity is updating and patching; these are critical procedures to achieve balance with confidentiality, integrity, and availability (CIA). This is that annoying time once a month when you have to close your browser with 50 open tabs or, worse, close all your applications and reboot your computer. The process differs between Windows, MacOS, Android, and iOS, but the goal is the same – a vulnerability is discovered, the vendor creates and releases a patch, and then you must apply the patch.
In the early stages of start-ups, it is a very minimal risk to enable auto-updating in your most-used applications and operating system. This doesn't apply to production environments that are used by paying customers, but we'll get to that in Chapter 9. If you are a typical start-up you will most likely use a laptop and mobile phone. We'll focus on laptops first.
Both Windows and MacOS have the ability to download and install security updates with little interaction required from the user. At most, you will be prompted to reboot your computer, which might take only a few minutes of lost productivity out of your day. However, the security gains from applying those patches immediately will help protect you from devastating ransomware, like WannaCry in 2017, most of the time. Nothing in security is 100%, which is why there are so many layers to a successful cybersecurity program. If you are not sure if this setting is enabled you should check in your system settings in either Windows or MacOS.
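On a Mac, the settings referred to above are stored as a handful of preference keys that can be read from the command line. The following script is an added example, not part of the book, that reports which automatic-update preferences are switched off; it assumes the key names macOS stores in /Library/Preferences/com.apple.SoftwareUpdate and the line format printed by `defaults read`, and it runs a constructed sample so it can be tried on any system.

```shell
#!/bin/sh
# Added example: report which macOS automatic-update preferences are off.
# Assumes the preference keys macOS keeps in
# /Library/Preferences/com.apple.SoftwareUpdate and the "Key = value;"
# line format that `defaults read` prints for that domain.

# Keys that should all be 1 for fully automatic security patching.
REQUIRED_KEYS="AutomaticCheckEnabled AutomaticDownload AutomaticallyInstallMacOSUpdates CriticalUpdateInstall ConfigDataInstall"

# Reads `defaults read` output on stdin and prints the name of every required
# key that is missing or not set to 1, one per line (nothing when all are on).
audit_update_prefs() {
    prefs=$(cat)
    for key in $REQUIRED_KEYS; do
        # Matching lines look like:  AutomaticCheckEnabled = 1;
        value=$(printf '%s\n' "$prefs" | sed -n "s/^[[:space:]]*$key = \([0-9]*\);.*/\1/p")
        if [ "$value" != "1" ]; then
            echo "$key"
        fi
    done
}

# Constructed sample (not captured from a real machine): checking for updates
# is on, but downloading and installing them is off and one key is absent.
SAMPLE_PREFS='{
    AutomaticCheckEnabled = 1;
    AutomaticDownload = 0;
    AutomaticallyInstallMacOSUpdates = 0;
    ConfigDataInstall = 1;
}'

# Runs the audit over the constructed sample; expected findings are
# AutomaticDownload, AutomaticallyInstallMacOSUpdates, CriticalUpdateInstall.
sample_findings() {
    printf '%s\n' "$SAMPLE_PREFS" | audit_update_prefs
}

# On an actual Mac, audit the live preferences (may require sudo to read).
if [ "$(uname)" = "Darwin" ]; then
    defaults read /Library/Preferences/com.apple.SoftwareUpdate \
        | audit_update_prefs | sed 's/^/auto-update OFF: /'
fi
```

Any key the script prints can be turned back on in System Settings under Software Update, or by an MDM profile if the company manages its laptops.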
Besides monthly updates, there are completely new versions of Windows and Mac released about every 18 months on average. It is not imperative to cybersecurity to immediately spend $200 on the latest version of Windows or Mac if the current version you do use will continue to receive updates. To find out how long you will receive those updates you can search for things like “Windows 10 end of life” or “Mac OS end of life.” The results should provide you with the final date on which Microsoft or Apple will discontinue creating security patches. For example, if you are using Windows XP you should immediately buy the latest version of Windows or a new computer, as it is no longer supported by Microsoft and no longer receiving security updates. At the time of writing, the average cost of a ransomware attack on a single system is about $300 to decrypt your data. Once compromised, you can no longer trust the security of that system or the data on that system. In Chapter 7 we'll talk more about what to do if your start-up suffers a data breach.
The next layer of security you must be aware of is the applications you might use on a daily basis: Chrome, Firefox, Safari, Office, Slack, etc. All the components you use to create and run your start-up can be vulnerable too. I mentioned earlier that stolen credentials are one of the leading causes of data breaches, and those credentials are typically stolen in one of two ways: social engineering or software vulnerability exploitation.
Example 1
For example, you get an email from a prospective venture capital company looking to participate in your Series A funding round. The email has an attachment with their terms; you open it. This email plays on human emotion and counts on you dropping your guard and best interest for your company to open the attachment. Suddenly you get a popup that says the contents of your computer have been encrypted. You've been hit with ransomware.
Example 2
You receive a phone call from an individual at a venture capital firm you've been speaking with about participating in your next round. They tell you they're sending an email with a link to their secure portal to access the term sheet. You get an email a few minutes after you hang up the call; you click the link, and it prompts you to log in with your Microsoft O365 credentials. Once logged in, you try to open the document and get an error. You call the number back and get a message saying the number is not in service. Suddenly you get a frantic text from your co-founder that production is down hard. You've fallen victim to pretexting and credential compromise. Since your credentials also worked in your cloud provider account, the attackers were able to ransom all of the data in your production database.
In these scenarios, both social engineering and vulnerability exploitation came into play. The email enticed you to open it and then open the attachment. The attachment then contained an exploit that gained special privileges on your computer and encrypted all of your data. The phone call made the email you received shortly after seem more legitimate. While there is no software update that can prevent you from opening the email and attachment, you could possibly prevent the opened document from harming your computer.
All of the five applications I mentioned receive frequent security updates, some more than others. These are just as important to apply as the ones for Windows or MacOS. Some applications will have the ability to automatically download and install updates, but most will not. This will require a small amount of effort on your part to make sure your most used applications are up to date. I recommend checking updates for your web browser, like Chrome, Firefox, and Safari; any productivity applications, like Word, Excel, or PowerPoint; and any email client on your computers, like Outlook or Thunderbird. These types of applications should be updated as quickly as possible; vulnerabilities in them are constantly discovered because they are the easiest way to compromise a system.
ANTIVIRUS IS STILL NECESSARY BUT GOES BY A DIFFERENT NAME
You might be thinking, “Well, what about antivirus?” I've devoted all of Chapter 4 to this topic because of the volume and complexity of solutions available. I also discuss many options that may require capital expenditure that might not seem so lean for a start-up. Just know if you happen to use pirated software you will not be able to receive critical security updates. You also cannot verify the authenticity of what you've downloaded and could very well have opened a backdoor into your system for attackers. Legitimate start-ups should only use