Security Awareness as Company Culture
Roger Ruttimann, CTO Reactful, Inc.
Security breaches affecting small and large companies are now so common that only big and dramatic breaches (Equifax, Yahoo, Target, etc.) make the headlines.
This should not obscure the real issues: Hackers are constantly stealing online data, compromising systems, and affecting online commerce through their malicious actions.
This is a real threat, and affects every business. Even startups. Period!
Emerging startups and established companies engaged in creating online services in any domain or vertical space need to first build a secure, stable and well-performing application.
What comes next is how to make sure that every aspect of the business, from customer data handling to financial transactions is handled securely.
Project delays, cost overruns and shifting project priorities often pressure companies to take short cuts, delay implementation of security policies, and to not update processes.
This can create weak spots that will be exploited by malicious hackers. No one should be surprised that the Equifax breach happened on systems that had not been updated for a known security issue for over 6 months (Lily Hay Newman, Wired, 09/14/2017).
Create a security-centric vision
Startup companies have the unique opportunity to build the company culture from scratch around security awareness, and have a head start over established companies that may have to work much harder to change established practices.
The advantages of integrating security awareness as part of the company culture are many, for example:
- Greater focus on the integrity of the core business, since security will be part of the process.
- Creation of a trusted work environment not constantly threatened by a possible crisis.
- Handling security issues builds skills that will be of value to the company, and benefit the staff throughout their careers.
- Saving the company money by reducing the need to fix problems later.
While building new teams or creating a new startup, security awareness should be the cornerstone of every product decision, indeed every decision, including the onboarding process and business and partner transactions.
Where to start?
Creating and defining the company (or team) security policy is the first important step.
The policy is a constantly evolving document with feedback and input from all employees in a never-ending process.
It should cover all aspects of the business:
General conduct of business
The basics of creating a secure environment can’t be neglected in day to day operations, and the policy should cover them.
- Encrypt the disk on your laptop and disable automatic login
- Use a password manager for all credentials. No word docs on Google Drive!
- Use secure email services
- Security Training program for all employees
- Location, access rights for sensitive documents (contracts, customer lists, invoices, etc.)
- Share sensitive documents on an as-needed basis
- Location of presentations, marketing material that can be shared
- Where to store your own personal data
Third-party service access
Many sensitive operations (payroll, storage, compute infrastructure, publishing, website content, etc.) are handled by external services. Accessing these services requires credentials that should not be shared among employees.
In addition, each employee who has access to an application that manages sensitive business information and data should be required to enable two-factor authentication (2FA), so that changes are made by authorized people only.
The company's own application is an area that gets a lot of focus and attention, and deservedly so, since it is often the biggest exposure to possible hacking and attacks.
The company policy should cover basic rules for the engineering team, such as:
- Process to handle and address security issues as they become known
- Process for roll out of patches/updates for security issues
- Backup and data retention policies
- Issue tracking and escalation process
- Location and access rights for source code repositories
- Best practices for implementing security in applications (credential handling, a required 2FA option, API security requirements)
More specific engineering security policies for development need to be put in place to cover the more technical aspects of security such as:
- Data encryption and encryption key management
- Evaluation of third party libraries prior to inclusion
- Configuration data (IP addresses, DB credentials, etc.) should not be stored in the repository.
- No default users and passwords should be pre-configured in the software
- Deployment and update procedures and processes that maintain security
- No customer data used for QA testing
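One way to enforce the "no configuration data in the repository" rule mechanically, as an added example that is not part of the original article or of any Reactful tooling: a small check, meant to be called from a git pre-commit hook with the staged file names, that flags private IP addresses, DB credentials and connection strings with embedded passwords while allowing values read from the environment. The patterns and the sample config are constructed for illustration and will not catch every secret; a dedicated secret scanner belongs alongside it.

```python
"""Constructed example: flag configuration data that must not be committed."""
import re
import sys

# Categories of configuration data the policy keeps out of source control.
PATTERNS = {
    "db_credential": re.compile(
        r"(?i)\b(?:db_?pass(?:word)?|password|passwd|secret(?:_key)?|api_?key)"
        r"\s*[=:]\s*['\"]?[^\s'\"]{4,}"),
    "db_url_with_password": re.compile(
        r"(?i)\b(?:postgres(?:ql)?|mysql|mongodb)(?:\+\w+)?://[^\s/:@]+:[^\s@]+@"),
    "private_ip": re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"),
}
# Reading the value from the environment or a ${PLACEHOLDER} is the approved form.
ENV_REFERENCE = re.compile(r"os\.environ|getenv|\$\{?[A-Z][A-Z0-9_]*\}?")

def scan_text(text, path="<stdin>"):
    """Return (path, line_no, kind, line) for each line carrying committed config data."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if ENV_REFERENCE.search(line):
            continue
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((path, no, kind, line.strip()))
                break  # one report per line is enough to block the commit
    return findings

def main(paths):
    # paths: the staged files, e.g. from `git diff --cached --name-only`
    findings = []
    for path in paths:
        with open(path, errors="replace") as fh:
            findings.extend(scan_text(fh.read(), path))
    for path, no, kind, line in findings:
        print(f"{path}:{no}: {kind}: {line}")
    return 1 if findings else 0  # non-zero exit makes git abort the commit

# Constructed sample of a config file that should never have been staged.
SAMPLE_CONFIG = """DB_HOST=10.0.3.17
DB_USER=app
DB_PASSWORD=hunter2secret
DATABASE_URL=postgres://app:hunter2secret@10.0.3.17/app
API_BASE=https://api.example.com
DB_PASSWORD=${DB_PASSWORD}
"""

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run against the sample, lines 1, 3 and 4 are reported and the last line, which defers to the environment, passes.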
If application support involves access to protected systems, the policy should be specific as to when and how this is to be permitted.
- Specify the machines and network segments that are allowed such access (i.e., not from the company's core network)
- Specify the VPN technology allowed, and not allowed
If people are not aware of the policies, or don't know what they say, the security awareness culture does not exist.
Training when onboarding new employees, making security a topic during company meetings, holding regular brown-bag meetings around security, and documenting security measures will encourage all employees to be more aware of the topic of security.
This process never stops, and the training must be ongoing.
Where to go next?
If every employee knows that security is core to the business and acts accordingly, you will have a culture that is security-aware.
The path is long, but startup companies have the unique opportunity to start from the beginning.
At Reactful we recognize the importance of security for our business at all levels, and every employee is involved in defining and implementing the policies that make security awareness part of the company culture. We all agree it is a must-have for the company's success.