There are more than 25,000 SaaS start-ups operating worldwide, with a total market size of more than $273 billion. A cyber-attack on a SaaS start-up can be so devastating that many start-ups never recover from it.
Most SaaS start-ups store sensitive information such as Personally Identifiable Information (PII) of customers, mission-critical information of clients and even highly sensitive government and defence information. This makes them a juicy target for threat actors.
Most SaaS start-ups are in the early stages of their journey. At an early stage, a SaaS start-up has to manage multiple priorities such as building the SaaS product, marketing, finding the first customers, establishing MRR (Monthly Recurring Revenue), building the team, etc. Often, cyber security gets deprioritised, resulting in weaknesses that attackers can easily exploit. Some of these weaknesses can end up killing the start-up.
While it is understandable that start-ups need to quickly find customers, generate revenue, survive, and scale, they need to strike the right balance and invest in a level of cyber security controls that is commensurate with their risk.
In this article, we recommend a set of measures that start-ups can implement through the initial stages of their journey. These measures will help start-ups defend against attacks from threat actors and provide assurance to their clients, customers, and regulators about their cyber security posture.
1. MVP Stage:
Start-ups are trying to develop the MVP or the first iteration of the product. Most start-ups at this stage consist of the founders and one or a few developers.
Start-ups are mostly bootstrapped with the founders using their day jobs to fund the MVP. This is the right time to simultaneously start implementing cyber security controls.
We recommend that start-ups undertake the following foundational cyber security initiatives:
a. Secure Code Development: Even for an MVP, start-ups are expected to follow secure coding standards when building the software. Secure coding standards govern the coding practices, techniques, and decisions that developers make while building software. They aim to ensure that developers write code that minimizes security vulnerabilities. There are several secure coding standards and coding security guides in widespread use today, including the OWASP Secure Coding Practices and the SEI CERT Coding Standards.
b. Endpoint Anti-Virus: At this stage, employees of most start-ups use their personal laptops to develop the MVP and access sensitive information. The compromise of the personal laptop could jeopardise the start-up. Start-ups must ensure all devices used for developing the MVP have enterprise anti-virus software installed on them.
c. Secure Configuration: Security of cloud assets is the shared responsibility of the cloud provider (Azure, AWS, Google Cloud etc.) and the organisations using them. Start-ups must ensure that cloud assets are configured securely. Any misconfiguration could result in exposure of sensitive information stored in the cloud. For example, misconfiguration of AWS S3 buckets is one of the top reasons for data breach in 2021.
d. Patching: Servers, laptops, mobile devices, software libraries etc. used for developing the product must be patched regularly.
e. Background Verification: Many start-ups outsource the development of the MVP to software companies or freelancers, who may be located overseas. Similarly, a few start-ups hire developers as permanent staff. The developers may have access to sensitive information belonging to clients or customers. It is important for start-ups to at least do basic background verification of the developers they are hiring. Start-ups must ask the software companies for background verification reports of the developers working for them.
f. Strong Passwords: Start-ups need to protect cloud root accounts, email and domain admin accounts, the source code repository and other applications. It is critical that start-ups implement strong passwords for these accounts. Passwords must have a minimum of 15 characters with a combination of letters, numbers, special characters, upper case and lower case. We strongly recommend that start-ups use password manager software for securing passwords.
g. Two Factor Authentication: Implement two factor authentication for critical assets, especially cloud access, email and the code repository.
h. Privacy Policy: Understand the privacy requirements that the start-up is required to comply with and formulate a privacy policy that clients and customers can refer to.
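Item c above names S3 bucket misconfiguration as a leading cause of breaches. The following added example (not code from the original article) is a minimal offline check that flags bucket-policy statements granting access to anonymous principals, shown beside a corrected policy; the bucket name, account id and role ARN are placeholders.

```python
"""Flag S3 bucket-policy statements open to anonymous principals
(added example, not from the article). Policies below are constructed samples;
the bucket name, account id and role name are placeholders."""
import json

# The classic misconfiguration: Principal "*" may read every object in the bucket.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-startup-data/*",
    }],
})

# Corrected: the same read grant limited to one IAM role (placeholder ARN).
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-startup-data/*",
    }],
})

def _is_anonymous(principal) -> bool:
    """True when Principal means everyone, including unauthenticated requests."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def find_public_statements(policy_json: str) -> list:
    """Return the Sid (or index) of each unconditional Allow to anonymous principals."""
    statements = json.loads(policy_json).get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    findings = []
    for i, stmt in enumerate(statements):
        # A Condition block can narrow a wildcard principal; only unconditional grants are flagged.
        if stmt.get("Effect") == "Allow" and "Condition" not in stmt \
                and _is_anonymous(stmt.get("Principal")):
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings
```

Grants that carry a Condition are not flagged and still deserve a manual review, as do the account-level Block Public Access settings, which this check does not read.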
2. Product/Market Fit:
Start-ups have successfully launched the MVP and acquired their first customers. They have identified their product/market fit and are looking to launch or have launched key revenue generating features in their software. Most start-ups at this stage acquire some sort of external funding.
- As start-ups reach out to more customers, customers expect the start-up to provide assurance that they have embedded industry standard cyber security processes into the organisation.
- Most Venture Capitalists (VCs) conduct cyber security due diligence of the start-up to ensure that the start-up they are investing in has appropriate cyber security controls built in.
- Cyber attackers might target the start-up using common techniques as it acquires customers and markets its software.
We recommend that start-ups implement the following cyber security initiatives in this phase:
a. Cyber Security Roles and Responsibilities: Establish clear roles and responsibilities for cyber security. The key roles to be established include a senior stakeholder accountable for cyber security, a technical expert responsible for technical security operations and a stakeholder for identifying and reporting risks.
b. Cyber Security Policies: At a minimum, establish a cyber security policy that clearly articulates the management direction and intent for cyber security.
c. Information Classification and Handling: Identify information accessed, used, stored, destroyed and shared by the organisation. Information can be of their clients, employees, partners and external users.
Look for the different types of systems used across the whole infrastructure and analyse the information residing in each system. Common systems to look for are HR systems, finance systems, databases, etc.
Categorise information based on their criticality and value to business. Implement handling rules for each categorisation of information. For example, handling rules could be ‘All highly sensitive information must not be shared with third parties on email’ or ‘All highly sensitive information must not be printed’.
d. Awareness Training: Conduct some sort of cyber security awareness training to ensure that all staff are up to date on cyber security threats impacting them.
e. Asset Management: Maintain an inventory of all hardware, software and information assets used by the start-up. This will help when responding to a cyber-attack. At this stage, we recommend using an Excel sheet to track the assets and avoid spending too much time on purchasing sophisticated tools.
f. Access Control: Implement a standard process for access provisioning, de-provisioning and approval. Ensure access is terminated on the employee's last day. At a minimum, keep an inventory of all access entitlements granted to staff. Review the access entitlements at periodic intervals.
g. Penetration Testing: Conduct penetration testing of the product at regular intervals. We recommend that any significant new feature or major change to the product be pen tested before release. Ensure that all findings from the penetration testing are resolved within agreeable timeframes.
h. Secure Code Review: Implement secure code review through SAST and DAST tools.
i. KPIs/KRIs: Establish Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) for the controls. Ensure they are reported to the Board at regular intervals.
Start-ups must start planning for industry standard cyber security certifications such as ISO27001, SOC2 etc. These certifications mandate the start-ups to implement and maintain appropriate cyber security measures. Certifications provide clients and customers assurance on the start-up’s cyber security capabilities.
3. Scale
Start-ups have acquired more than 100 enterprise clients or 20,000 end customers. The Monthly Recurring Revenue (MRR) is growing at 30% and the start-up is adding more customers every month.
The start-up rapidly expands its team and sets up offices in various countries. There is significant media attention. Start-ups at this stage go through several rounds of funding.
At this stage, start-ups:
- Face cyber-attacks regularly, with increasing levels of sophistication.
- Have to comply with cyber regulations from various countries.
- Work with various suppliers, third parties and partners who have access to the start-up's infrastructure, information, etc. The cyber security maturity of these parties becomes critical to the functioning of the start-up.
- Acquire multiple high-profile organisations as customers. These customers expect the start-up to have industry standard cyber security capabilities.
The objective of start-ups at this stage must be to become cyber resilient. We recommend that start-ups implement the following cyber security initiatives in this phase:
a. Cyber Security Team: Establish dedicated resources for cyber security including a dedicated cyber security officer/manager for overseeing and managing cyber security activities.
b. Risk Management: Identify, categorise, track and remediate cyber security risks. Monitor all cyber security risks through a centralised risk register.
c. Email Security: Implement secure email gateway technology to prevent malicious emails from reaching your inbox. Implement SPF, DKIM and DMARC for your domains.
d. Phishing Tests: Test the cyber security awareness levels of staff by conducting regular phishing simulation tests and train them accordingly. Develop targeted spear phishing and Business Email Compromise (BEC) scenarios to test senior management stakeholders.
e. Change Management: Any change in the IT environment of the start-up must be assessed, tracked and monitored to avoid unauthorised changes that may cause business disruption or introduce weaknesses in the IT environment that attackers could exploit. Establish formal change control/management processes which include change request initiation, change approval, risk analysis, testing approval, closure documentation and change owners.
f. Secure Configuration Baseline: At a minimum, develop and document operating procedures and security configurations for critical assets used in the infrastructure. Regularly review and update the baselines according to best practices.
g. Real Time Security Monitoring: Implement security information and event management (SIEM) tools and technologies to detect unusual activity occurring in the infrastructure. Later, invest in and implement 24x7 monitoring using a third-party Security Operations Centre (SOC) for timely notification and rectification of anomalies.
h. Incident Response: Develop an incident response management framework to respond effectively to cyber incidents. At a minimum, the framework should include roles and responsibilities, categorisation of incidents, severity/impact rating, incident response phases and notification channels. Regularly simulate an actual cyber incident, assess the response and improve the response framework and processes.
i. Business Continuity Planning (BCP): Develop BCP and Disaster Recovery (DR) plans to sustain business activity in case of a disaster. Define Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO) for the critical assets, regularly simulate a disaster and improve the BCP/DR plans and processes.
j. Crisis Management: Establish a crisis management plan to respond quickly and keep the business running in case of a crisis. Ideally the crisis management plan should cover the response to every crisis that the start-up can foresee. Major cyber security incidents and incident response must be integrated with the crisis management plan. Conduct crisis simulation drills and update the crisis plan regularly.
k. External & Independent Audits: Employ independent third-party organisations to conduct external audits that find new weaknesses in the cyber security implementation. Act on the recommendations and resolve the weaknesses within a defined timeline.
Achieve and maintain cyber security certifications such as ISO27001, SOC2-Type etc.
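Item c of this stage calls for SPF, DKIM and DMARC. As an added example (not code from the original article), the Python below parses constructed SPF and DMARC TXT records and flags the weak settings that often get left in place (SPF `+all`, DMARC `p=none`, partial `pct`, no reporting address) beside hardened versions; the domain and mailer names are made up, DNS lookup is omitted to keep it offline, and DKIM is not covered.

```python
"""Flag weak SPF and DMARC records (added example, not from the article).
Records are constructed samples; a live check would read the TXT records
for the domain and for _dmarc.<domain>, omitted here to stay offline."""

WEAK_SPF = "v=spf1 include:_spf.example-mailer.invalid +all"      # any host may send
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"      # monitor only
STRONG_SPF = "v=spf1 include:_spf.example-mailer.invalid -all"    # hard fail for others
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"

def assess_spf(record: str) -> list:
    """Return findings for an SPF record; an empty list means nothing weak was found."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    # The trailing 'all' mechanism decides the fate of senders not listed before it.
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        return ["no 'all' mechanism: unlisted senders are not rejected"]
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    if qualifier in "+?":  # pass or neutral for everyone defeats the purpose of SPF
        return [f"'{all_terms[-1]}' lets any host send as the domain; use -all or ~all"]
    return []

def assess_dmarc(record: str) -> list:
    """Return findings for a DMARC record ('tag=value' pairs separated by ';')."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        issues.append("missing or invalid 'p' tag")
    if tags.get("pct", "100") != "100":  # partial enforcement is a common leftover
        issues.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        issues.append("no 'rua' address: aggregate reports will not be received")
    return issues
```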
4. Mature
Start-ups are now considered large multinational companies (MNCs). They generally have hundreds of staff. Their valuations have either reached unicorn status or they are making efforts to become a unicorn company.
Companies at this stage are expected to have proactive and industry leading cyber security capabilities. They are expected to invest in state-of-the-art technologies and controls.