Author: Terry Kurzynski, ISO 27001 Auditor, CISSP, CISA, PCI QSA
The Internet of Things (IoT) and cloud computing have provided businesses and consumers with unimaginable tools and functionality, not to mention immense entrepreneurial opportunities. Along with the connectedness of these solutions come increased security risks that many entrepreneurs, start-ups, and venture capitalists need to be aware of before either launching into the tech industry or investing in a tech business.
But few things can be as crippling to a new venture as missing a critical business requirement: that your services and systems must be secure. In 2014, data breaches accounted for $445 billion in damages, and over $300 billion in intellectual property was stolen by China. Tech buyers are getting savvy and unforgiving about security in the systems they buy. How can a small start-up think and plan for these risks proactively? Here are a few suggestions:
- Solution Security Testing: Have you done thorough security testing to see if your product, software or solution is "hacker proof"? Nothing is 100% secure, but your organization should make sure you are not the easy target.
- Development Lifecycle Security Review: The product development lifecycle, including software development, is where vulnerabilities are introduced. Proactively reviewing your lifecycle and building in security practices can help reduce the number of vulnerabilities that have to be fixed after the product is in production.
- Intellectual Property Security Review: Follow the flow of your intellectual property from inception through final design and beyond. Who is harmed if your intellectual property is breached? You will lose advantage to your competitors, but if that IP is misused, could it create further harm down the road?
- Use Case Security Review: Your product or solution was intended for a specific purpose; however, there may be an opportunity to misuse your product and cause harm to the public, putting your organization at risk or leaving it holding the liability.
- Vendor Risk Management: Do you utilize trusted third parties to perform operations, hosting, development, data analytics, or any other function? If so, you share responsibility with your vendor for securing your information. What security controls do they have in place? What contract language do you have to hold them accountable? What is your vendor review process, including initial onboarding and annual reviews?
- Supply Chain Risk Assessment: Sometimes the components we buy from others to build into our products are vulnerable to security breaches. Sometimes those components are built to spy on their users. Do you use components for your product that are manufactured overseas? It is prudent to assess the motherboard and component manufacturing process to identify the risk of backdoors. What flaws may exist at the supplier, including in quality and security assurance, reliability, counterfeit parts, and financial viability?
Building security into your business from the start is the key to smart cyber security, and it is mandated by various laws and regulations. Companies that ignore information security will leave their businesses open to a variety of malicious attacks and potentially jeopardize their very existence. Invest in information security now to prevent expensive rebuilding later.