
Is your ego making your startup insecure?

It may not come as a surprise to you, but there is a high correlation between those people who embark on the entrepreneur path and those of us with well-developed egos.

Don’t take offense at this: self-confidence is practically a survival skill in a business world that takes people on a fast-paced, high-risk roller-coaster in which 90% of all who enter crash and burn.

While this confidence and ego help protect and drive us towards success, they are a destructive force when it comes to keeping our new ventures secure.

Don’t get offended and run away. Hear me out.

Yes, you are a danger to your own systems, your customers and their data but don’t worry, we can fix this.

Five ego-driven myths that might be compromising the security of your business

So let’s take a look at the five most common statements made by startup founders and their team and debunk a few myths.

Myth 1: We are awesome engineers and naturally create secure systems

Yes, I know you chose the best/latest frameworks and have containerised the heck out of your entire infrastructure. You hired the best people you could find and you value their skills. You have the best combination of tools and talent available.

These are all great things.

The trouble is, having great tools and talent doesn’t guarantee they can build secure applications and software. Talented engineers don’t naturally have knowledge of secure development practices or of how to model threats in their architectures. Tools and technologies often have many options to set and configuration steps to carry out before they are ready for secure production deployment.

Simply put, your awesome tool and talent combination is a great foundation, but both will need further time and investment to prepare them for the challenges of security.

The key here is to admit this.

Admit that you are vulnerable, continuously learn/improve and accept that your technology is imperfect and needs work.

Myth 2: Our market validation didn’t mention security as a customer need

So you have written ‘Tinder for French Bulldog playdates’.

You did hundreds of market validation interviews with dog owners and discussed the challenges they face when getting playmates for their furry friends.

Not one person mentioned that they cared if their personal and billing details remained private…

Wow. They must not care right?

Security is an implied requirement. People don’t tend to state it as a desire because they assume it’s a base feature: everything they use should be secure.

Be careful when you validate your ideas that you understand the difference between the features that are unique to your value proposition and the features that are expected by default of applications and software in general.

If in doubt about whether security is a requirement for your application… IT IS.

Myth 3: We would know if someone was attacking

This is something that even big companies handle badly.

We are all used to living in a world of tangible physical threat. If a bear was going to try and eat you as a tasty treat, you would hopefully notice it as it lumbered towards you with a happy smile on its face.

The trouble is our applications and businesses are not visible to us all the time.

We have to take two conscious steps to turn our security risk into something we can see coming.

Firstly, log and monitor everything. Create audit trails through your applications, find all of those system and application logs, bring them together, configure them well and keep them safe.

Secondly, MONITOR THE LOGS. Really… like all the time.

You cannot hope to see something suspicious or unusual if the only time you check your logs is when you are debugging a functionality issue.

Make your logs prominent, configure alerts and get many eyes over them. Bring them together into dashboards and make them a feature of your development environments.

You can’t see attackers coming if you don’t watch out for them.
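The two steps above in code, as an added example that is not from the article: two constructed log sources (an application audit log and an SSH auth log) are normalised into one stream of failed-login events, and an alert fires when a single source IP produces a burst of failures inside a time window. The log lines, regexes, hostnames and the 5-failures-in-5-minutes threshold are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real logs): an application audit log and a
# system auth log, the two kinds of source the article says to bring together.
APP_LOG = """\
2024-05-01T10:00:01Z login FAIL user=alice ip=203.0.113.7
2024-05-01T10:00:03Z login FAIL user=bob ip=203.0.113.7
2024-05-01T10:00:04Z login OK user=carol ip=198.51.100.2
2024-05-01T10:00:06Z login FAIL user=dave ip=203.0.113.7
"""
SYS_LOG = """\
May  1 10:00:07 web1 sshd[412]: Failed password for root from 203.0.113.7 port 5022
May  1 10:00:09 web1 sshd[413]: Failed password for invalid user admin from 203.0.113.7 port 5023
May  1 10:30:00 web1 sshd[500]: Failed password for root from 192.0.2.9 port 6001
"""
APP_RE = re.compile(r"^(\S+) login (FAIL|OK) user=(\S+) ip=(\S+)$")
SSH_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?(\S+) from (\S+)")

def parse_events(app_log, sys_log, year=2024):
    """Step 1: normalise both sources into (timestamp, user, ip) failure events."""
    events = []
    for line in app_log.splitlines():
        m = APP_RE.match(line)
        if m and m.group(2) == "FAIL":
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(3), m.group(4)))
    for line in sys_log.splitlines():
        m = SSH_RE.match(line)
        if m:  # syslog lines carry no year, so one is assumed
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return sorted(events)

def failed_login_alerts(events, threshold=5, window=timedelta(minutes=5)):
    """Step 2: alert when one source IP has >= threshold failures inside the window."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    alerts = {}
    for ip, times in by_ip.items():  # times are already sorted
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), end - start + 1)
    return alerts
```

The same pattern extends to any other source you normalise into the event stream; the point is that an alert exists at all, rather than the logs being read only during debugging.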

Myth 4: Our entire team follows best practice for security, we are immune to threats

I can tell you some horrible facts about your team right now without even meeting you.

  • At least one of you is terrible at password management and has simple, guessable or shared passwords.

  • At least one of your team isn’t using two-factor authentication for sensitive systems such as your domain registrar, your corporate email provider or your deployment systems.

  • At least one password is written down somewhere silly.

  • At least one of your team is using a cloud tool that you don’t know about.

Between systems and data that you aren’t backing up (or testing the backups for), poor hygiene with accounts and access, and bad habits with environment access and deployment — startups are normally far from perfect.

Take a look at your own personal practices and be honest. Are you really that good? Are you really perfect?

The horrible truth is it’s much easier to attack a person (such as a founder) via poor account behaviours than it is to attack an application.

Attackers will take the easiest route to their objectives.

Don’t be that route.

Myth 5: We are too little to get hacked

You might be right. Kinda.

Your ‘Tinder for French Bulldog playdates’ app is highly unlikely to be of interest to some cyber intelligence division of a foreign nation state. Hurrah!

Shame about all the other groups and individuals out there who could potentially do you or your customers harm.

From competitors to upset staff/former staff and from the politically active to those amongst us who just want to watch the world burn — there is always someone or some group that could be a threat to you and your organisation.

Motivated by money, personal grievance or political agenda, there is a reason to attack every company and every piece of software, and normally more than one person or group with the resources and skills to do it.

Don’t believe you are too small to be hacked or that you aren’t interesting; that’s simply not true.

You just may not have met your attacker yet.

So wind your neck in and get prepared.

Startup life is about survival and your ego might be getting in the way of security survival. Keep hold of this list and if you hear yourself or those around you speak this way… call it out.

Part of succeeding in a small, fast growing business is learning fast, finding your vulnerabilities and addressing them. It’s time for you to do this with your security vulnerabilities.