Startup Companies and Web Security
When you talk to enterprise companies with several years of experience, they probably know very well how important web security is. Even if they haven't experienced a security breach themselves, at least they have heard about other companies suffering data leaks and breaches. So I'm not talking to them in this post; they should already have learnt the importance of IT security.
But when it comes to startup companies, they often don't even know about IT security. A lot of them don't care about it and never take it seriously; you hear responses like:
* We don't have anything yet, we just haven't built anything yet.
* What's the worst-case scenario? Someone hacks our website and replaces its front page with "Hacked by..."? Who cares? That's not a big deal, we'll fix it the next morning.
* We don't have money to invest in it.
* We are not an IT company, we'll just set up a website and an email server, and we really don't use them much.
* and so on...
But let me tell you something: you are just plain wrong.
I'll try to explain each point separately:
* When you say you don't have anything important yet, note your own word: "yet". A hacker may get access to your computers in the very early days, maybe just for fun or to add a few more bots to a botnet, but he can keep that access for a really long time.
* When you say it's just a website, that a hacker will change the front page to some "Hacked by...." text and you'll fix it the next morning, you are talking about script kiddies, not hackers. Hackers will get access to your "not-so-important" website, and since you are a new startup without much network traffic, they'll place exploit code in it. The next morning one of your employees or your webmaster will take a look at the website, and when he opens it his computer will be infected with the hacker's malware. The rest is a domino effect: from that employee's computer the hacker gets access to other computers, to your databases, to your production and development machines, and so on...
* When you say you don't have money to invest in IT security, I should say again that this is wrong. First of all, it's not really expensive; below I'll explain the first steps for securing your network and you'll see it's almost free. Secondly, if you don't secure your infrastructure, you can lose all your investment and all the secrets behind your hard-won achievements in the blink of an eye!
* When you say you are not an IT company, that's right, but nowadays every company has a website and email. Imagine someone steals all your company information (customers, development sketches, outsourcing-related information, business ideas, funding-related documents, ...), all of which somehow exists in emails. How can you recover from that? Also, as I explained above, a hacker could gain access to your internal network by infecting your website, and a single visit from your network to your "not-important" company website would be enough to own your private network.
You can take care of this problem by following a few steps:
1) First of all, stay away as much as you can from anything shared. Shared hosting, shared mail server, shared database server, etc.: not at all! Just stay away from it. A dedicated hacker can easily infiltrate the server through another customer on the same hosting you are using and gain access to your files. Just take a look at the recent vulnerability in Apache: hackers or even script kiddies were able to use a symlink vulnerability to read files from other users' web folders. A lot of hosting providers are still vulnerable to this very same issue, and there could also be 0-days in the hands of dedicated hackers for this purpose. Just pay a few extra bucks a month and get a VPS.
2) Do not connect your VPS or your web server directly to your development network. Separate internet-facing servers from the internal company network. If you can, use an online VPS host instead of hosting your website in your company network; if you can't do that, do your best to separate the two networks. It can cause some difficulties and delays in work (for example, having employees update website data from a separate network is a hassle), but trust me, it is worth the effort.
3) Keep your software updated regularly. If you are using Acrobat Reader, keep it up to date; if you are using Windows, always update it and use some antivirus. Do not open any external file on internal-network computers; antivirus cannot do magic. It is basically a signature scanner with some heuristics, and no one should expect magic from it. When there is a 0-day with encoded and/or encrypted shellcode, antivirus simply cannot detect it. So, simply, do not trust files, and do not open any file coming from an external source inside the internal network.
4) Use secure web applications for your website. First of all, if you are not going to use and update your website very often, do not use any sort of dynamic website; stay away from PHP, ASP, ASP.NET, etc. Just use plain HTML on a plain, up-to-date Linux box with only port 80 open to serve the HTML files. But if you need a dynamic website, use a secure CMS, like a well-hardened Drupal without unnecessary modules installed. If you don't have a programmer who understands web security very well (SQL injection, file inclusion and file upload security), just don't use a CMS written by an employee. A lot of web programmers are not aware of web security concepts, so their code will have some sort of vulnerability somewhere.
5) Go for *nix (Linux, OS X, FreeBSD, Solaris, AIX, etc.) as much as possible.
6) Encrypt all important backups, databases and files you have. You can use free disk encryption tools like TrueCrypt or commercial tools like PGP, but just use one.
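As an added example (my own code, not part of the original post), here is a small Python sketch of two of the defects step 4 names: a SQL injection beside its parameterised fix, and an upload filename allowlist. The in-memory sqlite table, its two rows and the allowlist pattern are constructed for this illustration.

```python
import re
import sqlite3

def build_db():
    # Constructed sample data standing in for a startup's user table (in-memory).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return con

def lookup_unsafe(con, name):
    # The defect: the visitor's input is pasted into the SQL text, so it can
    # rewrite the query instead of merely being compared against it.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()

def lookup_safe(con, name):
    # The fix: a bound parameter. The driver passes the value out of band, so
    # whatever the visitor typed is only ever a string to compare, never SQL.
    return con.execute("SELECT name, email FROM users WHERE name = ?",
                       (name,)).fetchall()

# Hypothetical allowlist for an upload form: simple base name, one extension,
# only the document/image types the site actually needs.
UPLOAD_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(png|jpg|pdf)")

def accept_upload(filename):
    # fullmatch rejects directory separators, double extensions such as
    # "x.php.png" and server-side script types in one check.
    return UPLOAD_NAME.fullmatch(filename) is not None

def self_check():
    # True when the safe lookup treats the crafted input as a plain (unmatched)
    # name while the unsafe one turns it into "match every row".
    con = build_db()
    crafted = "x' OR '1'='1"
    return (len(lookup_unsafe(con, crafted)) == 2
            and lookup_safe(con, crafted) == []
            and lookup_safe(con, "alice") == [("alice", "alice@example.com")])

if __name__ == "__main__":
    print("self-check passed" if self_check() else "self-check FAILED")
```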
These are my initial suggestions; you can also hire a good penetration tester to check your network and website to make sure they are secure.
But the main idea is: never underestimate IT security, even if you think you don't use the web very often or you think you just don't need it. A chain is only as strong as its weakest link, and you can lose all your hard work to someone sitting behind a computer somewhere far away from you. Take IT security seriously and never underestimate it.