A startup’s security


A widely held opinion: losing a business through technical means is not possible. However, in the last 2 years I’ve seen a start-up fall apart and get destroyed by technology 4 times.

Story #1. Security and the reputation of a business.

Everything was starting out well. Able developers created a financial startup and a site that handled transactions. All the money was being invested into the site’s development, usability and marketing. The approach was paying off: clients were flowing in. Flaws in the site’s security weren’t a concern: it was functioning, there were clients, bank was being made. Glorious.

One day, the site got hacked and all the funds that could be taken through it disappeared. Unfortunate. The budget allowed them to pay off the clients and keep going. Holes were plugged.

A week later, another break-in. Once again, money was lost and had to be repaid out of the start-up’s pocket. And finally, after getting hacked a third time, the owners decided to turn to an IT security specialist. I secured the site, but the business’ reputation wasn’t coming back. The project slowly died off: clients prefer not to lose money once a week.

Now these guys have launched a psychology-based project. The founders aren’t technical people, so they have hired a number of devs. Once again, security is being disregarded. I wish them luck, while my experience tells me the odds of falling into the same hole are high.

Story #2. Investor: friend or foe?

Startups draw in investors. Sometimes a legal contract outlines the relationship, other times not. Founders do consider legal protection of their baby; however, the odds of an investor taking over the project through technical means seem astronomically low. Nevertheless, that’s a scenario I witnessed unfolding a year ago.

The investor was not only funding the project, but also brought in his own outsourced development team, moved production to his server, and was part of the startup’s technical operations. Disputes began when the funding stream ran dry. The investor wanted more, while the owner wanted to leave for Bali.

So when it was clear that a peaceful resolution to the conflict was impossible, a hostile takeover took place: the investor rebranded the business, moved everything to his private domain and so on. The founder was left without access to his own project: no passwords, data or servers.

And of course, he had no backups.

Story #3. A sysadmin’s revenge.

This model of pressure from employees has been known for a long time. Project founders hire developers and admins. Sooner or later disputes arise (code quality, pay timings, etc.; sometimes even blatant blackmail).

Out of spite (or in calculated mean spirit) the employee purges everything he has created, and whatever else he can get his hands on. Uploading pornography to web pages is one of the least harmful ways this can go down. In acts of revenge, crucial passwords get changed and the business’ owner is often left without the servers that hold the data and the source code.

A startup’s technical security. How does one make his startup secure?

All these stories have a common point: the security of an internet business was not given enough thought ahead of time. Had there been an IT security specialist – they’d be success stories.

In the push towards making an MVP (Minimum Viable Product) and starting to make money as soon as possible, startupers often underestimate reputation risks. For some projects these are insignificant, while for others a loss of reputation means the death of the business. In that case, one cannot disregard the importance of what a security specialist can provide. Beginning at the design stage, he’d be working side by side with the devs, signing off on which corners can be cut and which you don’t touch with a ten-foot pole.

Startup looking for an investor? A developer? Try a security specialist.

First of all, secure a security guy (even better if he’s an admin at the same time). He’s the one who can and will prevent you from losing control of your project.

What stops a security person from taking over your business?

Reputation risk is of utmost importance for an IT security specialist. Thus, under no circumstances will a sane specialist (I hope you find a sane one at that) give away a client’s data.