10 Security Oversights in Startups [How to Avoid Them]

As a business owner, you are probably here because you faced a security breach. Or not faced one, but all the headlines about the rising number of incidents worried you. Security incidents are costly and cause irreparable damage to your reputation. 

Many businesses take security seriously after their data is compromised. Working with numerous businesses, we found that the culprit, in most cases, are small misses throughout the data ecosystem.

From a lack of access control in a code repo to poor vendor verification process, we have listed some common oversights you must avoid to keep those pesky breaches at bay.

There is no one magical solution, but a combination of knowledge, expertise, and best practices. In this article, we discuss the types of security vulnerabilities, what to do to strengthen your security posture and ensure compliance, and how you can do it.

When you implement these, it significantly reduces the chances of incidents. 

1. Enable MFA on infra, code repo, and email systems

Multi-factor authentication is a basic but effective line of defense against unauthorized access attempts. The traditional user ID and password method often fail to protect accounts as passwords are easy to hack and susceptible to breaches. 

To combat this, you adopt 2FA, which requires users to pass an additional security wall. Users must provide a second piece of evidence, which is  usually any identification data only authenticated users have.

It works using a second factor like knowledge (security questions, passwords), possession (OTP, access badge, USB keys), or inherence (fingerprint, iris scanning, voice recognition). 

With a two-step verification process, you can protect remote devices, networks, and data on the cloud. 

If you are the IT Head of an organization, ensure that all employees have 2FA activated on their work email. It is a practical way to combat common scams such as phishing attacks.

If a hacker mails you a link to a suspicious website that requires Google sign-in, 2FA acts as a wedge between the hacker and your data. Recently, Facebook made 2FA mandatory for high-risk accounts. 

If you are a software developer and your code repository is hosted on the cloud, 2FA can secure your intellectual property from data theft. Each time hackers try to access the code repo, 2FA-enabled devices trigger a request to enter a code sent to an authenticated device.

While this method offers a significant amount of protection, attackers can circumvent this system. A common way that has gained attention is MFA fatigue. The attacker will continuously send account verification notification to the point users mindlessly or, out of frustration, accepts it.

You can protect endpoint devices against MFA fatigue by increasing the time between requests, limiting the number of times someone can request, using the biometric method to grant access, employee education, and creating a super admin role to control devices remotely. 

You can take some additional steps to strengthen your 2FA system. 

• Don’t use the same password for all accounts
• Create complex passwords that are not easy to guess
• Avoid using your birthday, name, number series, or alphabet series as a password
• Restrict the number of times a user can make unsuccessful login attempts
• Use the biometric system as one factor of authentication, as it is not easy to surpass 

MFA requirements for common compliance frameworks:

HIPAA: MFA is not a strict HIPAA requirement. It is suggested that you conduct a risk assessment and identify weaknesses where MFA is an appropriate measure.

SOC 2: You should have adequate and effective measures like MFA to prevent unauthorized access.

PCI DSS: MFA is a requirement if your business has remote access to the cardholder environment.

GDPR: Not a strict requirement. However, you should take appropriate measures to protect sensitive customer data.

ISO 27001: Required for all subscription-based accounts to prevent breaches.

 

2. Peer review process for code deployment

Code review is a process of checking parts of another developer’s code before it is deployed. Some of its benefits are quality assurance, bug identification, discovering logic issues, and improving collaboration across teams.

A 2022 Gitlab survey found that about 76% of developers found code reviews very helpful.

However, the most important logic behind code review is for security and compliance purposes. 

Since developers come from different training backgrounds, it reflects in their coding style. Peer reviews help to maintain the same standard across teams and ensure compliance. 

Peer reviews also facilitate enhanced security. This is especially true for open-source projects where multiple developers contribute. Review by team members allows them to scan for vulnerabilities and alert the developers to fix them before pushing for delivery. 

A good practice is to review code for vulnerability at every stage of the development process – planning, analysis, implementation, and integration. You can gain valuable insights into the entire attack surface and identify gaps. 

Security breaches are likely to occur if your code cannot implement authentication, access control, authorization, encryption, and data validation. 

Also, ensure that your code prevents cross-site scripting attacks and does not contain sensitive data. 

3. Enable screen lock

Locking the idle screen is another basic yet effective security practice. It is a technique that allows you to set the time limit after which the device locks due to inactivity. Since all devices have this system preinstalled; you don’t need technical expertise to set it up or invest to implement it. 

Also known as session management, the importance of this practice extends to more than data security. It prevents unauthorized access, which can tamper or delete your files – deliberately or due to negligence. 

Screen locking is not just a crucial practice in remote work setups but in office environments as well. About 61% of organizations have faced insider attacks in the last 12 months.

Screen lock requirements for common compliance frameworks:

PCI DSS: As per PCI DSS Requirement 8.1.8, if a user is away from a system that contains critical card data for 15 minutes, they must re-authenticate the session to activate it.

ISO 27001: The ISO 27001 clear desk and clear screen policy seek to protect sensitive information. As per this rule, users cannot leave computers without logging off and must protect it with a screen lock. 

HIPAA: HIPAA technical safeguard requires devices to automatically log off after a session of inactivity.

4. Enable anti-malware 

In October 2021, a Japanese hospital had to shut down operations for almost two months. Malicious actors hacked into sensitive medical data of 85,000 patients to extort ransom.

This incident took place after their malware detection system was disabled. While this made headlines, it is not an isolated incident. 

Businesses depend on cloud infrastructure to accelerate workflow but don’t always invest to protect it. Cybercriminals always look for an opportunity to take that advantage – but won’t succeed if you have some threat detection system in place. 

Most devices have some type of antivirus system preinstalled. Traditional antivirus software prevents an array of threats like file corruption, spam websites, spyware, phishing, and more. However, it fails to protect against advanced threats like zero-day and polymorphic attacks. 

This is why you should invest in advanced threat management systems like Endpoint Detection and Response (EDR) solutions. It combines real-time monitoring and data analytics to detect, investigate and respond to risks. 

Most malicious software has a specific signature or pattern which allows an anti-malware system to detect and eliminate it. In a bid to circumvent security systems, malicious actors develop new signatureless tools.

With new types of security breaches arising every day, you must have preventive measures in place. EDR systems protect devices against continuously evolving threats like signatureless malware by analyzing the attack source, threat type, and behavior patterns. 

Here are some EDR platforms you can consider:

Platform	Top Features	G2 rating
CrowdStrike Falcon	Malware DetectionSystem IsolationSystem Isolation	4.7
Sophos Intercept X	Malware Detection Firewall Endpoint Intelligence	4.4
Huntress	Malware Detection Endpoint Intelligence Security Validation	4.9
SentinelOne	System Isolation Malware DetectionEndpoint Intelligence	4.7
Cynet	Malware Detection Application Control Firewall	4.7

Anti-malware requirements for common compliance frameworks:

HIPAA: Security law guidance recommends business associates and covered entities use anti-malware solutions and keep them updated. 

PCI DSS: It is a requirement. PCI DSS 5.1 states that an antivirus system should be installed in all software. Ensure that the solution can detect and eliminate all threats. 

ISO 27001: Annex A.12.2 of ISO 27001 is about implementing controls to protect, detect, prevent, and recover against malware. 

5. Enable device encryption  

Data encryption is the process of encoding plain or human-readable text into a non-human readable format. You can only read it with the decryption key. This key decodes the data into the original, human-readable text. 

Some encryption systems to consider are AES and TLS. 

Advanced encryption standard (AES) protects online data transfer. It is an industry-standard encryption protocol that uses the same key to encrypt and decrypt.

AES encryption keys are of three lengths – AES-128, AES-192, and AES-256. AES-256 is the strongest of the three, as the number of possible key combinations is the highest. 

Transport layer security (TLS) to safely transfer data via HTTPS. This method uses cryptography to secure email, payment card details, messaging, and VOIP. 

Some best practices for using the encryption technique are: 

Centralized key management: If you use hundreds of keys, storage can be tricky. Consider a centralized key management system to process the encryption and decryption. 

Secure storage: Given that malicious actors often target encryption, it is a good practice to implement physical security. Limit access control to critical systems, create a blueprint for disaster management, and regularly check for malfunctions. 

Privileged access: The principle of least privilege is a common practice. It means each employee has access to systems and data they need based on their designation. For example, IT managers and sales operatives don’t need the exact set of information for their tasks. Similarly, developers and designs need access to different systems. 

Encryption requirements for common compliance frameworks:

HIPAA: Mandatory if your risk assessment reveals encryption as an appropriate measure to mitigate the risk. 

SOC 2: This can be a possible control to meet SOC 2 control requirements for privacy and confidentiality.

PCI DSS: As per PCI DSS v4.0, businesses must encrypt all cardholder data transmitted through a public network.

ISO 27001: The objective of Annex A10 is the effective use of cryptography to protect data confidentiality, authenticity, and integrity. 

6. Access removal after an employee exit

On November 11, 2021, an employee of the South Georgia Medical Center quit. The next day, she downloaded unauthorized private data of more than 41,000 patients using a USB. The medical center had to notify the affected patients and provide identity restoration services. 

As previously stated, insider attack is one of the most common causes of data theft. This can happen not only when an employee is a part of your organization but also after they leave it.

The South Georgia Medical Center case is just one of many harrowing real-life examples that highlights the importance of immediate access removal. 

Data theft by departing workers is more common than you think. Many employees believe they have ownership rights over the data they created.

A 2015 survey conducted by Biscom found that about 87% of existing employees take company data with them. You should take appropriate steps to protect your organization’s intellectual property, such as immediately revoking access to all critical systems, networks, and accounts. 

First, create a list of software your organization uses and ask the employee to check the ones they have used. Ask the employee to list whichever software they have used other than the listed ones to discover shadow IT. 

Next, change the password of every tool the former employee used and notify other employees with the updated one. 

Finally, move the data your former employee created to another account and delete it from the existing account. 

Additionally, look for signs when an employee is serving their notice. These include: 

• Unusual increase in the number of file downloads.
• A sudden increase in requests for access to files they previously never needed or opened.
• Detecting unknown devices like pen drives or similar hardware.
• Unusual load in file transfer. 

You can install employee monitoring solutions to prevent data theft. Solutions like DataSecurity Plus prevents data transfer through email or USB devices. It alerts admins when a file is accessed or modified.

It also classifies files based on their sensitivity and detects inconsistencies in permissions. 

Access removal requirements for common compliance frameworks:

HIPAA: Requires employers to remove internal and remote access to protected health information in electronic form at the time of their departure from the organization.

SOC: SOC 2 requires employers to instantly remove employee access after they are terminated or changed employment.

PCI DSS: Requires organizations to immediately remove access of individuals who no longer need it or are terminated.

ISO 27001: As per ISO 27001 Annex: A.9.2.5, user access to internal facilities should be revoked after employee termination or change of job. 

7. Due diligence of the vendors 

When you partner with third-party vendors or contractors, they often have access to your critical systems and data. This adds to data risk in your IT environment. You need to have efficient processes to mitigate risks effectively. These include: 

• Collect all crucial business data such as their legitimacy and check if they meet all compliance requirements.
• Ensure that they have a business continuity plan in case a breach takes place. If your vendor experiences an issue, it will affect customers and your reputation.
• Create a vendor questionnaire as your onboarding process to assess if they have critical processes and practices in place to secure your sensitive data. 
• Revoke access to systems once your contract is over. During the contract period, practice the principle of minimum data; give access to the least amount of data they need to work efficiently. 

Best vendor management solutions:

Platform	Top Features	G2 rating
UpGuard	Centralized Vendor Catalog Monitoring And Alerts Questionnaire Templates	4.5
ZenGRC	Compliance AuditCompliance ProgramRisk management	4.4
LogicGate Risk Cloud	Risk Classification Supplier Scoring Contract Review	4.6
Ncontracts	Team CollaborationVendor ManagementOnsemble intranet portal	4.6
Venminder	Vendor ManagementRisk managementDocumentation	4.8

8. Identity and access management to critical systems

Your IT infrastructure should be set up in a way that facilitates role-based access to administrative and other critical tools. With specialized levels of access based on user account or designation, you can 

To understand this better think of the types of users like IT admins, doctors, and other healthcare staff. They don’t need the same data to carry out their responsibilities. For example, a vendor or third-party contractor with access to sensitive information should be able to view limited data needed to conduct their tasks from authorized devices. 

Therefore, your server should facilitate a unique user id and password for each role and access to the minimum amount of data.

Data minimization is another security best practice; do not store unnecessary data on the server. Collect only the minimum necessary information to function flawlessly. Also, dispose of data that is no longer needed. 

9. Compliance automation software

Now you know the type of security violations, how can you prevent these? One of the most practical ways to eliminate security threats is through a combination of human roles and technology. No matter how advanced technology is, currently, it does not suffice to manage every vulnerability. 

Training your employees and automating processes within your ecosystem is a better, proven way to protect your business, cultivate a security-first culture, and prevent disasters. Platforms like Sprinto help you to train employees, check their progress, and create guidelines to conduct themselves.

It also flags every suspicious activity and assigns someone within your organization to take care of it. You can manage and overlook compliance status from a centralized platform and make changes using an easy-to-use dashboard. In other words, it makes your security compliance a breeze. 

Talk to us about how you can sail through your compliance journey.

10. Sandboxing

A sandbox is a virtual extension of your organization’s network that is a secure digital clone of the real environment. This technique facilitates a secure method of testing untrusted code by running it in the quarantined space to determine if your file, program, or URL is malicious. 

Sandboxing prevents vulnerabilities from inflicting damage on your digital network. This method also eliminates zero-day attacks and offers protection against common, traditional malware.

This feature provides a stronger level of protection than traditional security systems by adding a layer of protection. You can test and analyze software programs or third-party applications before releasing them. Here’s what you should ideally look for in a sandboxing software: 

• It should be able to analyze all suspicious files, such as PDFs, documents, java programs, or other assets within your environment 
• It should analyze content on a web page, such as JavaScript and HTML
• Sandboxing solutions work best when it combines threat testing capabilities with threat intelligence. This will help understand the motivation and type of attack 
• Sophisticated malware can detect if the code is running in a sandbox environment. To avoid this issue, your sandbox solution should have anti-evasion capabilities 
• The sandbox should be able to replicate every granular aspect of your actual environment, such as hardware, system attributes, and more
• It should rescue analyzing time and reduce false positives by filtering the number of analyzing requests based on suspiciousness

You can deploy sandboxing tools on the cloud, on-premise, or as a browser extension. Some sandbox solutions are: 

VirtualBox by Oracle: It is a virtualization solution that enables developers to run code faster on multiple operating systems from a single platform. You can deploy it in Windows, Linux, and macOS.

CodeSandbox: CodeSandbox is a high-speed virtual development platform for web development in the browser. It allows multiple users to collaborate and view changes in real-time. It offers a free version and a paid custom-built plan. 

FortiSandbox by FortiNet: FortiSandbox is an AI-driven sandbox solution that analyzes and blocks malware in real-time without impacting performance. It integrates with a firewall, email, and anti-virus software. Users rated it 4.6/5 on G2.