Every startup today should be thinking about its approach to security. This is especially true for companies with access to sensitive information about individual consumers.
Sumit Agarwal, Co-Founder and VP of Product at Shape Security, addressed this issue at a recent KPCB 12-200 CEO Workshop. “If you’re like most of the people I talk to, security is a little bit like getting in better shape,” he said. “You know what you need to do – but that’s not going to happen, not this year.”
Agarwal told the audience that he would give them concise and actionable advice: the “five very best things I picked up at Google, in the Air Force, the NSA, and the rest of my career that will give you the best bang for your security buck.”
Here’s his list:
1) Ditch Microsoft Office
If you use Microsoft Office, Agarwal said, you will end up spending millions of dollars on security gear as well as people to run that gear. In contrast, the amount of money that Google invests for you – if you switch to their free Google Docs platform – is much larger than most other companies can afford to invest. The people they bring to bear, the reputation they have at stake, and the general infrastructure that they have built cannot be matched by a growing company. So rely on the pros if you can.
2) Dedicate a Computer for Online Banking
Though this step sounds radical, it’s actually very simple. If all members of your finance team use only one computer to log into the company bank, and that one computer is not used for anything else, it’s much less likely that the computer or the account will be compromised. Most finance teams need to interact with the corporate bank account only a couple of times a week. Using a dedicated computer reduces your vulnerability to the bank account breaches that cost companies so much money.
3) Use Two-Factor Authentication Everywhere
Two-factor authentication is extremely valuable. You should enable it on every major service that you use. The approach is especially valuable as we continue to transition to mobile. The additional friction for your employees will be, at most, an extra ten minutes a month.
4) Perform Background Checks on 100% of New Hires
This point may be a bit controversial in Silicon Valley, but it is important to run background checks on every new hire. Doing this will provide protection against threats from insiders, which is a difficult thing to control for in security. Large organizations spend lots of money trying to address this issue, often with little effect – so it is an excellent idea to minimize risk from the get-go.
5) Create a Culture of Security Awareness
If your staff spent just a tiny bit of their time each day taking a heightened security posture, the company would get a much better outcome than millions of dollars’ worth of security gear could buy. Encouraging your people to be a bit more suspicious about the strange email that arrives in their inboxes or the individual who piggybacks behind them through the door can make a big difference.
How do you create a culture that fosters this? At Shape, Agarwal says, the culture is built on having fun, encouraging pride, and employing a little bit of good-natured humiliation. For example, if an employee walks away from a workstation, laptop, or other device, someone can grab it to see if it’s unlocked. If it is, that person might send a note to the team that says: “Hey, I just got back from a business trip and have these amazing new beers for you to try – come by my desk on Thursday at six.” The duped employee can then either admit that they left their device unlocked or buy a bunch of beers for the office. This certainly creates a heightened sense of general awareness.
Another Shape tactic is to hire a company that phishes Shape’s employees. At random intervals, a group of employees will receive a well-crafted email that attempts to deceive them, and the company tracks who opened the message, who clicked on it, and who reported it. The potential embarrassment of this exercise reduces the number of people who fall for phishing emails over time.
Taking these five steps should go a long way in helping a company improve its security quickly, cheaply, and effectively.