I've talked about services you might use and the security surrounding them, but you must also consider the security of the devices you use to access them. Desktops, laptops, and mobile devices will continue to be the most likely initial access vector in a data breach along with your credentials. To get your credentials, an attacker must either dupe you into giving your credentials to them, referred to as social engineering, or take advantage of a vulnerability in the computer you are using, referred to as an exploit. Or if you are a high-value target, they may go as far as to gain physical access to your device.
Another primary tenet in cybersecurity is updating and patching; these are critical procedures for maintaining the balance of confidentiality, integrity, and availability (CIA). It is that annoying time once a month when you have to close your browser with 50 open tabs or, worse, close all your applications and reboot your computer. The process differs between Windows, MacOS, Android, and iOS, but the goal is the same – a vulnerability is discovered, the vendor creates and releases a patch, and then you must apply the patch.
In the early stages of a start-up, there is very little risk in enabling auto-updating in your most-used applications and operating system. This doesn't apply to production environments that are used by paying customers, but we'll get to that in Chapter 9. If you are a typical start-up you will most likely use a laptop and a mobile phone. We'll focus on laptops first.
Both Windows and MacOS have the ability to download and install security updates with little interaction required from the user. At most, you will be prompted to reboot your computer, which might cost only a few minutes of lost productivity out of your day. In return, applying those patches immediately will, most of the time, help protect you from devastating ransomware like WannaCry in 2017. Nothing in security is 100%, which is why there are so many layers to a successful cybersecurity program. If you are not sure whether this setting is enabled, check your system settings in either Windows or MacOS.
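An added example, not the book's own: a small POSIX shell script that performs the MacOS half of that check by reading the automatic-update keys Apple stores in /Library/Preferences/com.apple.SoftwareUpdate and flagging any that are off. The embedded SAMPLE is constructed `defaults read` output, so the script also runs on a non-Mac system.

```shell
#!/bin/sh
# Audit MacOS automatic-update settings (added example, not from the book).
# The keys below are the real ones written by System Settings; the SAMPLE
# text is constructed to look like `defaults read` output, with two
# settings deliberately off so the failure path is exercised.
SAMPLE='{
    AutomaticCheckEnabled = 1;
    AutomaticDownload = 1;
    AutomaticallyInstallMacOSUpdates = 0;
    ConfigDataInstall = 1;
    CriticalUpdateInstall = 0;
}'

# read_key TEXT KEY: print the key's value (1 or 0), or "unset" if absent.
read_key() {
    printf '%s\n' "$1" | awk -v k="$2" '
        $1 == k && $2 == "=" { v = $3; sub(/;$/, "", v); print v; found = 1 }
        END { if (!found) print "unset" }'
}

# audit_softwareupdate TEXT: one line per key; returns 0 only if all are on.
audit_softwareupdate() {
    rc=0
    for key in AutomaticCheckEnabled AutomaticDownload \
               AutomaticallyInstallMacOSUpdates \
               ConfigDataInstall CriticalUpdateInstall; do
        val=$(read_key "$1" "$key")
        if [ "$val" = "1" ]; then
            echo "OK   $key"
        else
            echo "FAIL $key (value: $val)"   # off or never configured
            rc=1
        fi
    done
    return $rc
}

# On a Mac, audit the live settings; elsewhere, fall back to the sample.
if [ "$(uname)" = "Darwin" ]; then
    live=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate 2>/dev/null)
    audit_softwareupdate "$live" || echo "Some automatic-update settings are off."
else
    audit_softwareupdate "$SAMPLE" || echo "Some automatic-update settings are off."
fi
```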
Besides monthly updates, completely new versions of Windows and Mac are released about every 18 months on average. It is not imperative to cybersecurity to immediately spend $200 on the latest version of Windows or Mac if the version you currently use will continue to receive updates. To find out how long you will receive those updates, search for things like “Windows 10 end of life” or “Mac OS end of life.” The results should give you the final date on which Microsoft or Apple will stop creating security patches. For example, if you are using Windows XP you should immediately buy the latest version of Windows or a new computer, as it is no longer supported by Microsoft and no longer receives security updates. At the time of writing, the average cost of a ransomware attack on a single system is about $300 to decrypt your data. Once compromised, you can no longer trust the security of that system or the data on it. In Chapter 7 we'll talk more about what to do if your start-up suffers a data breach.
The next layer of security you must be aware of is the applications you use on a daily basis: Chrome, Firefox, Safari, Office, Slack, etc. All of the components you use to create and run your start-up can be vulnerable too. I mentioned earlier that stolen credentials are one of the leading causes of data breaches. Those credentials are typically stolen in one of two ways: social engineering or software vulnerability exploitation.
For example, you get an email from a prospective venture capital company looking to participate in your Series A funding round. The email has an attachment with their terms; you open it. This email plays on human emotion and counts on you dropping your guard, against your company's best interest, to open the attachment. Suddenly you get a popup that says the contents of your computer have been encrypted. You've been hit with ransomware.
You receive a phone call from an individual at a venture capital firm you've been speaking with about participating in your next round. They tell you they're sending an email with a link to their secure portal to access the term sheet. You get an email a few minutes after you hang up the call; you click the link, and it prompts you to log in with your Microsoft O365 credentials. Once logged in you try to open the document and get an error. You call the number back and get a message saying the number is not in service. Suddenly you get a frantic text from your co-founder that production is down hard. You've fallen victim to pretexting and credential compromise. Since your credentials also worked in your cloud provider account, the attackers were able to ransom all of the data in your production database.
In these scenarios, both social engineering and vulnerability exploitation came into play. The email enticed you to open it and then open the attachment. The attachment then contained an exploit that gained special privileges on your computer and encrypted all of your data. The phone call made the email you received shortly after seem more legitimate. While there is no software update that can prevent you from opening the email and attachment, keeping your software patched could prevent the opened document from harming your computer.
All five of the applications I mentioned receive frequent security updates, some more than others. These are just as important to apply as the ones for Windows or MacOS. Some applications will have the ability to automatically download and install updates, but most will not. This will require a small amount of effort on your part to make sure your most-used applications are up to date. I recommend checking for updates to your web browser, like Chrome, Firefox, and Safari; any productivity applications, like Word, Excel, or PowerPoint; and any email client you use on your computers, like Outlook or Thunderbird. These types of applications should be updated as quickly as possible; vulnerabilities in them are constantly discovered because they are the easiest way to compromise a system.
ANTIVIRUS IS STILL NECESSARY BUT GOES BY A DIFFERENT NAME
You might be thinking, “Well, what about antivirus?” I've devoted all of Chapter 4 to this topic because of the volume and complexity of solutions available. I also discuss many options that may require capital expenditure that might not seem so lean for a start-up. Just know that if you happen to use pirated software you will not be able to receive critical security updates. You also cannot verify the authenticity of what you've downloaded and could very well have opened a backdoor into your system for attackers. Legitimate start-ups should only use legitimate software.
Open source software, which is a legitimate free option, can also come with risks. Depending on the country your start-up is founded in, you may need to pay close attention to open source software from specific countries and geographic locations. This applies to antivirus software or anything else you use in your start-up.
So, what do they call antivirus these days? Marketing has now rebranded this technology as endpoint detection and response (EDR). While it does have many more features than the popular antivirus software of the 90s and 00s, it still has basically the same functions and keeps your device secure. We'll dive into this more in Chapter 4.
Mobile devices are now woven into the fabric of everyday business – smartphones, tablets, etc., are used to run and secure your start-up. These have the same level of access to critical information as your laptop. Many MFA solutions, which I discussed earlier, run as apps on your smartphone; physical tokens are still the most secure but not as convenient as a mobile app. Our mobile devices are now acting as the keys to the digital kingdom. Nearly all the same security rules we've discussed so far apply to our mobile phones and devices. You must make sure the operating system is up to date; keep installed applications up to date; set a strong passcode, fingerprint authentication, or face authentication; and encrypt the phone if encryption is not on by default for your make and model. Some of this is not activated out of the box and is easy to skip over in the setup process.