Start Now: Why Startups Must Address Security (and Privacy) Immediately

Yevgeniy Vahlis | Security, Security First

Very few things are certain in (cyber) security. Having said that, there is one absolute truth: The earlier you address security issues, the less they’re going to cost you. That’s because even if your vulnerabilities haven’t been exploited by an attacker yet, the complexity of unwinding whatever bad security decisions you made that led to the situation will be greater than if you’d just designed a more secure system in the first place.

Perhaps one of the best examples of a company putting off meaningful security considerations until late in the game, and then paying significantly more as a result, is JPMorgan. In 2014, the company suffered a major data breach and has been fighting an uphill battle to address security issues ever since. The cost has been enormous with its already expensive cyber security budget doubling to a massive $500 million per year between 2014 and 2015.

Other examples of post-breach costs are well documented in the media, including lawsuits, reputational damage and in some cases the inability to provide service. In extreme situations breaches have resulted in the complete and permanent loss of the entire company, as in the case of Code Spaces.  

Do It Right the First Time

Unfortunately many startup teams think that their first (and sometimes only) focus should be on shipping features. As a result, they put off security considerations to a later date when they think they’ll have more time and budget. It’s time to challenge that thinking and design for better security early on.

The best companies build security thinking into their organisational and engineering processes from the outset. For example, when building software the leading teams ask — both at the design review and the coder review stages — what the security implications of the proposed functionality are.

The worst companies, by contrast, do nothing, take the bare minimum compliance approach, or wait until the product is built (and sometimes shipping or even breached) before they start to think about privacy and security. If they’re lucky, those companies will get the opportunity to go back and revisit all of the decisions that they made that impact security but that they didn’t consider at the time. The unlucky ones, however, will just shut down or have their valuations reduced.

Architecture Matters

One of the key decisions that needs to be made early in the lifecycle of any software startup is what type of architectural approach it’s going to take. Some companies will take a monolithic approach to code if it’s what they have done before and it’s a quicker way to roll out features than taking a more componentized approach such as micro services. The bad news is that it’s very difficult to get security right in a monolithic architecture. For example, user authentication code may end up being spread in multiple places in the code base, making it nearly impossible to enforce consistent use of it among your programming team.

The costs of revisiting the entire product architecture will be significant as it requires a complete redesign, rewrite and roll out of the new architecture, all while keeping existing users happy and quickly adding new users to meet growth targets. In almost every situation it would have been less costly to take a componentized approach in the first place.

Another example of a good design decision early on in a startup’s life relates to what data the company keeps and how it stores it. Avoid collecting personal user data that isn’t required and use data management techniques such as differential privacy that help prevent the identification of individual user information in the event of a breach or other type of data disclosure.

Business Models Matter

In the worse case scenario a company may develop its entire business model around assumptions for privacy and security that are incompatible with the market or regulator. For example, Google and Facebook both have aspects of their business models that are incompatible with regulator and consumer sentiment in Europe. And it’s not just the big consumer companies that are waking up to find that baseline assumptions in their business don’t sufficiently address security and privacy considerations. Many startups also take the approach of vacuuming in data, i.e., trying to grab as much data on consumers as they can and then not looking after it particularly well.

The issue is that as legislation (e.g., Europe’s GDPR) and consumer sentiment continue to shift toward wanting more control over data and better security, those companies may find themselves not only having to re-engineer how they do things, but also having to change aspects of their business model. At Georgian, we believe that the shift will continue to be toward more user control of who has access to their data, and that markets will respond with better privacy and security controls to protect data.  

Didn’t Start Early? Start Today.

The longer that organizations leave before addressing security concerns the more risk and cost they will incur. And spending money after the fact to fix already complicated and compromised systems doesn’t guarantee success. In fact, as cyber security budgets continue to rise, so will the scale and cost of major data breaches. More fundamental changes are required than just adding new tools and technologies to try to shield us from the attackers.

Software systems are highly complex environments that are easy to break and expensive to fix, especially when already in production and supporting rapidly growing businesses. Startups would be much better off asking themselves the right questions up front than scrambling after the fact. Putting security off to another day also leaves you vulnerable not just to hackers, but also to any competitors that get security and privacy right from the start.

Putting security first isn’t just about reducing risk and cost, over the next few years security and privacy will move even further up the list of business and consumer priorities. Companies that don’t address security and privacy will underperform their peers that do, which just yet another reason why you need to start now.