The hack attack
The exploits of groups like Anonymous and Lulzsec attacking big corporations and intelligence agencies have demonstrated the importance of high-level security, but the Distribute IT scandal highlighted the fact that start-ups are also at risk.
A malicious attack by hackers forced the company offline and eventually the data of a large number of customers was lost because Distribute IT had poor backup facilities.
It raised a number of worrying questions for start-ups. Could it happen again? Are start-ups more at risk than larger firms? And what are the main ways that start-ups are vulnerable to losing data?
Distribute IT not a one-off
While thousands of businesses were brought to a standstill because of the Distribute IT backup failure, local start-up RecruitLoop suffered a similar fate with another host provider.
RecruitLoop is a web-based recruiting system and founder Michael Overell says the application was offline for two days because its hosting provider experienced a server crash.
He admits it was lucky the product was only in beta at the time so there was a limited impact on customers, but the outage meant that some parts of the code had to be completely re-written.
“We fortunately didn't lose any data, but were offline for an unacceptable period. It's lucky we were still in beta,” Overell says.
The business has fully recovered from the ordeal – the full version was recently launched – but the experience forced the fledgling company to completely revisit its backup solutions and processes, including daily off-site backups.
“We’re investing much more time and dollars into a robust solution,” says Overell. “We have also fully simulated a crash and backup situation. The lesson is that it's an ongoing process, not just a one-off activity.”
“We invested more money than originally planned on network and data security. We implemented daily offsite backups, so that our data is securely stored independent of our hosting provider.”
Yes, this could happen to you
This incident is a pretty typical example of the start-up mentality that “it won’t happen to me”.
Despite being bombarded with stories about hacking attacks and outages, the problem is actually under-reported, according to Drazen Drazic, CEO of specialist security consultancy firm Securus Global.
“They’re happening all the time to various degrees of impact to organisations,” Drazic says.
“What you read in the press is the tip of the iceberg to what we see out there. The scary thing is that many organisations don’t even know they’ve been attacked or compromised.”
While he said that start-ups aren’t on the radar of hackers, he said that it does happen, and a start-up has more to lose because the impact of a “random” attack could pretty much ruin the reputation of a new venture.
“Ostrich Risk Management”
The reason that most start-ups are vulnerable is because they have their head-in-the-sand when it comes to security, according to Donal O’Duibhir director of Nodecity, a network and security consultancy that helps socially minded businesses and start-ups.
“Many entities both large and small employ a placebo form of 'Ostrich Risk Management' when dealing with uncertainty,” according to O’Duibhir, who has spent the past 10 years in security, network and technology risk management teams for global multinationals.
“The nature of networked devices and humans is that there will always be an attack of some sort and as such, a high impact event tied with a low probability is always possible.”
This high-impact, low-probability event was what happened in the case of the Distribute IT attack, according to Patrick Gray, founder of security media publication Risky Business.
This type of attack will probably happen again, he says, and it won’t just affect internet-based businesses but also SMEs and start-ups that rely heavily on technology.
“The only reason the hack made the news in such a spectacular way was the company's apparent lack of a decent disaster recovery plan,” Gray says.
“There were gaps in its offline backup regime that meant some customer data was simply wiped off the face of the internet.”
“You’re nuts if you don’t have offline backup”
Business owners need to take responsibility for their own data and can’t rely on online backup systems and service providers.
Offline backup is a must and should be performed daily, Gray says.
“Do automatic, daily online backups. If possible, do offline backups daily, and make sure you're physically removing some of these backups to offsite locations.
“It's a pain in the neck but you'll thank your lucky stars you bothered if your office burns down one day.”
O’Duibhir says that there should be a three-way data rule: a local live, a local backup and most importantly an off-site backup must exist.
“A successful backup does not guarantee a valid nor integral restore,” he advises. “Test for both.”
Define proper service level agreements
One way to optimise for failure is to identify and test the minimum level of service that you can afford to provide customers and the system failure scenarios the businesses can tolerate, according to Nodecity’s O’Duibhir.
This applies to your own systems used to service customers as well as using services from other providers such as Amazon, he says.
“Expending some time and energy writing down and testing for certain data and system failure scenarios helps solidify what metrics, service levels and tolerances you actually can operate within.”
“This facilitates confident communication of SLA's to customers and kinks to be ironed out in a wide range of manual and automated processes.
“Have you engineered correctly around an Amazon failure and what is an acceptable outage or loss of data to your business and customers?”
Optimise for success, not failure
In this age of rapid development, deployment and iteration to release sexy applications and web services, start-ups often overlook security, where it is hard to quantify the benefits and measure the impact.
O’Duibhir says: “The entrepreneurial mindset tends toward the trusting of technology and is combined with rapid prototyping which leaves little room for things like effective change management, good security practice and an operational mindset.”
He says that businesses need to start optimising for failure, as well as success.
“It comes down to the challenges of risk management, good engineering and data valuation.
“Fortunately, or unfortunately, there is a tipping point when enough value is potentially exposed or vulnerable to exploitation, especially by sentient attackers, that everyone’s game must be raised.”
- Hire techs with demonstrated experience in dealing with failure scenarios. Both systems and humans should fail well.
- Automate daily, offline backups. Define and practice good backup, disaster recovery and business continuity planning.
- Understand your assets, risk profile and attack surface.
- Contact AUSCERT and/or the AFP's High Tech Crime Unit if you believe a crime has been committed.
- Define proper service level agreements for your customers as well as your suppliers.