Google’s Information Security Manager Heather Adkins has a pretty good track record. The company was last hacked in 2009, that’s why Adkins had some good advice for startups in the audience at TechCrunch Disrupt SF.
“At some point in the history of your company, you’re probably going to get hacked. The question is not whether or not you’re going to get hacked, but are you ready?” Adkins said. “Are you going to be able to very quickly make decisions about what to do next?”
In other words, you need to think about your emergency strategy right now. Think about the ways you can protect your user data so that it’s useless if someone can access it.
And one of the reasons why you’re going to get hacked is because most technology companies rely on open source software. Hackers can use this opportunity to find 0-day vulnerabilities. It’s the reason why you should keep all your dependencies patched at all times.
“I think it’s the cost of doing business with open source software. The reality is that we have to stay on top of it,” Adkins said. “Even if you’re just two people in a garage, one of you need to be in charge of security, whether it’s part time as an IT person or as a lead software developer.”
“Rather than spending tons and tons of money on technology, put a little bit of money on talent and have them do nothing but patching.”
I delete all the love letters from my husband
At the same time, it doesn’t make sense to force all your employees to use a VPN to connect to your company’s network when they’re not at the office. What Adkins calls the enterprise castle no longer works.
“The idea of a VPN is anachronistic because you’re routing your traffic through a corporate VPN and then to the cloud,” she said. “The purpose of VPN originally was to create private networks, to create confidentiality between the end points and the server. And we can create this today with SSL. We use SSL to protect that, find that confidentiality capability.”
And of course, if you don’t need to keep data, don’t store it. Having healthy retention policies is important. Adkins also uses the same strategy for her own data. “I delete all the love letters from my husband,” she said.