When you reach a certain point in your career as an entrepreneur, you tend to get asked, “What would you do differently if you had to start another company all over again?”
For me, the answer is clear: I’d take a smarter approach to IT security from the very beginning. When you’re starting a new digital business, it’s easy to focus exclusively on getting the product your company is based around to work properly. Only then do you worry about making it secure. But to borrow a hackneyed saying of Benjamin Franklin’s, “An ounce of prevention is worth a pound of cure.”
That’s never been truer than it is today. In our digital world, preventing the theft of your data and your customers’ data is much, much easier than trying to recover from an actual breach.
In the ’90s, many of the smartest countercultural nerds were connected in some way or another to the security community.
One of my own first projects was a search engine for the security community called Nethernet. This project spurred the creation of one of my first companies, Netherweb, that Roland (another of our cofounders here at Olark, our current company) and I started in 1998 with strong roots in freedom of speech.
Working in this space exposed us to a lot of threats very early in the history of the web, especially since we were such a big target. And back then few people were using SSH or shadowed password files.
It’s funny (well, it’s funny now; at the time it wasn’t), but those vulnerabilities taught us a lot in the early days of running a hosting company about how to set things up right from the beginning: strong firewall rules, a VPN, public/private key access, and other precautions.
As a founder, you don’t want to end up in a lawsuit. Worse, you don’t want to have to explain to your customers and investors why you cut a corner that ended you up there.
Entrepreneurs are great at taking risks, but most successful entrepreneurs take calculated risks. Ignoring security because you don’t understand it, or don’t think it’s important, is a bad idea. Ignoring security as a calculated risk is acceptable.
We’ve spoken to a number of digital startups that had their AWS keys downloaded off a public GitHub repository. Thankfully, those startups survived, but you can imagine the weeks they spent apologizing to their customers and trying to mitigate the fact that hackers had both run up huge bills on their Amazon account and downloaded all their customer data.
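One defensive check against exactly this failure mode, as an added example that is not the author’s or Olark’s code: a small scanner, usable from a pre-commit hook, that flags AWS access key IDs and high-entropy secret keys in staged text before they reach a public repository. The credential values in the constructed sample are the placeholder pair from AWS’s own documentation, not real keys.

```python
import math
import re
from collections import Counter

# Long-lived IAM user access key IDs start with AKIA, temporary ones with ASIA,
# followed by 16 upper-case alphanumerics (20 characters total).
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A secret access key is 40 characters from the base64 alphabet; on its own that
# pattern is too noisy, so it is only flagged when assigned to a secret-looking name.
SECRET_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\W{0,5}([A-Za-z0-9/+=]{40})"
)

def shannon_entropy(s: str) -> float:
    """Bits per character; real secrets score high, placeholders like 'aaaa...' score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_for_aws_credentials(text: str, min_entropy: float = 3.5) -> list:
    """Return one finding per suspected credential, with its 1-based line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "access_key_id", "value": m.group(1)})
        for m in SECRET_RE.finditer(line):
            candidate = m.group(1)
            # Entropy filter drops obvious dummy values so the hook does not cry wolf.
            if shannon_entropy(candidate) >= min_entropy:
                findings.append({"line": lineno, "kind": "secret_access_key", "value": candidate})
    return findings

# Constructed sample of staged content (a hypothetical settings file in a diff).
# The first two values are the documented AWS placeholder credentials; the third is
# a low-entropy dummy that should be ignored.
SAMPLE_DIFF = (
    '+++ b/config/settings.py\n'
    '+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
    '+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    '+aws_secret_access_key = "' + "a" * 40 + '"\n'
    '+DEBUG = False\n'
)

if __name__ == "__main__":
    hits = scan_for_aws_credentials(SAMPLE_DIFF)
    for h in hits:
        print(f"line {h['line']}: {h['kind']} {h['value'][:4]}...")
    # A pre-commit hook exits non-zero here so git refuses the commit.
    raise SystemExit(1 if hits else 0)
```

Wire it into a pre-commit hook by feeding it the output of `git diff --cached`; a key that never reaches the repository never has to be rotated.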
Tinfoil Security’s Michael Borohovski said it best in an email exchange I had with him recently:
Too many entrepreneurs, in the interest of building the product as quickly as possible, think that security is a “freeze all the code, do an assessment, and write all the policies” project they can do later. It isn’t. Think about security from the very beginning. It’s actually not that hard to anticipate what needs you’ll have to deal with in the future.
His point was that security is iterative and should continue to develop as your company grows. And it’s true: there are so many examples of little things founders can do when starting out to prevent certain types of attacks:
- Get laptops for your remote team, and use two-factor authentication wherever possible to protect yourself when laptops get stolen.
- Use encryption like TLS or SSL when storing customer data.
- Run a web application scanner to find and fix vulnerabilities easily.
- Use strong firewall rules to keep attackers from scanning your servers for known vulnerabilities, even if you aren’t actively using the software.
“Over time,” Borohovski told me, “you can integrate tools into your CI/DevOps workflow. All of these things are iterative, continuous, and can always be improved. Starting earlier and improving slowly over time helps keep you from getting breached.”
Here at Olark, we’ve since augmented our security by encrypting data on disk and implementing one of the first responsible disclosure programs. We even brought on an employee dedicated solely to security (thanks, Aaron!).
The responsible disclosure program was actually one of the best things we’ve ever done for security. It took a lot of work, but one major upshot was that it created a sense of urgency around security issues within the organization. We now have a well-established culture around security reviews to scrutinize virtually everything we do for risks.
Losing your customers’ trust due to lapses in security can kill your business. Getting caught in a lawsuit due to damage caused to a customer’s business could also kill your business.
If you’re just starting out, take time now to assess your risks (or hire someone to assess risks for you), then take steps to secure what you have now, and plan for how you’ll secure what you accrue later. The plans you put in place right at the outset will scale much more easily than they will after one, two, five or 10 years in your business’s life.
Ben Congleton is CEO and cofounder of Olark Live Chat. He learned security through trial by fire at his first company, and thinks security is one of the keys to having happy customers.