How do you get over the fear of getting hacked?

I agree with most of the comments posted here.

Salted + hashed password storage, plus proper token management, is super important. Even if you get hacked, there's limited use if everything is encrypted properly.

That said, I think you're probably overthinking things. This seems like more of an excuse to not launch. Yes, at some point you'll need to invest in security. Doing so while you have 0 users and no product is counter productive.

Focus on building something useful, and marketing it. Once you actually have users, then it makes sense to invest in security. Right now, you're solving problems that you don't actually have, and it's preventing you from actually building.

Hi @gthodd!

First of all, as a professional who works a lot on high security tech, I would like to commend you on being afraid! The sad reality is, the majority of business owners make security an afterthought, usually only ever addressing it after it's too late. So the first thing I would say is, don't feel bad for having this fear.

The fear is just your gut telling you that you don't actually have a handle on the level of risk your business has, but you know the cost is high! This is a great instinct.

The second thing I'll say is potentially not great news — there is a good chance that your system is not configured ideally. Truthfully, most are not. On a positive note, it's relatively easy to get up to banking / government level security, or at least to employ many of the same methods, where they are reasonable.

That being said, while most aren't up to that standard, many also rarely face issues. It really comes down to how much of a potential target your business is. That can be determined by a number of factors, including the potential value of compromise to am attacker and the the overall exposure to the public (popularity of the product).

But, even when small, it's always best to ensure that you get the security part right up front!

Fortunately, there are things you can do to help mitigate risk. Namely, I suggest that you bring in professional help! These are my recommendations:

1. Get a Pentest

First step would be to get a penetration test. The cheapest route would be to go with the route where you give them the full detail of your network and setup. This is also the route I would recommend. You can usually get these done for $1-4k.

2. Get Insurance

If you don't already have this, it's a good idea to look into the different types of business insurance. There are some that specifically cover these sorts of scenarios. While it can't cover a hurt reputation, it can cover you financially, and many can bounce back.

3. Get a full code-audit from security professionals

This is a little more expensive. At my firm, it's generally around $10-20k, depending on the size. We add a pentest in as well.

Whoever you go with, make sure you get someone who understandings banking, government, and/or fintech level security who can help you tune up your setup. There aren't many who understand this well, so definitely do your research and make sure you're comfortable they know what they're doing before moving forward.

If you can afford it, this is the step that's going to really assuage your fears, as you'd be closing all potential holes and configuring the system to block any potential future issues in dependencies, etc. by limiting the scope of their potential access.

You'd be surprised at the risk reduction that can be gained by switching to separate, isolated containers for things like DB & webheads. There's a lot that can be done with proper firewall configuration and techniques like port knocking as well.

In any case, this message is long enough! I wish you luck with your business!

Code injections - Filter all code in textbox, For exemple if you name a textbox to collect First Name, block all users who enter things like: <script> and allow only characters between [a-z and A-Z] all other characters aren't allowed. This will protect agains XSS and SQL injections. Also consider DOM attack and URL base attack

DDOS - Configure a web application firewall like Cloudflare (offer a free version too), that filter attackers from real users.

Trafic encryption:

1. If not already made setup an SSL certificate for encrypt your trafic Cloudflare can help you with it.
2. Setup a HSTS to your Web Server.
3. Redirect all HTTP --> HTTPS .
4. User SSH to your server connections SFTP instead of FTP.

Operating System :

1. Host your website on linux based OS instead of Windows server if not already done.
2. Setup an Auto update of your server and update your Server, Web Server (Apache/NGINX), bootstrap, wordpress, PHP.

Disaster Recovery - Just to be safe keep at least one offline backup of your software code in a usb key or Hard Drive.

Keep tack of visitors - Save their IP address, User Agent, or even better browser-fingerprint. Block IP with high frauds score and block visitors who use TOR Browser, TOR Browser is use by experimented hackers.

Think about the consequences of a hack. What CX data would be exposed? If you're hosting private crypto keys, that could be very, very bad - $ at stake. If emails get exposed, that's a lot less bad. If you can't handle hosting sensitive data, then don't collect it. You don't even have to store all that sensitive CX data really to run many online businesses. A lot of the really sensitive stuff, like Credit Cards #'s, can be outsourced to 3rd parties who deal with it.

Also for a CRM, maybe you could let the CX host it on a license? If you feel that a hosted CRM would be too big of a target.

Read up on security, reduce your attack surface. try to be good and not piss hax0r off.

If someone wants to attack you, it's very difficult to do anything. That said, if you go with a good cloud provider, they have all the security tools to help you (given fee of course). So when you grow, you know you have good backup. Another reason why I prefer Azure.

Implement best practices when it comes to storing passwords -- it's a solved problem in every language. Implement SSL properly. Beyond that, your work PC should use entirely different password managers + emails/credentials than your personal PC.

Read up on security! It requires constant upkeep, that's why it's expensive!

BUT, you can make it VERY hard to leak info by only ever transmitting the required information and never more.

For example, when I fail a login. the browser doesn't need to know if the user exists or not, only that it failed.

When I look select a user on your CRM, I should receive data for that user only from the back-end. I should not receive ALL users and then the front-end filters the correct one.

Do not roll your own authentication solution. Just pay for a well-managed solution. Ideally it uses JWT or something along those lines. Always, always verify the token on the backend before returning any data. For each request.

Yes, it's tough to manage. But when it's architected well, it should be very hard to write code that leaks data.

Source: I used to work in authentication/authorization and processed millions of requests per day.

Caveat: Read more than just my post. Best practices are always evolving. If you're dealing with PII, consider potential legal issues as well and whether you legally require an auditing process and system.