So you’ve put together a team, figured out a prototype for delivering an innovative solution to society’s most pressing problems, and have started winning pitches across the globe. But before things really take off, could your business already be compromised?
Cybercrime could be a more pressing concern for startups than you’d think. Imagine finding a similar product already launched by some other company, in a foreign market, packaged using your logos and designs, with nearly identical patents already filed before you can even submit your own applications — all because the entire time, your systems had been infiltrated and someone had access to your paperwork drafts, your R&D, and even your email exchanges.
Even if you aren’t strictly a tech startup, the vulnerability of your web applications puts your assets at risk. As a startup CEO you may already wear many hats, but getting up to speed with web security basics isn’t reserved for the CTO; it’s one of your responsibilities too. Home in on the critical areas, know what to automate, and make the most of what you can outsource for little or no cost.
Here’s an easy-to-follow eBook that lays out the essentials of web security, but if you’d like to skip straight to recommendations you can implement right away, here are three web security services to help you steer your business to safety and protect sensitive data.
1. Web Application Firewall (WAF) — Shield Against Hacking and DDoS
First and foremost, set up solid perimeter security. This one step eliminates the bulk of threats coming in through the web.
Web Application Firewalls help inspect all inbound and outbound website traffic to detect and block malicious visitors to your site. Automated attempts to crack your website’s admin account password, malicious inputs to your form fields that compromise your database, spam traffic aimed at exhausting web resources and bringing your site down — all of these exploits by hackers can be fended off with a single shield. The mighty WAF is a big first step to securing the giant attack surface that is your website.
In fact, sophisticated DDoS attacks are evolving to target the web application layer, blending application- and network-level attack techniques. Even if you pay for a dedicated DDoS mitigation solution, the provider will need the same capability as a WAF to profile HTTP/HTTPS traffic and distinguish a legitimate visitor’s requests from a DDoS bot’s. This is because DDoS mitigation has two parts: controlling traffic volume and inspecting traffic quality. A WAF, with its granular traffic inspection for detecting malicious behavior, is especially well equipped to tackle DDoS attacks aimed at the application layer (Layer 7).
Hence, if you had to pick just one web security service, go with the WAF: it protects against the attacks your website faces daily, on top of advanced DDoS attacks. Better yet, choose a WAF that also provides DDoS protection across both network and application layers (Layers 3, 4 and 7).
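As an added illustration (not code from the original post or from any WAF product), here are the two halves of mitigation the section describes, volume control and quality inspection, in a minimal Go request inspector. The login path, the per-window thresholds and the tiny injection signature are assumptions made for the example.

```go
package main

import "regexp"

// Request is a constructed view of one inbound HTTP request as a WAF sees it:
// Path includes the query string, Body the submitted form fields.
type Request struct{ IP, Method, Path, Body string }

// Verdicts the inspector can return for one request.
const (
	Allow      = "allow"
	Flood      = "block: request flood (traffic volume)"
	BruteForce = "block: login brute force (traffic quality)"
	Injection  = "block: injection pattern in request (traffic quality)"
)

// injectionPattern is a hypothetical, deliberately tiny signature set; real WAF rule sets are far larger.
var injectionPattern = regexp.MustCompile(`(?i)('|%27)\s*(or|and)\s+|union\s+select|;\s*drop\s`)

// Inspector keeps per-IP counters for one time window (never expired in this toy), like a WAF's behaviour profile.
type Inspector struct {
	MaxRequests   int    // volume control: requests allowed from one IP per window
	MaxLoginPosts int    // quality control: login attempts allowed from one IP per window
	LoginPath     string // the site's admin login page (assumed path, set by the caller)
	requests      map[string]int
	loginPosts    map[string]int
}

func NewInspector(maxRequests, maxLoginPosts int, loginPath string) *Inspector {
	return &Inspector{MaxRequests: maxRequests, MaxLoginPosts: maxLoginPosts,
		LoginPath: loginPath, requests: map[string]int{}, loginPosts: map[string]int{}}
}

// Inspect applies volume control first (cheap, catches floods), then the quality checks that look inside the request.
func (in *Inspector) Inspect(r Request) string {
	in.requests[r.IP]++
	if in.requests[r.IP] > in.MaxRequests {
		return Flood
	}
	if r.Method == "POST" && r.Path == in.LoginPath {
		in.loginPosts[r.IP]++
		if in.loginPosts[r.IP] > in.MaxLoginPosts {
			return BruteForce
		}
	}
	if injectionPattern.MatchString(r.Path) || injectionPattern.MatchString(r.Body) {
		return Injection
	}
	return Allow
}
```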
2. Site Scanners — Weed Out Existing Damage
Don’t just take your developer’s word for it: use site scanners to keep track of your website’s health. A WAF is an active, preventive web security service, but it does nothing for a site that is already infected. So once a firewall is keeping new malware out, it is a good time to thoroughly clean out any existing traces of hacking on your site.
Qualys’ vulnerability and malware website scanner, FreeScan, is one of the most popular tools to get that done. By testing websites for the OWASP Top Risks and even scanning your local network, you can quickly obtain an overview of current security threats to get started on fixing them.
Noticed a drop in visitor traffic? Perhaps you’d want to check if Google has labeled your site “malicious” and your search results are showing “This site may harm your computer.” Simply use Google’s free site checker.
There are also free tools available online to assess not just the quality of your code but also some security aspects of it. Microsoft recently released sonar, a free “linting” tool for weeding out bugs in your website’s code.
3. Encryption — Protect “Data At Rest” and “Data In Transit”
If you’ve managed to get SSL on your site — which is a breeze with Cloudbric’s free SSL service — great job! This ensures that data exchanged through your site (“data in transit”) stays protected from man-in-the-middle (MITM) attacks. However, you also want data residing in your databases to remain secure even if hackers manage to sneak in, so consider implementing a database encryption solution to secure “data at rest” too.
If you’re storing sensitive information like customer banking information, or even simply maintaining a newsletter mailing list, you have a liability. According to a study by NetDiligence, data exposure involving Personally Identifiable Information (PII) comprised 40% of all types of information stolen in data breaches, with organizations making more than $50 million in revenue accounting for nearly half of all cyber insurance claims. By encrypting your data, you minimize its value to data thieves as compromised data remains unreadable to those without the right decryption keys.
One of the most popular open source database management systems is MySQL, the default database for a number of website-building platforms such as Drupal, Joomla, and WordPress. While MySQL provides enterprise-level encryption capabilities, they are a premium feature requiring the $5,000 annual subscription for MySQL Enterprise Edition. A more affordable alternative for MySQL encryption, which also works for PostgreSQL, MariaDB, and Percona databases, is MyDiamo, which can perform advanced partial encryption and comes with access control and audit capabilities. Free licences for MyDiamo are available to encrypt up to 5 columns, and if your startup happens to be a non-profit, you may even be eligible for the unlimited free licence.
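An added example, not MyDiamo’s or MySQL’s implementation, of what column-level (“partial”) encryption at rest looks like in Go: only the sensitive cells are sealed with AES-GCM under a key kept outside the database, so a copied table yields ciphertext that only the key holder can open. The column names and the key are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// ColumnCipher wraps one data-encryption key, held by the application or a key
// manager and never stored in the database it protects.
type ColumnCipher struct{ aead cipher.AEAD }

// NewColumnCipher builds an AES-GCM cipher from a 16-, 24- or 32-byte key.
func NewColumnCipher(key []byte) (*ColumnCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &ColumnCipher{aead: aead}, nil
}

// Seal encrypts one cell: a fresh random nonce is prefixed to the ciphertext and the
// column name is bound as associated data, so a value cannot be moved to another column.
func (c *ColumnCipher) Seal(column, value string) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return c.aead.Seal(nonce, nonce, []byte(value), []byte(column)), nil
}

// Open decrypts one cell; it fails for a wrong key, a wrong column or tampered bytes,
// which is what keeps a stolen database dump unreadable.
func (c *ColumnCipher) Open(column string, stored []byte) (string, error) {
	n := c.aead.NonceSize()
	if len(stored) < n {
		return "", errors.New("stored value too short")
	}
	plain, err := c.aead.Open(nil, stored[:n], stored[n:], []byte(column))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}
```

Non-sensitive columns (a plan name, a record id) are left in the clear so they can still be indexed and queried; only the PII cells go through Seal.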
Take Control and Start Out Strong
These three kinds of web security services cover the bases of defense, damage control and reinforcement — and most are free to use! As you can see, protecting your business from attacks by nameless cyber adversaries is both necessary and feasible. The important thing is that it needs to be done before your business scales.
To learn more about what to look for when choosing web security services, check out our “Newbie’s Guide to Security as a Service (SECaaS)”.
Editor’s Note: This post was originally published in June 2015 and has been updated for relevance and comprehensiveness.