SecureState recently performed INFOSEC Assessments for two small but rapidly growing businesses. An INFOSEC Assessment gives an organization a clear view of the current state of its entire security program. The controls we recommend are precise and carefully designed so they do not distract attention from running the business; the recommendations provide essential, useful information and ultimately add value to the business. The approach reviews how each control is designed, validates whether it is actually effective in practice, and identifies controls that are missing or broken.
Although the two businesses are in entirely different industries, each with its own unique issues, from an information security perspective they looked all too similar and familiar. These engagements confirmed what we see often: small to midsize companies with an aggressive growth model are usually bad at security. They don't take the time to create formalized policies and procedures, and they quickly outgrow what little infrastructure they do take the time to put in place.
Perhaps it should not be surprising that small companies focused on growth tend to neglect security. But just because it isn't surprising doesn't excuse this glaring weakness. In fact, we hear a lot of (bad) excuses from companies like these.
1. We’re funded by venture capitalists, and they expect their money to provide ROI.
Is the investment secure? If you are putting significant money in, then you really should be looking at security. Venture capitalists aren't averse to risk, but protecting the investment is just good business. A breach or a loss of information could put a startup out of business outright.
2. We’re spending our money on the development side.
Security needs to be embedded in the organization. It is more cost effective to integrate security while a company is small and still in the development stage than to try to fit it in once the company and its environment have become more complex. Minimal investments in infrastructure and in sound policies and procedures can pay off big in the long run.
3. We share space with other businesses, and don’t own our building. Security is out of our control.
Incubator space is always a struggle. While the cost of rent is low, the risks are high: you do not control who else has physical access to the building. The best practice is to ensure that critical data is not stored on site. Use cloud storage solutions, and make sure back office operations have only limited access to that critical data. Note that moving the data off site removes the physical risk but not your responsibility for it; access to the cloud environment still has to be restricted and monitored.
4. Our business model is very focused, so we don’t have very complex or dynamic environments.
This excuse is especially bad. A small attack surface does not mean you can't be compromised. All it takes is one threat actor deciding to target the vulnerabilities these environments usually have, which tend to be severe, and the resulting breach could put your company out of business before it really gets off the ground.
On the other hand, companies with a focused model tend to have only one regulation they need to comply with, so helping them achieve regulatory compliance is much less expensive and time consuming.
The bottom line is that protecting company and client information and securing systems should be an important concern for any business, and for anyone invested in that business. And if it is important, it is almost always a good idea to bring in someone who can show you how to do it the right way. Which brings us to our final excuse:
5. We didn’t realize we were that bad.
Information security is not the core business of these small companies, and they typically have not yet invested in the IS staff needed to properly implement a cohesive security program. Just how badly off they are usually becomes clear at the closing meeting once our engagement is complete. The CEO of one of these companies was so upset by what he heard about the shortcomings of his security that he stood up, said "Fuck!" and walked out of the meeting.