Many of the role models in IT security are tech giants known for being at the cutting-edge of technology. The preconditions for security work at these companies and small businesses are very different. As a small business you can adjust more easily and do not have to deal with office politics, but at the same time you also lack access to the same kind of resources. Despite these differences, there is a lot you can learn about security from larger companies. We have listed four security tips (and one cautionary tale) inspired by tech giants and a Swedish startup.
Google was early to realize that doing everything yourself is impossible. Not even they, with almost infinite resources, would be able to hire all the world’s IT experts to secure their systems. The problem is obvious, but what is the solution?
They set up a Responsible Disclosure program that allowed ethical hackers to search for vulnerabilities on their own behalf, report them to Google and get some money for each reported security vulnerability. This way Google did not have to hire all the world’s security experts, but could instead just pay them when they submitted something of value. Many freelancing security researchers were attracted by the concept and over the years it has resulted in a large number of resolved security issues. Now, security experts from across the world, are able to contribute to Google without necessarily being employed by them.
If you choose to implement this yourself there is no need to initially offer any monetary compensation for each submitted report. Step one would be to publish a proper way of contacting you (e.g. firstname.lastname@example.org) and show appreciation when someone does. To increase the incentive to help, consider publishing a list with the names of everyone that has contributed, a so-called “Security Hall of Fame”. For many security researchers, that kind of recognition is enough to motivate them.
Invite help from the outside and give recognition to those who contribute.
When you work with IT security, processes and procedures will overtime evolve and improve. You learn from your mistakes, come up with more efficient work methods and perhaps even develop your own tools.
Make sure to share this knowledge. You have probably learned from others and now there are many out there waiting to learn from you. In exchange, you will receive feedback on what you are doing. It is more a rule than an exception that someone will share improvement suggestions when you publish your own solution.
Netflix is very good at this. They publish many of their own internal tools free on the internet and regularly update their blog with insights into their operations. In all fairness, many companies are good at sharing their data and tools, but Netflix stands out.
Blog about your solutions and tools, both to get feedback but also to help others.
Security is no longer something a separate department can alone be responsible for and Swedish health tech startup Kry is a great example of a company that succeeded in building an organisation-wide security mindset.
This is especially important amongst developers; it is often more efficient to make a product safe from the beginning than to patch security holes later. With that said, security is not only a key element of the development process. It does not matter how secure the IT system is if employees use weak passwords. By being clear on how they work with security early on in the recruitment process, Kry are setting the right expectations from the start.
Build secure products from the beginning. Share your expectations on employees and their security mindset. Everyone should have security in the back of their mind, not just the IT department.
If someone discloses a serious security vulnerability in your product, does this automatically mean a PR catastrophe is about to unfold? Not necessarily.
One example of PR done right is when a serious security issue was discovered in Slack last year. By quickly acting on the report, Slack’s team was able to turn the incident into something positive and their security work was praised in the media.
Gitlab is another similar example. In early 2017, they experienced a big data loss, which is bad news for a service for programmers that stores programming code on the internet. They decided to act very transparently about the problem and how they planned to resolve it. Their reaction turned the situation around thanks to prioritizing transparency and focusing on resolving the issue instead of trying to conceal it.
A potential PR catastrophe can often be averted by transparency and prioritizing resolving the actual problem. Something good can come out of a bad situation.
The story of Yahoo is a cautionary tale that can help you avoid making the same mistake. While doing a risk analysis it is often hard to put a number on a security breach, which in turn leads to not prioritizing the risk adequately. The cost potential data loss and hiring an IT consultant to fix the issue is one thing, but how do you calculate the loss of customers’ trust? Yahoo experienced a security breach that showed just how much a company’s reputation is worth.
During the process of being bought by Verizon, a hacking attack against Yahoo became public. After information about the breach reached the public, Yahoo had to lower the price that had previously been decided on by 350 million USD.
This kind of sum is of course hard to relate to as a small business, but it is a clear example of real damage.
Even if it is impossible to know exactly how much trust is worth, it is something you need to consider. A poorly managed crisis can result in great financial losses.
How to make these tips your own
See this post more as inspiration than absolute rules. Some of the tips are applicable to your own business, while others contribute with a new perspective. Big companies are their own category of business, but there is no reason you cannot copy what they do well. Look up how your own role models work with security and adjust their methods to your business. The most important thing is that you start working actively with security today!