10 Cybersecurity Tips For Startups From A Top VC

Taking The Steps

Bessemer Venture Partners is in the business of nurturing startups, with a keen interest in those involved in cloud computing. The company has invested in more than 80 cloud businesses, seven of which ultimately went public.

Byron Deeter, a partner at the oldest VC firm in the country, recently presented a State of the Cloud report based on the company's latest research to executive leaders of companies in Bessemer's portfolio.

The cloud market, now with a total cap of $180 billion, has grown by 10 times over six years, and should double again in the next two years. Deeter predicted total cloud market cap will hit a half-trillion dollars by the end of the decade.

In his presentation at the Bessemer Venture Partners & Salesforce Ventures Cloud CEO Summit, Deeter also offered a "10-Step Plan to Surviving in Cyberspace."

Pick Your Battles

"You can't secure everything. Quantify the monetary damage, likelihood, and mitigation cost of each threat to prioritize your time and resources," reads Bessemer's State of the Cloud report.

Solution providers call this data classification and segmentation.

Unisys Vice President of Security Tom Patterson recently told CRN: "By segmenting off the crown jewels, you are able to withstand a breach by containing the loss. Today, segmenting is done easily and effectively with micro-segmentation tools, and they work in data centers as well as clouds."
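The "quantify damage, likelihood and mitigation cost" advice above is a ranking problem once the numbers exist. The following is an added example, not code from Bessemer or CRN: it ranks a constructed threat inventory by expected loss avoided per dollar of control spend, drops controls that cost more than the loss they avert, and funds the rest in order until a budget runs out. All names and figures are made up for illustration.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    """One row of the threat inventory (all figures are constructed sample values)."""
    name: str
    damage: float           # monetary loss if the threat materialises, in dollars
    likelihood: float       # probability it materialises within a year (0..1)
    mitigation_cost: float  # yearly cost of the control that would address it

    @property
    def expected_loss(self) -> float:
        # Annualised loss expectancy: what this threat costs on average per year
        return self.damage * self.likelihood

    @property
    def return_on_mitigation(self) -> float:
        # Expected loss avoided per dollar spent on the control
        return self.expected_loss / self.mitigation_cost


def prioritize(threats, budget):
    """Rank threats by return on mitigation and fund them in that order while the budget lasts.

    Controls that cost more than the loss they avert are dropped outright: spending on them
    loses money on average, whatever the budget. Returns (funded names in order, unspent budget).
    """
    worth_fixing = [t for t in threats if t.expected_loss > t.mitigation_cost]
    ranked = sorted(worth_fixing, key=lambda t: t.return_on_mitigation, reverse=True)
    funded, remaining = [], budget
    for t in ranked:
        if t.mitigation_cost <= remaining:
            funded.append(t.name)
            remaining -= t.mitigation_cost
    return funded, remaining


# Constructed sample inventory for a hypothetical early-stage SaaS company
SAMPLE_THREATS = [
    Threat("phishing of admin credentials", damage=500_000, likelihood=0.30, mitigation_cost=20_000),
    Threat("unpatched public web server", damage=800_000, likelihood=0.20, mitigation_cost=60_000),
    Threat("laptop theft without disk encryption", damage=100_000, likelihood=0.10, mitigation_cost=5_000),
    Threat("office break-in", damage=50_000, likelihood=0.05, mitigation_cost=15_000),
    Threat("nation-state zero-day", damage=2_000_000, likelihood=0.01, mitigation_cost=150_000),
]

if __name__ == "__main__":
    funded, left = prioritize(SAMPLE_THREATS, budget=90_000)
    for name in funded:
        print("fund:", name)
    print("unspent:", left)
```

With the sample figures the break-in control and the zero-day programme are skipped because each costs more per year than the loss it is expected to prevent; the remaining three are funded in order of return, which is the "pick your battles" outcome the report describes.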

Establish A Security Culture

"Show your team that security is important through communication and example. Provide periodic training, pen testing, and password management tools," according to Bessemer.

A recent report from Verizon highlights the importance of fostering such a culture. Insider misuse, Verizon concluded, accounted for more than 10 percent of corporate breaches and more than 20 percent of total incidents.

The culprits of such insider misuse ranged from cashiers to executives, according to the Verizon study.

Speaking specifically about the federal government, DLT Solutions' Chief Cybersecurity Technologist Don Maclean told CRN he recommended "doubling down" on user training, including making sure that users, technical staff and executive staff are getting comprehensive training on cybersecurity.

Pick Secure Platforms

"Select compute platforms with strong security, such as Linux, Chromebooks, iOS, Google Apps and open source systems," Bessemer Venture Partners advises startups.

Solution providers told CRN that as trusted advisers to their clients, they are responsible for guiding them to safe and secure platforms that are best suited for their businesses' unique needs.

Email Is The Key

"Control an inbox, and you control a life. Your email service should enforce multifactor authentication, malware/phishing filters and encryption. Use SPF and DKIM," the Bessemer report recommends.

Sean Stenovich, partner and owner of M&S Technologies in Texas, recently told CRN that email security typically falls midway down the wish list of his customers, with demand typically a bit higher from midmarket companies.

"I don't have customers beating down my door for email security," Stenovich said. "At the same time, it doesn't mean it's low on their totem pole."
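"Use SPF" is easy to say and easy to get wrong; a record that ends in "+all" authorises the whole internet to send as your domain. The block below is an added example, not code from Bessemer, CRN or any mail provider: it evaluates a sending IP against SPF records the way a receiving server does (ip4, ip6, include and all mechanisms with their qualifiers, per RFC 7208) and audits a record for the shapes that leave a domain spoofable. DNS is replaced by a constructed in-memory table so it runs offline; the domains, addresses and records in it are invented, and DKIM (the report's other recommendation) is not covered here.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups: none of these domains or records are real.
FAKE_TXT = {
    "example-startup.test": [
        "v=spf1 ip4:203.0.113.0/24 include:mail.example-provider.test -all",
    ],
    "mail.example-provider.test": [
        "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    ],
    "loose.test": ["v=spf1 +all"],
    "nospf.test": ["some unrelated verification token"],
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf(domain, txt=FAKE_TXT):
    """Return the domain's single SPF record, or None if there is not exactly one."""
    records = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def check_spf(ip, domain, txt=FAKE_TXT, depth=0):
    """Evaluate SPF for a sending IP: pass, fail, softfail, neutral, none or permerror.

    Supports the ip4, ip6, include and all mechanisms with their qualifiers; a, mx,
    exists and redirect need live DNS and are reported as permerror in this offline version.
    """
    if depth > 10:                       # RFC 7208 caps DNS-based terms at 10
        return "permerror"
    record = get_spf(domain, txt)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:      # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            try:
                # A version mismatch (v4 address vs ip6 network) simply does not match
                matched = addr in ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
        elif mechanism == "include":
            matched = check_spf(ip, argument, txt, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                     # nothing matched and no "all" present


def audit_spf(domain, txt=FAKE_TXT):
    """Flag record shapes that leave the domain spoofable, as a defender reviewing DNS would."""
    findings = []
    record = get_spf(domain, txt)
    if record is None:
        findings.append("no single valid SPF record: receivers cannot reject spoofed mail")
        return findings
    terms = record.split()[1:]
    last = terms[-1].lower() if terms else ""
    if last in ("all", "+all", "?all"):
        findings.append(f"terminal '{terms[-1]}' lets any host send as this domain")
    elif last == "~all":
        findings.append("terminal '~all' only softfails spoofed mail; use '-all' once the sender list is complete")
    elif last != "-all":
        findings.append("no terminal 'all': unlisted senders get a neutral result")
    return findings


if __name__ == "__main__":
    for domain in FAKE_TXT:
        print(domain, check_spf("192.0.2.1", domain), audit_spf(domain))
```

Against the constructed table, a message from 192.0.2.1 claiming to be example-startup.test fails hard, while the same source claiming to be loose.test passes, which is exactly the gap the audit function reports.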

Your Website Is The Front Door

"Protect your storefront and customers with a Web Application Firewall, anti-DDoS service, Device ID and payment API," according to Bessemer's report.

A recent Symantec study on web security concluded: "Web threats got bigger and much more aggressive in 2014 as holes in commonly used tools and encryption protocols were exposed and criminals made it harder to escape their malicious clutches ... Vulnerabilities and new variants of malware underlined that website security deserves full-time, business-critical attention."

Secure Coding

"Bake it in now—retrofits won't work. Hire a DevOps security expert. Train your coders to avoid traps, and use code analysis tools and third party security APIs," reads the Bessemer Ventures State of the Cloud report.

Awareness of these kinds of procedures has grown tremendously over the past few years, according to Emmanuel Benzaquen, CEO of Checkmarx, a security startup that recently closed an $84 million Series D round.

"I think when we talk about hackers and application security, everyone understands today when even just three to five years ago ... people didn't know what security was at the application layer. Today it's starting to become best practice and widely understood," Benzaquen recently told CRN.

Control The Internal Network

"Track every IT asset. Install securely configured images on all computers. Lock down all Admin accounts. Use a DMZ Proxy and light SIEM. Automate patching. Encrypt and test your backup systems," according to Bessemer Ventures.

It’s the lack of timely patching that led to some of the most severe recent data breaches, including at Home Depot and GlobalSign.

Unisys Vice President of Security Tom Patterson told CRN: "Every single facet of the enterprise should be patched obsessively, despite it being a pain. Most false entry is still gained via well-known weaknesses in software and configurations, and patches are being created in realtime to address them, but they don't do any good if they are not applied quickly."

Physical Security

"Easy win. It's now cheap to equip offices with buzzers, badges and surveillance," states the Bessemer Ventures State of the Cloud report.

Solution providers told CRN that to maximize effectiveness, physical security and information security should be integrated.

"Enterprises are still too siloed in their approach to security, with logical [cyber] security separated from physical security," Patterson told CRN. "Today’s attackers are exploiting that gap, which informs a new defensive strategy that unites the two towers."

Plan For Failure

"Breaches are inevitable, so don't wait. Understand your legal obligations and business risks. Prepare a plan to investigate, report and mitigate breaches," Bessemer Ventures advises its affiliated startups in its State of the Cloud report.

Notifying the appropriate parties following a data security breach is often a delicate process, according to the Ponemon Institute's 2012 Consumer Study on Data Breach Notification. More than half of the 2,800 consumers surveyed by the Ponemon Institute said they wanted to be informed only if the organization is certain that they are at risk. Fifty-eight percent said the notification is not helpful if it fails to explain all the facts and is "sugar-coated."

Solution providers recommend preparing for the legal and communications challenges of breaches with the following five steps: consult public affairs and legal teams; designate an incident response leader; identify key organizational stakeholders; determine breach notification requirements; understand the key audiences.

Be Open With The Public

"Honesty is the best policy. Be transparent not only about cyber risks, but also about everything. You will provoke fewer attacks, and build up some good will for when you screw up," according to Bessemer Ventures' State of the Cloud report.

This rule holds for a garage-based startup just as it does for cloud juggernaut Amazon Web Services, which learned its lesson the hard way after a massive cloud outage in 2011 that left partners up in arms over the lack of transparency.

"Amazon has been extremely quiet around how the failure occurred and how it will be avoided in the future," Joseph Coyle, CTO for North America for global solution provider Capgemini, told CRN back then. "Although it is a major hit to Amazon, I believe that if they explain the issue and how to avoid it, they can hold back the damage."

Amazon has since become much better at communicating problems at its data centers, and at avoiding those problems altogether.