Did you know:
46% of cyber breaches target startups globally.
The average global cost of a data breach is $4.88 million (2024).
In Singapore, cyberattacks increased by 145% year-on-year in 2021, with the average cost of a breach reaching SGD 1.7 million, the highest in Asia-Pacific.
Startups like ShopBack have paid SGD 74,000 in fines for a data breach.
Nearly 40% of cyberattacks in Singapore target SMEs.
I have reviewed several startup architectures, and many had no security strategy at all, either because of funding constraints or because the founders felt they were "too small to be a target." That decision snowballs into technical debt that eventually surfaces as a full-blown security incident, and the incident costs far more than the prevention would have.
Why Security Matters for Startups
Having worked at multiple early-stage startups, I understand the founders' position: the pressure is to ship features quickly to meet customer demand and grow revenue. However, neglecting security leads to significant financial and reputational damage in the long run. To help, I have compiled essential, actionable security practices learned from my own experience and from fellow cybersecurity professionals and CTOs. These steps require minimal effort and cost but make a real difference.
1. Implement penetration testing
As a startup, you should ideally perform a manual penetration test after every major release to identify significant security vulnerabilities in your code base or architecture. The pentest report will also speed up security due diligence when you integrate with enterprises or banks.
However, a manual penetration test typically costs around USD 5K to USD 30K; providers usually price by the number of APIs or resources in scope. A cheaper alternative is automated vulnerability scanning. Tools like intruder.io are very easy to set up and let you run free scans against your applications, and some companies accept the resulting report as evidence of security testing during due diligence.
Note: automated scanners find known vulnerability classes (missing patches, misconfigurations, common injection patterns) but not business-logic flaws or chained attacks, so they are not a replacement for a manual pentest. Still, some security is better than no security.
2. Enable protection against automated scanners
Most online attacks are carried out by automated bots that constantly probe your application for weak spots.
How long do you think it takes for an attacker to discover your resources, such as a newly hosted IP address or domain, once they come online? If you guessed less than 30 minutes, you are correct. Attackers continuously scan the IP ranges and domain names of the major cloud providers. I noticed this myself when I launched a new EC2 instance on Amazon and saw login attempts arriving almost immediately.
To mitigate this, I usually recommend that startups implement the following:
Enable OWASP Top 10 protection: OWASP is a non-profit organization created to improve application security. It compiles and publishes the OWASP Top 10, a list of the most critical risk categories facing web applications (injection, broken access control, security misconfiguration and so on). You can think of it as a Spotify chart for security specialists: the attack classes seen most often in the wild end up here. Many WAFs, including Cloudflare's managed rulesets, ship rules that target these categories.
Rate limiting: restricts how many requests a single client (usually identified by IP address) may make within a time window, and blocks or challenges the client once it exceeds that threshold. It blunts brute-force logins, credential stuffing and scraping, and reduces the chance of your servers being overloaded by spam requests.
Both of the above can be implemented using Cloudflare. Sign up for a free Cloudflare account and import your domain's DNS settings.
Enable the Cloudflare proxy in the main dashboard -> DNS tab (the orange cloud next to each record), so traffic passes through Cloudflare rather than hitting your origin directly.
Enable rate limiting from the main dashboard -> Security -> WAF -> Rate limiting rules. Then set a request threshold and time window that fit your application, with a tight limit on authentication endpoints such as /login and a more generous one elsewhere.
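To see what a rate-limiting rule actually does before you choose threshold and window values, here is a sliding-window limiter run over a constructed request log. This is an added example, not code from the original article and not Cloudflare's implementation; the IP addresses come from the documentation ranges and the request timings are made up to mimic a scanner hammering /login next to a real user.

```python
"""Sliding-window rate limiter over a constructed request log.

Added example (not the article's code, not Cloudflare's): it shows the
mechanism a WAF rate-limiting rule implements, so threshold and window
values can be reasoned about before they are configured.
"""
from collections import defaultdict, deque

# Constructed addresses from the RFC 5737 documentation ranges.
SCANNER_IP = "203.0.113.7"
USER_IP = "198.51.100.22"


class SlidingWindowLimiter:
    """Allow at most `limit` requests per key within any `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits: dict[str, deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        hits = self._hits[key]
        # Forget requests that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False  # over the limit: block or challenge, do not count it
        hits.append(now)
        return True


def constructed_requests() -> list[tuple[float, str, str]]:
    """Constructed sample: a scanner fires 25 POSTs at /login within 5 s,
    while a real user logs in, mistypes once, and retries over ~40 s."""
    reqs = [(1000.0 + 0.2 * i, SCANNER_IP, "/login") for i in range(25)]
    reqs += [
        (1001.0, USER_IP, "/login"),
        (1020.0, USER_IP, "/login"),
        (1040.0, USER_IP, "/login"),
    ]
    return sorted(reqs)


def evaluate(requests, limit: int = 10, window: float = 60.0) -> dict[str, dict[str, int]]:
    """Replay the log through the limiter, keyed by client IP, and count the
    outcome per client. Keying by IP is what a basic WAF rule does; a stricter
    rule would key by IP and path so /login gets its own budget."""
    limiter = SlidingWindowLimiter(limit, window)
    stats: dict[str, dict[str, int]] = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for ts, ip, _path in requests:
        if limiter.allow(ip, ts):
            stats[ip]["allowed"] += 1
        else:
            stats[ip]["blocked"] += 1
    return dict(stats)


if __name__ == "__main__":
    for ip, counts in evaluate(constructed_requests()).items():
        print(f"{ip:>16}: allowed={counts['allowed']:>3} blocked={counts['blocked']:>3}")
```

With a limit of 10 requests per 60 seconds the scanner gets its first 10 attempts through and the remaining 15 are blocked, while the legitimate user is never touched. The numbers to tune are exactly these two: a window long enough to catch slow scanners, and a threshold high enough that a user with a few typos never hits it.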
3. Block traffic from high-risk countries
Suppose your startup operates in a regulated industry such as healthcare or financial technology. I recommend restricting access to your application to the country or countries you actually serve, which removes most of the attack traffic originating from high-risk countries.
Here's the list of high-risk countries
"But can't they use a VPN to get around this?" True, but the goal here is to stop automated scanners, which generally do not bother routing around geo-blocks. Treat geo-blocking as a coarse filter rather than a security boundary: a determined attacker can route through a VPN or a cloud host in an allowed country, and legitimate users travelling abroad will be affected, so pair it with the controls above instead of relying on it alone.
If you have a consumer-oriented application that targets multiple markets around the world, you should at least block access from the highest-risk countries.
4. Make regular backups and test
Most ransomware incidents would have caused far less damage if backups existed and their restores had been tested at least once a year.
You can turn on automatic backups in managed database services such as AWS RDS or MongoDB Atlas. Broadly, there are two kinds: continuous backups (point-in-time recovery) and daily snapshots. I recommend startups start with daily snapshots retained for at least three days, scheduled overnight when traffic is low. Keep at least one copy outside the primary account or region: an attacker who obtains your production credentials will try to delete the backups as well.
The most important exercise is a disaster-recovery drill: restore the latest backup into a fresh database, point a copy of the application at it, and confirm that the application starts and works against the restored data without issues. A backup that has never been restored is a hope, not a backup.
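What a restore drill should actually check, shown on SQLite so it runs anywhere without a managed database. This is an added example, not the article's code: the tables and rows are constructed, the "backup" is a SQL dump (the same shape as pg_dump or mysqldump output), and the checks are the ones worth automating for any engine: the restore completes, the restored content is identical to the source, and a query the application depends on still works.

```python
"""Backup restore drill on SQLite, standing in for a managed database.

Added example, not from the original article. Sample tables and rows are
constructed. The drill restores a logical dump into a fresh database and
verifies content and a smoke query rather than trusting an exit code.
"""
import hashlib
import sqlite3


def create_sample_db() -> sqlite3.Connection:
    """Constructed 'production' data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers(id INTEGER PRIMARY KEY, email TEXT NOT NULL);
        CREATE TABLE orders(id INTEGER PRIMARY KEY, customer_id INTEGER,
                            total_cents INTEGER);
        INSERT INTO customers VALUES (1,'a@example.com'),(2,'b@example.com');
        INSERT INTO orders VALUES (1,1,1999),(2,1,500),(3,2,12000);
    """)
    conn.commit()
    return conn


def take_backup(conn: sqlite3.Connection) -> str:
    """Logical backup as a SQL script, like pg_dump/mysqldump output."""
    return "\n".join(conn.iterdump())


def content_fingerprint(conn: sqlite3.Connection) -> str:
    """Hash every table's rows in a deterministic order so a restored copy
    can be compared with the source byte for byte."""
    digest = hashlib.sha256()
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    for table in tables:
        digest.update(table.encode())
        for row in conn.execute(f'SELECT * FROM "{table}" ORDER BY 1'):
            digest.update(repr(row).encode())
    return digest.hexdigest()


def restore_drill(dump_sql: str, expected_fingerprint: str) -> dict:
    """Restore the dump into a fresh database and run the DR checks:
    restore succeeds, data identical to source, application query works."""
    result = {"restored": False, "fingerprint_match": False, "smoke_query_ok": False}
    fresh = sqlite3.connect(":memory:")
    try:
        fresh.executescript(dump_sql)
    except sqlite3.Error as exc:
        result["error"] = str(exc)  # a truncated or corrupt dump lands here
        return result
    result["restored"] = True
    result["fingerprint_match"] = content_fingerprint(fresh) == expected_fingerprint
    # Smoke query: the kind of query the application runs at start-up.
    try:
        (revenue,) = fresh.execute("SELECT SUM(total_cents) FROM orders").fetchone()
        result["smoke_query_ok"] = revenue is not None and revenue > 0
    except sqlite3.Error as exc:
        result["error"] = str(exc)
    return result


def run_drill() -> dict:
    """Full cycle: snapshot the source, fingerprint it, restore and verify."""
    source = create_sample_db()
    fingerprint = content_fingerprint(source)
    return restore_drill(take_backup(source), fingerprint)


if __name__ == "__main__":
    print(run_drill())
```

The fingerprint comparison is the part most teams skip: a restore can "succeed" while silently missing rows if the dump was taken mid-write or truncated in transit. Schedule a job that does this against yesterday's snapshot and alerts when any of the three checks is false, and the yearly drill becomes a daily one.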
5. Add an automatic dependency scanner + updater
Finally, make sure your application dependencies are regularly updated with security patches. GitHub's Dependabot does this for you: once enabled, it scans your dependency manifests for packages with known vulnerabilities or newer releases and opens a pull request for each update it finds. Pin your dependency versions so the scanner knows exactly what you run, keep CI tests running on those pull requests, and merge security updates promptly. This seamless integration saves a lot of time managing your application security.
Conclusion
Investing in basic security measures is essential for startups to avoid costly breaches and build trust with customers and partners. Implementing the practices outlined above can significantly reduce risks while keeping costs manageable.
Are you looking for a cost-effective security review? Please provide your contact information in the form below, and I will contact you.