No-office and 100% cloud-based... how secure and resilient are you?
Like many new enterprises, your company might not own or host any servers, database storage or telecom equipment. Hey, you may not even have a physical office: all your employees could be remote and work from home, or from shared office space(s).
If you are asked the question:
“How secure (from hackers and failures) is your company, and the data it thrives on?”
Your answer shall NOT be:
“Well, everything is at Amazon Web Services and these guys are really secure!...”
Yes, AWS (or Google or Microsoft or Oracle) know how to secure their own Information Technology (“IT”) and run it at 99.99% (or better) availability, because they have a big target painted on their back.
But how secure and resilient your usage of their services is depends entirely on you:
Which services, and which versions or tiers of those services, did you pick and choose from your cloud vendor?
Who in your team has access to what at the cloud center?
What if the single location or region you chose for your cloud data center went dark for a couple of days, for whatever reason?
Is some of your data copied from the cloud onto the laptops or phones of your employees, or of your customer support contractors? What files are sometimes attached to emails?
Can someone you don’t know access an employee’s laptop when they step away for a coffee break at the WeWork, or when they work from home?
What if some of your key employees had to evacuate and were unreachable for several days because of a hurricane or wildfire?
This list could be much, much longer. In fact, the Information Technology Security and Business Continuity questionnaires often used by banks before they agree to sponsor a “FinTech” company can be hundreds of lines long. The security weaknesses such questionnaires are designed to surface are all about you: your employees, your choices, your processes and controls, your policies, your office equipment.
Filling out such a questionnaire is one thing. Making sure your responses reflect your current reality, and that your systems and processes are indeed secure and resilient, is quite another.
Two key initiatives will help you sleep at night:
Organizing regular security evaluations (also known by the decidedly unappealing name of “penetration tests”) of your IT infrastructure. They come in various flavors, or, rather, colors: black box, grey box or white box, depending on how much information and access you provide to the evaluators (none, some, or full). “Cloud audits” are a specialized type of evaluation also worth considering.
Doing a broader yearly audit such as a “System and Organization Controls” (“SOC”) report or ISO 27001 certification, and/or a narrower audit such as Payment Card Industry (“PCI”), which is specific to companies handling payment cards.
There is a large choice of providers of security evaluations, SOC-2 and ISO 27001 audits, and PCI certifications at various price points. It is best to choose a provider with experience in your specific industry and with your particular company size. In other words, don’t pick a large multinational auditor if you are a startup, and don’t choose someone specialized in healthcare privacy compliance if you are a payment FinTech.
There is obviously a cost for such evaluations and audits. However, if you are early stage and still small, you can probably get what you need for about $20K to $25K per year, which is a lot less than the consequential costs of a data breach.
Timing is everything: don’t audit something that is still under construction, but still try to obtain an evaluation before you launch your service to the general public.
Security evaluations (“penetration tests”) perform double duty:
They are an essential and required control for most of the formal audit types referenced above (PCI, SOC-2, and ISO 27001).
They are an integral part of your (and your board members’) fiduciary duty: you don’t want your company to fail because of a security oversight.