Yesterday at the Smart Business Show 2015 in the RDS, Runa Sandvik, a privacy and security researcher who is also a Forbes contributor, gave a workshop titled "Starting up security: what you can learn from Sony and Lenovo". She gave some invaluable hints and tips, interspersed with some great examples of bad security, some of which you can read about below.
No matter how big or small your business is, you should always identify threats, even unrealistic ones, and always evaluate the associated risks. Decide what level of risk is acceptable to you and write a policy that covers both the threats and the risks you are willing to accept.
You should invest in your developers and teach them security. You also need the best brains to look at their code to make sure it’s secure. If your company is small, train your developers to be more security conscious so that anything developed is more secure.
Build a strong culture of strict code review so that you don't get any nasty surprises, and have someone else independently go over all code created.
Think about launching a bug bounty program. This is where you invite security testers to examine any software you develop and report any weaknesses they find to you.
Manage your secrets and don't do what Sony did. When Sony got hacked, the attackers hit pay dirt when they found a file called passwords.txt on a public share directory.
Never have shared passwords; make sure each user has their own unique password.
Start using two-factor authentication, so that if someone manages to get your username and password they still can't use them.
Focus on authorisation, and work on a need-to-know, least-access basis. This means only giving people access to what they need and nothing more. Why should somebody in accounts have access to your website?
Start using patch automation with continuous integration; this means that employees can't postpone Windows or other updates on their computers.
Keep your eyes and ears open; make sure you know if you have been hacked or are being hacked. There is nothing worse than finding out in the media or online that you have been hacked or are being hacked.
Put system and application logs somewhere centralised, so that you can see if anything has been tampered with (for example, email logs). This will give you an overview of how your system is working, whether any changes were made and who made them.
Centralised management keeps home and work life separate; using the same computer at home and at work is more likely to lead to security issues and viruses. Only allow issued laptops which you have control over, i.e. apps, browsers and software can only be installed if the IT department gives you permission.
Help employees manage passwords by making it easier for them to create and store passwords.
Understand your consumers and their wants and needs. Lenovo did not do this when the Superfish scandal broke, and because they failed to understand what their customers needed, it could cost them future sales. They offered their customers a free tool which they could download and use to remove Superfish, but it did not work for everyone who used it.
As your company grows, so should your security. If your company grows from 10 employees to 100 employees, make sure your security can adapt and grow to take care of the extra 90 employees.