How to Decrease Cybersecurity Costs for a Start-up
by Bige Beşikci
It is an unwritten rule that cybersecurity in the current data-driven era is a must and a fundamental part of any entity. Investing in cybersecurity is crucial to safeguard the entity's digital assets; not investing in it may cause immense losses or disruption of operations in case of compromise. However, cybersecurity frameworks and measures can be ridiculously expensive for a start-up to build and maintain if not well planned for, because these measures need to be stable and deployed fast. Thus, it is not uncommon for a start-up to run into capital issues while adopting cybersecurity measures in its ecosystem. Unforeseen security integrations and regular security updates to patch newly found vulnerabilities add to this. This can become a serious problem for any start-up, as the budget is normally tight just to get the business up and running.
There are various cybersecurity costs that start-ups commonly face. Some of these costs are direct and others indirect. Direct costs may include monetary theft, compliance and regulatory fines, public relations and legal fees, system repair and remediation, identity theft repairs, and insurance premiums, among others. Indirect costs may include the loss of intellectual property, loss of clients or customers, business downtime, disruption of business operations, and damage to the company's reputation, brand, and credibility.
6 Things Every Start-up Must Do For Cybersecurity
Adopting and deploying the correct cybersecurity practices is one of the main ways to keep the budget and costs in check. In addition, having the right practices in place will allow the start-up to secure its digital assets and help it avoid, or at least minimize, the chances of incurring losses and experiencing cyber-attacks.
- Backups
Backups are a crucial aspect of ensuring the security and continuity of a business in the event of an attack. As someone who works in a cybersecurity company, I want to say that you should seriously consider backups if you are stuck deciding between security products and backups.
- Cybersecurity Awareness
Security awareness is a powerful way to avoid and reduce cyber-attacks. Make sure that the technologies you use are set up correctly. Also, knowing fundamental vulnerability and attack techniques will help protect you and your application against social engineering attacks.
- Simplify Vulnerability Notifications
Not everyone who looks for weaknesses in your application has bad intentions. Sometimes a white-hat cybersecurity expert finds critical vulnerabilities while using your application or performing minor tests. If such a user finds a vulnerability, you need to make it easy for them to report it to you. Otherwise, nobody will want to waste time reporting a vulnerability for you to fix, especially for free.
- Monitoring
Monitor your application's bugs constantly, especially the critical ones. Keep a record of your authorization and database errors. This will make it easier for you both to give support and to find problems much faster. Remember, cyber attackers regularly run automated scans against anything reachable on the internet. So, if you have a vulnerability, you want to know about it before anybody else does.
- Performing Vulnerability Scanning
A vulnerability scan is an automated process of proactively identifying application, network, and system security vulnerabilities. Cybersecurity experts perform it using automated tools.
A start-up may invest in vulnerability scanning, which is also a step in the penetration testing process, to identify vulnerabilities and ensure they get fixed before they are exploited. Vulnerability scanning should be performed regularly and after each major update.
- Performing Penetration Testing
Penetration testing is a controlled, simulated attack against an application or infrastructure whose sole purpose is to reveal the security posture of the organization or business. It is recommended that penetration testing be performed on your organization or business yearly or once every six months.
Penetration testing helps a start-up learn how to handle break-ins from attackers and determine whether the security policies in place are genuinely effective.
Here are cost estimates for the recommended cybersecurity actions that a start-up can invest in. These estimates vary with the platform, the tools used, the expert's or professional's charges, the complexity, and the type of assessment.
- Backups
If your start-up doesn't have strict confidentiality requirements, this is the easiest action for you. You can use the cloud storage services that Google, Yandex, and Apple offer for free. These tools also simplify collaborative file editing and file sharing.
However, don't forget to back up your critical data offline as well. Although data loss is unlikely with these huge services, there is a chance of losing access for various reasons.
If you want to back up a code base, GitHub or Bitbucket will be sufficient in the beginning. As a further step, you can rent a server with a one-click GitLab setup for $5-10/month. Whichever online cloud service you use, make sure its backup features are turned on.
Min. cost for backups: $0
- Cybersecurity Awareness
You need to follow the types of vulnerabilities in your systems, especially in third-party software, as they tend to be ignored. You risk severe problems if you do not update your security for a long time. You can look up published vulnerabilities in the technologies you use on the cvesearch website. Also search for hardening tips and "making secure" guides for the technologies you use. The blog sites below are good sources for learning about current attack techniques and new vulnerabilities.
Additionally, there are great cybersecurity groups on Reddit. Joining a few of them makes it easy to take a glance at current information.
Min. cost for cybersecurity awareness: $0
- Simplify Your Vulnerability Notifications
There is a proposed standard that allows websites to define security policies to simplify vulnerability notifications. By simply adding a security.txt file, you can explain to your users how and where to notify you in case of a vulnerability. If you create a "hall of fame" page, it might increase your chances of receiving more security notifications.
Apart from that, adding a section to your contact form or support page would make it easier for your users to notify you of vulnerabilities in your application.
Min. cost for vulnerability feedback: $0
- Monitoring
Set up alerts for errors in your queries, repeated authorization errors, or unfamiliar user-agents in your access logs. You can have the critical issues from both your application and its logs sent to you by defining a simple scheduled task (an HTTP 500 error code is one example, though even that depends on the application). Receiving error logs on a daily basis allows you to detect a problem very quickly.
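An added example (not from the article) of what such a scheduled task can compute: it parses constructed nginx/Apache combined-format access log lines and collects the three signals mentioned above, HTTP 5xx responses, clients with repeated 401/403 responses, and user-agents not in a baseline of ones you normally see. The log lines, the RFC 5737 example IPs and the KNOWN_USER_AGENTS baseline are constructed; sending the report by e-mail is left to your scheduler.

```python
import re
from collections import Counter

# nginx/Apache "combined" log format; the named groups are used by the report below
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample access log (not real traffic)
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2021:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/89.0"
203.0.113.9 - - [10/Mar/2021:10:00:02 +0000] "GET /admin HTTP/1.1" 403 12 "-" "python-requests/2.25.1"
203.0.113.9 - - [10/Mar/2021:10:00:03 +0000] "GET /admin/users HTTP/1.1" 403 12 "-" "python-requests/2.25.1"
203.0.113.9 - - [10/Mar/2021:10:00:04 +0000] "GET /api/export HTTP/1.1" 401 12 "-" "python-requests/2.25.1"
203.0.113.5 - - [10/Mar/2021:10:00:05 +0000] "POST /search HTTP/1.1" 500 0 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/89.0"
198.51.100.7 - - [10/Mar/2021:10:00:06 +0000] "GET /.env HTTP/1.1" 404 0 "-" "Mozilla/5.0 zgrab/0.x"
"""

# User-agents your application normally sees (constructed baseline; build yours from past logs)
KNOWN_USER_AGENTS = {"Mozilla/5.0 (Windows NT 10.0) Chrome/89.0"}

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in (LOG_RE.match(l) for l in text.splitlines()) if m]

def daily_report(text, auth_fail_threshold=3):
    """Summarise what the scheduled task should send out: server errors,
    clients with repeated 401/403 responses, and user-agents not in the baseline."""
    entries = parse_log(text)
    server_errors = [(e["method"], e["path"], e["status"])
                     for e in entries if e["status"].startswith("5")]
    auth_fails = Counter(e["ip"] for e in entries if e["status"] in ("401", "403"))
    repeated = {ip: n for ip, n in auth_fails.items() if n >= auth_fail_threshold}
    new_agents = Counter(e["ua"] for e in entries if e["ua"] not in KNOWN_USER_AGENTS)
    return {
        "server_errors": server_errors,
        "repeated_auth_failures": repeated,
        "new_user_agents": dict(new_agents),
    }

if __name__ == "__main__":
    print(daily_report(SAMPLE_LOG))
```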
If you deal with larger volumes of data, you can track your logs with services like https://logz.io/ or https://www.loggly.com/ for free, but the free tiers of these services have short retention times.
You can also use cloud services to deploy Elasticsearch. But unless you know exactly what you are doing, this may bring management costs and security issues.
Min. cost for monitoring: $0 for small-scale use, $25-$100 for small packages of logging services.
- Vulnerability Scanning
Even if you have a small team or capital problems, as every start-up does, you need to include vulnerability scanning in your deployment process in order to keep your users' trust. We are aware that this requires a budget allocation, but in our expert opinion it plays a big role as a precaution to reduce the risk of facing more significant losses in the future.
You can find a variety of vulnerability scanning tools online.
- Acunetix - SaaS that scans for 7000+ web vulnerabilities. Standard user fee $4500/year; premium user fee $7000 for 1-5 assets.
- Netsparker - SaaS that scans and crawls web vulnerabilities. You need to contact them for the fee. However, it will be more expensive than Acunetix.
- Burp Suite Pro - SaaS that crawls and scans web vulnerabilities for experienced users. $399/year per user.
- Nessus - SaaS that scans both system and web vulnerabilities. $3390/year.
- S4E-Equality - Thousands of vulnerability scanning tools, completely free. Web application vulnerability scanning will be released at the end of Q3 2021. You can ask for automatic vulnerability scanning of your web applications for a small fee.
- Zed Attack Proxy
- Nmap NSE Scripts
Although as professionals we use all of these tools (one may catch a vulnerability that another misses), free tools will be sufficient for your fundamental vulnerability scanning needs.
Min. cost for vulnerability scanning: $0
- Penetration Testing
Security tests contain both automated and manual processes, whereas vulnerability scanning is a purely automated process. During the tests, experts act like real attackers trying to get into your application. Security tests are performed by cybersecurity experts known as white-hat hackers, who will help you find the vulnerabilities in your start-up's application.
It is more comprehensive than vulnerability scanning and requires manual work, which is why it cannot be free. However, you can contact the organizations listed below that provide penetration testing services for your start-up.
- securityforeveryone.com: Performs mobile and web application pentesting. You can ask for the start-up discount.
- redscan.com: Performs web, mobile, and network penetration testing, as well as wireless network, social engineering, and firewall configuration tests.
- pentest-tools.com: Owns nine different certifications, and performs only web application penetration testing.
- netspi.com: Performs web, mobile, network, and cloud penetration testing. They stand out with their pentest-as-a-service offering.
- secureworks.com: Performs web, mobile, API penetration testing as well as red team tests and scenario-based penetration testing.
- cobalt.io: Performs web, mobile, desktop, API, and external network penetration testing.
Security is not an option but a necessity for every start-up and is crucial for business continuity. With the majority of devices and platforms having known vulnerabilities and automated hacking tools being freely available, attackers always have the upper hand in offensive security, hence the need to invest in defensive security from the word go. Additionally, a start-up should consider outsourcing security if it does not have an in-house cybersecurity response team.
About the Author
Bige Beşikci started her career as a marketing enthusiast. She now works with white-hat hackers at Security for Everyone, helping to make cybersecurity understandable, manageable and affordable.
This article was originally published at: https://pentestmag.com/product/pentest-latest-trends-in-iot-pentesting/