Start-Ups: Data Security by Design from the Start
Updated: Mar 29, 2021
If you label your organisation as a ‘start-up’ you will find this article useful; please read-on.
As I seek to expand and evolve the UKDataSecure business, we are attracting significant interest from ‘start-up’ businesses and SME’s seeking to develop new technology in the form of apps and new websites, across all types of industries.
The mantra we advocate is simple; design and build data security in from the start as it's so much cheaper and less intrusive than retrospective refit when the realisation hits that security should have been addressed much sooner.
We provide the following as a check-list for start-ups, and offer our range of packaged services to support implementation of security by design from the start:
Cyber security for a start-up doesn’t need to be too complex or costly; simple measures are defined within the National Centre for Cyber Security website https://www.ncsc.gov.uk/ and will get you moving in the right direction. Putting some basic controls in place will be a great start.
It’s always a good thing to include Cyber Security in your overall business plan and roadmap, so that it is not overlooked.
At the very least complete a short risk assessment; only a few hours needed, to make sure you are aware of who might target you and what data they might be after, and the likely type of attacks you may be subject to, then you can determine the high level impact on your start-up business and therefore the proportionate budget you should allow for data and cyber security.
No organisation is too small to hack and there is no such thing as 'security by obscurity'; the criminals are highly organised and will look for newly formed companies on Companies House, and look for companies raising capital, and will often use machine driven tools to sniff around the internet looking for these companies and their vulnerabilities.
Make sure you’ve put in enough data and cyber security at the start, so that in a few years-time when looking for further investment or to sell off the business retrospectively refitting security does not require a fundamental re-engineering of the business, its systems architecture or the culture of the business.
Use the most up-to-date technologies with the newest security measures build in as standard and updated frequently.
Understand inherent security built into your chosen cloud or web-site hosting platform and make sure you have externally certified and auditable assurances of security by design from the provider.
When you design and build your new platform document data flow and the entire methodology of the proposed solution, the full eco-system and all the moving parts so that you know data needs protecting from malicious intrusion.
Employ capable developers using recognised industry standard/best practice secure coding techniques and practices to ensure vulnerabilities are not allowed to be built in.
Include security by design during requirement definition, design, analysis and testing so that security vulnerabilities are not inadvertently or maliciously built in.
Maintain segregation of duties and code reviews by individuals other than the originating code author and knowledgeable in code review techniques and secure coding practices, to ensure independent and objective review, to eliminate the possibility of code which allows malicious exploit.
External code review and vulnerability testing is essential; assume the role of a malicious hacker to try to ‘break’ the solution, to allow error correction before code is deployed into a production environment and released as a customer ready solution.
Please don’t be one of the many organisations we talk to who say things like:
‘we haven’t built the back-end yet, let alone the front end so we don’t need to worry about data security yet’, or
‘its okay, everything is in the cloud so it’s secure’, or
‘not a problem, my developer looks after security’.
If you are one of these organisations, please come and talk to us; you are highly likely to be building yourself a problem for the future which could lead directly to a data breach which could in turn destroy the viability of your start-up business.
We have successfully helped a number of start-ups avoid the mistake of leaving security by design too late and are in conversation with numerous others who are seeking our input.
If you would like to talk to us about how we can help your start-up business to get security right first time please book a call today using https://bit.ly/ukdsbookacall.
If you would like to know more about the services we provide, that could help your start-up enterprise please follow these links:
No-cost and low cost consultation workshops https://bit.ly/UKDSLEWorkshop
Low cost out-sourced data security as a service https://bit.ly/UKDSCISORemoteLite
I look forward to talking through the details of these services as soon as we can, and I look forward to working with our new start-up clients to achieve appropriate data risk management and information security governance and compliance from the start.
Stuart Golding - Founder and CEO
Credits for this article – Crossword Cybersecurity and ZeroDayLab