Last month, the world learned that the password-storage app provider LastPass had, ironically, been hacked. Again. The perpetrators stole email addresses, authentication hashes and password reminders – enough information to break weak master passwords. It was the second breach in four years for the Washington, D.C., company.
In another facepalm (or maybe just karmic) moment, hackers recently broke into mSpy, the Web app advertised as a way to spy on your kid’s or partner’s mobile device. Records belonging to as many as 400,000 of the app’s two million subscribers were plastered online, including location data, Apple IDs, password emails, text messages and payment information.
Facepalm no. 3 – earlier this week, a hacking group called Impact Team broke into adultery-themed dating site Ashley Madison and is threatening to release the customer records of its 37 million users. Despite the obvious need for higher privacy and security, the site’s conventional design, opined The Verge, “made a breach like this inevitable.”
Oh, Those Millennial Startups. When Will They Learn?
The list of companies that should know better goes on. Earlier this year, Slack, the chat and project planning app, lost customer phone numbers and email addresses to hackers. And last fall, users of the mobile messaging app Snapchat were red-faced to see 98,000 of their racy photos and videos posted online after a third-party (and since removed) site called snapsaved.com was hacked. (Ten months before that, a breach of Snapchat’s own servers leaked the account details of nearly five million users.)
Finally, there is WhatsApp, the mobile messaging app. The Electronic Frontier Foundation gave it one star out of five for protecting the privacy of customer data, the worst ranking on the EFF’s list of 24 major technology companies.
The common thread here? All of these companies are millennial startups, launched since the turn of the new century, and for some reason many of today’s startups treat customer security and privacy as an afterthought, not a priority. Strangely, some were even given ample prior warning by security experts, warnings they seemingly ignored. Snapchat, for instance, reportedly was warned twice in the months leading up to its first breach.
“This leak shows you they aren’t handling this correctly,” ACLU security researcher Chris Soghoian said about Snapchat to the Wall Street Journal at the time. “Granted, they’re much smaller than a Google or Twitter, but they just haven’t invested in security the way that they should.”
Considering the huge wads of cash many startups raise, it’s not lack of money that is preventing them from investing in security. Rather, it seems there is something about a culture focused on scaling up as fast as possible that leaves security a second-tier concern. These startups are not running through the checklist in whitepapers such as this one by the SANS Institute. I see four problems:
- Lack of concern for customer data. Does the startup prioritize security as much as marketing or customer growth? If it does, does it know how to hire the right experts to ensure security strong enough to protect its customers? As Kenneth Hartman, author of the whitepaper What Every Tech Startup Should Know About Security, Privacy and Compliance, writes, “Businesses that lack a mature information security program may experience security breaches, mishandle their customers’ personally identifiable information, or fail to meet compliance requirements.”
- Inability to keep pace with growth. Although startups often have very talented and eager people on board, those employees might not have enough experience to manage the security, compliance and privacy issues that come with growth. One software-as-a-service (SaaS) CEO told ZDNet last year that he estimated two-thirds of SaaS vendors have never done a third-party audit of their internal IT security. If a startup doesn’t understand its own security needs, can it understand yours? Research firm Gartner predicts IT professionals will “remain dissatisfied with SaaS contract language and protections that relate to security…As no consensus exists about how commitments to security services should be described contractually, most SaaS vendors choose to commit to as little as possible.” Gartner advises potential customers to require in writing from their SaaS provider “some form of service, such as protection from unauthorized access by third parties, annual certification to a security standard, and regular vulnerability testing.”
- Inherent instability. The very term “startup” says it all: these companies are focused on ramping up services to win investors and customers as fast as possible. They might be looking to be quickly swallowed up by another company for financial gain, so why should they bother with security? Or they might simply not have what it takes to withstand the competition and quickly fold. “Being a good cook doesn’t mean you will be a good restaurateur,” says Lisa Smith on why startups fail.
- Poor data backup and recovery services. In a 2013 Spiceworks study of IT pros, 45% of respondents said they had experienced data loss when using SaaS cloud apps, with a surprising 14% of those saying the loss was unrecoverable.
What Startups Can’t Offer
Startups can be fresh, exciting – and somewhat flimsy in the security arena. The one thing they can’t offer by definition is gravitas. Enterprises looking to minimize risk should choose a vendor with a proven track record in privacy and security. BlackBerry’s security-first heritage goes back three decades. It has more than 70 security certifications from governmental bodies, including the coveted Authority to Operate from the U.S. Department of Defense.
BlackBerry’s latest enterprise mobility management platform, BES 12, offers those rock-solid security and privacy features for smartphone fleets without sacrificing usability or cross-platform capabilities. With BlackBerry, security is in every thought, not an afterthought.
If you’d like to learn more about how you can address the latest threats to your enterprise’s security and privacy, you can download a free copy of our eBook, The Definitive Guide To Enterprise Mobile Security.