The Internet has experienced an epic set of attacks over the last few months. This has ranged from massive compromises such as Sony’s PlayStation Network to the smaller but potentially equally impactful breach of Mt. Gox (a bitcoin exchange that is still trying to recover). The affected entities have included both companies and governments, as in the recent hack of the CIA’s web site. It would be naive to believe that groups such as Anonymous or LulzSec will go away easily or, even if they did, would not be replaced by others. In addition, there are meaningful security threats from ruthless competitors (or individuals at those competitors) and from (quasi-)government entities.
So unless we dramatically restrict the Internet, which would be a terrible idea, we will have to assume that someone will be attacking. That means security should be a board-level issue for companies just as much as financing risk. How should a board approach this? Here are some of the key questions that I believe every board should ask of management:
Who owns security inside the company? How qualified are they? If the answer is nobody or not qualified, then the company needs to get outside help quickly and add this to the recruiting plan.
Has an external security audit been performed? If so, what critical vulnerabilities have been identified and when will those be closed? If not, when will it be performed?
Even prior to or without an audit, does the company adhere to some minimal security practices? My personal short list: password storage (one-way salted hashes), strong passwords for admin systems (ideally two-factor auth), HTTPS-only for all admin systems (to prevent hijacking of admin sessions over Wi-Fi), rigorous input sanitizing (to guard against XSS and SQL injection attacks), DDoS preparedness.
I am writing this post in part to remind myself as a board member to go over these issues. Most startups have so many things going on that security could be perennially below the cutoff on the priority list of board topics. The last few months have made it clear that we cannot afford that going forward.
Would love to hear from other board members and from startup teams what they are doing re security!