How to protect my startup from bots or hacks?

10 June 2022 · Updated 07 July 2022
Question

I'm a non-technical indie founder and just built my first startup with a technical co-founder. I'd like to improve our security, but I'm not sure how I should protect the company so we don't get scammed out of our money or, worse, expose client data. Any advice?

Answer

When you’re a tech startup, one of the first things you’ll want to do is make sure your business is protected. There are plenty of bad actors out there that will try to access your company data, so it’s important to know how to keep them out!

First of all, I highly recommend putting a proxy with built-in firewall functionality in front of your application; it can be either Cloudflare or Google Cloud Armor. Cloudflare makes it easy, while Cloud Armor is the better fit once you've reached the point where you need to take it more seriously with custom application firewall rules.

You can also use the proxy to hide your real server IP, which makes it harder for attackers to reach your origin directly. There are a lot of contractors who can set up proper VPNs and security rules for you. Most of these setups are set-once-and-forget, so invest some $$ at the start.

Wherever you have a contact form on your website, use Google reCAPTCHA or Akismet to protect it from spam. You can't imagine how fast you're gonna get spammed with viagra, pharma, and crypto stuff if you leave a form unprotected. And never allow sending emails to other users with arbitrary content inside them: these are the juiciest targets for spammers, and they'll add you to their list of "allows spam" websites.

Instruct your team members that if they receive an email from you asking them to perform a quick task and to reply for more details, it is highly likely a scam attempt, and they should always double-check the validity of the email contents.
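The "email from the founder asking for a quick favour" pattern described above can be partly caught automatically before it reaches an inbox. The following is an added example (not code from the original answer) of two simple mail-filter checks: a message whose display name matches a known executive but whose address is not the executive's, and a message whose Reply-To domain differs from its From domain. The company domain, the executive list and the two sample messages are all constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed company data for this example (hypothetical).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"Jane Founder": "jane@example.com"}


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def flag_impersonation(raw_message: str,
                       executives: dict = EXECUTIVES) -> list:
    """Return the reasons a message looks like executive impersonation.

    An empty list means none of the checks fired. Two checks are applied:
    1. display-name impersonation: the From display name is a known
       executive, but the From address is not that executive's address;
    2. Reply-To mismatch: replies would go to a different domain than the
       one the message claims to come from.
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reasons = []

    known_addr = executives.get(from_name.strip())
    if known_addr and from_addr.lower() != known_addr.lower():
        reasons.append(f"display name '{from_name}' is a known executive "
                       f"but the address is {from_addr}")

    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        reasons.append(f"Reply-To domain {domain_of(reply_addr)} differs "
                       f"from From domain {domain_of(from_addr)}")
    return reasons


# Constructed sample messages (not real mail).
SUSPICIOUS = """From: Jane Founder <jane.founder@mail-example.net>
Reply-To: Jane Founder <ceo.urgent@freemail.example.org>
To: dev@example.com
Subject: quick task

Are you at your desk? Reply and I'll send the details.
"""

LEGITIMATE = """From: Jane Founder <jane@example.com>
To: dev@example.com
Subject: standup

See you at 10.
"""
```

Run as a filter on incoming mail, a non-empty result is a reason to add a visible warning banner or route the message for review rather than to silently drop it.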

Make sure all of your employees understand their role in keeping the company data safe: run security training sessions in which they learn how to spot suspicious activity, be it social engineering or phishing websites. This way, everyone will be able to identify potential threats before any damage is done.

Don't install any weird software from random sources. If you're on a Mac, always install stuff from the App Store only, and if you're asked to allow a package to make changes to your system, be really careful when allowing that.

Use a Password Manager like 1Password or any other. This helps with having a unique password on every site.

2FA everything. This will save your ass when someone decides to get into one of your accounts. From email to GCloud to Slack, everything needs to be protected with two-factor authentication.

Backups are super important. No database should ever be running unless there’s a backup process running alongside it. If you’re using cloud databases – turn on the point-in-time restoration option and save at least 2 weeks’ worth of backups.

Order a pen test. If you want to test how secure your web app is, you can go to any cyber security firm and order a penetration test. It usually costs from 5,000 USD to 15,000 USD depending on how many services you have.

These are the low-hanging fruits of how you can protect your company. Add some more if you have any, I might edit this answer later.

Hot! For the last couple of years I've been writing about the CTO / Tech lead job. I've compiled all my knowledge into a printable PDF. I called it "256 Pages of No Bullshit Guide for CTOs". So if you're interested, take a look.

New! If you're a software engineer looking for a job, I started a Roast my Resume service, where I record a personalized video of me "roasting" your CV, which basically means taking a hard look at your resume as a CTO and commenting on all the good and the bad parts.

  • Seb

    Honestly, lots of startups ignore basic employee training for cyber security, thinking all the fancy tech will cover them. Big mistake. Simple mistakes by team members can open up huge risks. Also, do regular checks with outside experts to find the holes in your setup. And don't just set it and forget it; keep updating your security measures. Chatting with folks in online security forums can also give you a heads-up on new threats lurking around.