What departments a startup needs: What startups get wrong about security

You had a great idea that is somehow also making money, and you’ve decided to bootstrap it into a full-fledged company. Congrats, you have a startup. In today’s market, it seems like we are all being pushed to build, grow, and sell — over and over and over. It seems like there’s no time to think about anything else. If you’re not developing something that will directly contribute to the product’s success, it seems like a waste of time.

This is the mindset of today’s startup founder. It’s the mindset of many CTOs and engineers pushing development forward without meeting best practices, because “we can iterate on it later”. The hard truth is that “later” rarely ever comes. This is how bad operational security practices, and in the case of software companies vulnerable code, get baked into an otherwise great product.

Here’s another hard truth: not paying attention to security, right from the outset, drastically increases the odds of failure for your company. It’s been estimated that nearly 60% of small companies get hacked each year. What do you think it means to your client base when your product is hacked and their private data is stolen because of you? You could be facing massive losses of revenue and, even worse, lawsuits. That’s a surefire way to crumble the foundation of a fledgling company.

[Image: that sweet office space you just rented]

So what are you doing wrong? How can this be fixed so you never get hacked? Well, I have some bad news — you’re going to get hacked. It’s just a given. However, there are steps you can take to greatly minimize the effects of such an attack and protect your golden goose from slaughter.

It starts with a game plan

Repeat after me: “If I don’t have a plan, I’m a big stupid idiot”. Sorry, not sorry. If you don’t have an official security plan, you’re really just telling the universe “well, it’s up to you how things work out for me”. Take responsibility, and include the following concepts in your plan:

  • What tools/technologies are protecting my intellectual property?
  • Is the communication across my company secure?
  • In the case of software, are we checking every new development for best security practices? What sort of review process do we have?
  • How are we managing access to company assets?
  • What are we doing to train employees in security awareness?
  • How are we tracking the safety and security of our employees?

I don’t expect you to just know the answers to all of these right off the bat. You need to do your research, and speak to your team. Let’s go over some of the key points.

Using and keeping track of security tools

In general, it’s just good practice to require some kind of anti-virus software on employee machines, and to track the security patching of these machines to ensure they are up to date. On top of that, you may want to bring in other tools like password managers (KeePass and LastPass are popular choices; whichever you pick, roll it out to everyone so that shared credentials stop living in spreadsheets and chat messages). You may also want to require employees to install browser extensions to block unwanted scripts and tracking.

All of this is totally up to you; the important part is that you have some way of protecting your employees from common attacks, and that you are both requiring compliance across the company AND tracking who is compliant and who is not. Without accountability, people will nearly always choose the path of least effort.
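As an added example (not from the original article), here is the kind of compliance report the paragraph above asks for: a script that reads an endpoint inventory export and flags every machine that misses the policy, so “who is compliant” is a list you regenerate each week rather than a guess. The CSV columns, the sample rows and the policy thresholds are all assumptions constructed for the example; a real deployment would read them from whatever MDM or inventory tool is in use.

```python
"""Endpoint-compliance report. Added example; inventory format and policy values are assumed."""
import csv
import io
from datetime import date

# Policy values (assumptions for the example; tune them to your own plan).
MAX_PATCH_AGE_DAYS = 30

# Constructed sample export, in the shape an inventory/MDM tool might dump. Not real hosts.
SAMPLE_INVENTORY = """hostname,owner,last_patch,av_state,disk_encrypted,password_manager
lt-alice,alice,2020-05-28,enabled,yes,yes
lt-bob,bob,2020-03-01,enabled,yes,yes
lt-carol,carol,2020-06-01,disabled,no,yes
lt-dave,dave,2020-05-30,enabled,yes,no
"""


def evaluate_host(row, today):
    """Return the list of policy violations for one inventory row (empty list = compliant)."""
    problems = []
    patch_age = (today - date.fromisoformat(row["last_patch"])).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        problems.append(f"patches {patch_age} days old (limit {MAX_PATCH_AGE_DAYS})")
    if row["av_state"] != "enabled":
        problems.append(f"antivirus {row['av_state']}")
    if row["disk_encrypted"] != "yes":
        problems.append("disk not encrypted")
    if row["password_manager"] != "yes":
        problems.append("password manager missing")
    return problems


def compliance_report(inventory_csv, today_iso):
    """Map each non-compliant hostname to its violations; compliant hosts are omitted."""
    today = date.fromisoformat(today_iso)
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        problems = evaluate_host(row, today)
        if problems:
            report[row["hostname"]] = problems
    return report


def compliance_rate(inventory_csv, today_iso):
    """Fraction of hosts with no violations: the one number to put on a weekly dashboard."""
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    failing = compliance_report(inventory_csv, today_iso)
    return (len(rows) - len(failing)) / len(rows) if rows else 1.0


if __name__ == "__main__":
    for host, problems in sorted(compliance_report(SAMPLE_INVENTORY, "2020-06-05").items()):
        print(f"{host}: {'; '.join(problems)}")
    print(f"compliance rate: {compliance_rate(SAMPLE_INVENTORY, '2020-06-05'):.0%}")
```

The report names the owner-visible reason for each failure rather than a bare pass/fail, because the follow-up (“your patches are 96 days old”) is what actually gets machines fixed; the rate is what tells you whether the accountability loop is working at all.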

Keep communication secure

I always think of this one (nameless) client I had long ago when I bring this up to someone. I took on a security contract to pentest their product in black-box fashion (no access was given; it was completely blind from the outside). To discuss the specifics of the engagement and give daily reports, I was given access to their Slack workspace.

I quickly realized two things: there were public channels that should have been private, and some very important people were very cavalier with how they shared mission-critical information. Within about an hour, I had access to everything from production servers to vendors, and even banking information.

[Image: the client, presumably]

Moral of the story: communication should always be on a need-to-know basis. If someone doesn’t need to know, they shouldn’t have access.
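The two things I found in that workspace, secrets pasted into chat and those chats being readable by everyone, are both things you can check for mechanically. The following is an added example, not code from the original article: it scans an exported chat history for the kinds of material the story mentions and rates each hit by whether the channel is public. The export shape and the messages are constructed for the example (real Slack exports are JSON files per channel and day); the AWS access-key and Slack token prefixes are real documented formats, while the password pattern is a generic heuristic you would tune for your own workspace.

```python
"""Scan an exported chat history for secrets posted in the wrong place.
Added example; the export shape and the messages below are constructed."""
import json
import re

# What to look for. AWS access-key IDs start with AKIA; Slack tokens start with xoxb-/xoxp-/xoxa-.
# The password pattern is a heuristic and will produce some noise on a real workspace.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*\S+", re.IGNORECASE),
}

# Constructed sample export: a flattened, simplified shape with the channel's visibility
# attached to each message. Users, hosts and credentials are all made up.
SAMPLE_EXPORT = json.dumps([
    {"channel": "general", "is_private": False, "user": "U01CTO", "ts": "1590000000.000100",
     "text": "prod box is back, ssh root@10.0.0.5 password: Summer2020!"},
    {"channel": "general", "is_private": False, "user": "U02OPS", "ts": "1590000060.000200",
     "text": "new deploy key AKIAIOSFODNN7EXAMPLE for the backups bucket, fyi"},
    {"channel": "finance", "is_private": True, "user": "U03CFO", "ts": "1590000120.000300",
     "text": "vendor portal pwd = Acme$pay1, don't lose it"},
    {"channel": "random", "is_private": False, "user": "U04DEV", "ts": "1590000180.000400",
     "text": "lunch?"},
])


def scan_text(text):
    """Names of the patterns that match one message. The matched secrets themselves are
    deliberately not returned, so the report cannot become a second leak."""
    return [name for name, pattern in SECRET_PATTERNS.items() if pattern.search(text)]


def scan_export(export_json):
    """One finding per message that carries a secret. Severity is 'high' in a public channel,
    because there every workspace member (and any guest account) can read it."""
    findings = []
    for msg in json.loads(export_json):
        kinds = scan_text(msg.get("text", ""))
        if not kinds:
            continue
        findings.append({
            "channel": msg["channel"],
            "ts": msg["ts"],
            "user": msg["user"],
            "kinds": kinds,
            "severity": "medium" if msg.get("is_private") else "high",
        })
    return findings


if __name__ == "__main__":
    for f in scan_export(SAMPLE_EXPORT):
        print(f"[{f['severity']}] #{f['channel']} ts={f['ts']} user={f['user']}: {', '.join(f['kinds'])}")
```

Every hit, public or private, is a credential that now needs rotating; the severity only decides who you call first. Running this once over a full export is a cheap way to find out how much of the “need-to-know” rule your company is actually following.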

Security training is critical to success

I get it. You’ve never been hacked (that you know of) before, so why should you spend the time and resources on security training for your company? Obviously you’re doing OK, because nothing bad has happened. That’s like saying some guy without medical training is fine being a doctor because he hasn’t killed anyone.

[Image: anyone can buy scrubs online…]

Get your hands on some legitimate security awareness training and make participation mandatory. If you’re feeling really zealous, require a basic security certification from all employees as well as ongoing training. It might seem like overkill, but take a page from our armed forces — even the mess hall cook went to basic training. The company grows as a whole when the individual parts are strengthened.

If your company is more than a few people, consider implementing a phishing simulation program as well. You can set this up yourself; see my article on choosing the right platform to get started. Phishing has been one of the most common attack vectors for years and is only getting worse. Spending a little extra effort on this training will pay off.

Monitor the safety of your employees

I’m not saying that you need to track their every move, or install spy software on their machines, but you should at least be monitoring whose data gets leaked. One way to do this is to sign up for dark web monitoring. There are a number of companies that will help you track when your employees’ credentials get leaked (HailBytes is one such company). You can also keep tabs using resources like HaveIBeenPwned.

I don’t think I need to go into great detail why keeping track of your employees’ stolen credentials is a great idea. I’m sure your imagination is doing all of that for me. This is one cost that will continue to pay for itself in damages prevented.
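HaveIBeenPwned also covers the other half of this problem: not just which accounts turned up in a breach, but whether a password your people are choosing today is already in the breach corpus. As an added example (not from the original article), here is the check against its Pwned Passwords range API, written so that neither the password nor its full hash ever leaves the machine. The sample response body, the counts in it and the User-Agent string are constructed for the example; the prefix/suffix scheme and the `SUFFIX:COUNT` response format are how the real API works.

```python
"""Check a password against HaveIBeenPwned's Pwned Passwords range API without sending the
password or its full hash. Added example; the sample response body below is constructed."""
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"


def split_sha1(password):
    """Upper-case hex SHA-1 split into the 5-character prefix that is sent and the 35-character
    suffix that stays local. This is the k-anonymity scheme the range API is built on."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_body):
    """Occurrence count for the suffix in a 'SUFFIX:COUNT' response body, 0 if it is absent."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Live lookup over the network. Only the 5-character prefix leaves the machine."""
    req = urllib.request.Request(RANGE_API + prefix, headers={"User-Agent": "startup-security-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=fetch_range):
    """How many breached-password occurrences HIBP has for this password; 0 means not seen."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed response body for prefix 5BAA6 (the prefix of "password"). Real responses hold
# several hundred suffixes, and the counts here are illustrative, not HIBP's actual numbers.
SAMPLE_RANGE_5BAA6 = """1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
0123456789ABCDEF0123456789ABCDEF012:2
"""


def offline_fetch(prefix):
    """Stand-in for fetch_range so the example runs without network access."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "xK9#mQ2v!tL8wP4z"):
        n = pwned_count(candidate, fetch=offline_fetch)
        print(f"{candidate!r}: {'seen ' + str(n) + ' times' if n else 'not in the sample range'}")
```

Swap `offline_fetch` for the default `fetch_range` to query the live service. The natural place to call `pwned_count` is wherever passwords get set (account creation, password reset, the SSO provider’s policy hook), rejecting anything with a non-zero count; that turns “monitor whose data gets leaked” into “stop the leaked passwords being reused in the first place”.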

Finally

Just care. Take the time to plan ahead. Tell yourself that it’s ok to spend time and money on security. Treat security like any other resource you need to be successful. It’s just one of those things that you don’t need until you really, really do — and then it’s too late. Don’t be an idiot, be prepared.

Translated from: https://medium.com/swlh/what-startups-get-wrong-about-security-87cb427b35ce
