By Olga Mack, General Counsel at ClearSlide
Data security and privacy concerns are everyone’s challenge because any modern business is dependent on technology in some way. However, security and privacy are not an equal challenge for every business. For established companies, addressing the issue of data security may be a nuisance, but their vast resources can make compliance easier by facilitating the hire of a sophisticated IT security vendor or an experienced data security expert. For cash-strapped startup companies that prioritize growth and getting a foot in the door, these resource-intensive options aren't always available. What’s a startup to do?
Dennis Dayman, Return Path’s chief privacy and security officer, has been helping startups address this issue for some time now. Dayman has more than 25 years of experience combating spam, managing security/privacy/data governance issues, and improving email delivery through industry policy, ISP relations, and technical solutions. He is always looking to make things happen. He knows how to leverage his experience and key relationships to provide best practices to Return Path and its customers, as well as ensure the compliance of their communications data flows.
In fact, Dayman is quite literally in the midst of privacy and security. He is actively involved in creating current internet and digital communication regulations, privacy/security policies, and anti-spam legislation for state and federal governments. He also sits on several advisory boards for internet companies and is a partner, mentor, and frequent investor in startups. While he has been affectionately called a "chief revenue killer" in the past, he believes his job is to be as innovative as he can to maximize his clients’ success: ensuring a company can still hit its revenue targets, and finding a way for an idea to work for all involved rather than killing it just because there are some concerns with security or privacy. Drawing from this expertise, Dayman has a few pragmatic suggestions for startups that won’t break the bank.
1. Keep IT Visible and Informed
IT must be visible and aware of what employees are doing with company data, which tools are being used, and where data is stored. A “sync and share” must happen often. It is increasingly difficult to keep track of data because the line between personal and business devices is blurred and mobile devices are everywhere. According to Dayman, “Consumer cloud file sync/share tools significantly increase the risk of data breaches if not implemented properly. As a result, employees often unknowingly introduce risk to a company by simply syncing data across their devices or working with others outside the organization or downloading the next cool and free mobile application.” IT must be proactively involved to prevent these data breaches and address them when they occur.
2. Create a Data Security Policy, Identify Assets, and Minimize Collection
According to Dayman, “At a minimum, every company must establish data security policies that include guidelines for file sharing.” Cyber-criminals target small businesses because many of them do not pay attention to these issues or fail to allocate adequate resources to address them. It is a good idea to take the time to understand where the business’s value is and give it the proper protections because that is what cyber-criminals target. A company should identify the critical assets of its business and be clear about where they are stored, whether they are encrypted, and who has the keys. Finally, any startup will benefit from minimizing the amount of protected information in its possession. Startups should not collect protected information from customers and employees unless they truly need it for operations. Similarly, information that is no longer needed must be destroyed. As Dayman puts it, “You can’t breach if it doesn’t exist.”
3. Train Employees
The most important thing any company can do to protect itself from a data breach is to spend a significant amount of time and money on training its team to avoid cyber attacks. “It’s cheap and for very small companies, it’s free. Training employees on the dos and don’ts can go a very long way into protecting data,” Dayman says. For example, employee training should include, but is not limited to, data loss prevention, social engineering identification, least-privileged access, physical security of devices, creating a reliable and secure password, and identifying suspicious links and attachments from phishing attacks.
4. Outsource to Established, Cloud-Based, Compliant Experts
A startup should consider outsourcing breach prevention and other functions to established, compliant experts and vendors. According to Dayman, “It is not affordable for most startups to house internal threat intelligence to protect against general and advanced persistent threats. It is certainly not affordable for a startup to house top notch, industrial grade tools.” A simple and easy solution for startups is to store their data on a cloud solution that can incorporate data-centric security as well as application-level security, where the security measures are embedded in the data itself as opposed to protecting only the infrastructure. It makes sense to leverage experts and vendors to get access to sophisticated and compliant tools such as Amazon Web Services (AWS), Dropbox, Box, Salesforce, etc. Startups should also investigate the new small business solutions from Microsoft and Google. These reasonably priced tools offer the backing of big companies with the resources to take data security and privacy seriously. These tools can also neatly scale with a startup’s growth.
5. Encrypt, Especially Your Sensitive Data
One of the most cost-effective ways a startup company can protect itself from a data breach is encryption. It is essential to encrypt not just sensitive information (like credit card numbers or social security numbers, which are non-negotiable) but all information, such as email addresses. Encryption technology is relatively cheap for such a useful investment: even if encrypted information is breached, it will be unusable if done with the right standards and the strongest encryption available to you. Storing the encryption keys on a different server than the secured data is ideal.
6. Conduct Penetration Testing Often and Regularly
Penetration testing is another cost-effective way for a startup company to protect itself from a data breach. “There are a number of penetration testing tools available in every price range,” Dayman says. “It is worth it to spend some money and time to identify your company’s specific needs and find a specific tool that will address its business and be manageable to operate.” After all, it’s a good idea for startups to be able to competently use whatever tools they’ve bought.
Despite their limited budgets, startups simply can't afford to risk data breaches. Implementing these practical solutions can help startups hold onto their data and their money. Dayman's pragmatic, budget-conscious approach further proves that data security is for everyone, from established mega-corporations to the next game changer incubating in a Palo Alto garage.
For further reading about the data security and privacy practices of six companies with global operations, download the ACC primer on "Leading Practices in Privacy and Data Security: Compliance Programs Across the Globe". Organizations featured in this primer described practices and approaches for working through the matrix of varying and changing requirements across multiple jurisdictions, as well as integrating policies and practices with systems and security features.