Two Dutch startups have obtained a new type of information security certification. Restaurant bill splitting app Tabster and educational software company SOWISO have passed the Security Verified review. This is the first information security standard that is suitable for smaller organisations and helps these startups to gain trust from consumers and large customers.
Why information security for startups
Many startups handle information in innovative ways. SOWISO has a smart platform for learning mathematics and must keep track of student progress. Tabster allows people to order drinks and split bills online, and thus keeps track of payments. Both companies receive questions from business partners about how they handle and secure sensitive information. For startups, providing evidence that information security is handled well can be challenging. Most startups only have a small team, and producing all documentation that traditional certification requires is a significant overhead. There was thus a need for a more practical standard, and Security Verified was designed to meet this need.
SOWISO: Educational technology
For SOWISO, having a policy in place is important to protect the privacy of students. “In the whole education sector, protecting personal data is becoming more important,” says Max Cohen, CTO at SOWISO. “With the increase of digital learning environments, such as our platform, more data about individual students is available. This data must be protected and we are not surprised that universities ask for our security credentials when deciding to use our platform. Getting a security certificate is just one step. We intend to have regular tests and independent reviews to keep all information secure.”
Tabster: retail convenience
For Tabster, information security is similarly important. “Our app needs to know what people ordered so that everyone can pay their share. Users thus need to know that the app is secure. Bar owners need to know that our infrastructure can be trusted,” according to security officer Pieter Paul van den Hoven. Certification is only the first step in the overall plan: “We need to make sure that we apply the principles of security by design and privacy design.” For Tabster this means the whole staff has been involved in the information security approach. “The infused team manages the process, but everyone is responsible for protecting our customers.”
Security Verified initiative
The Security Verified information security approach has been developed by ICT Institute, a startup-like consultancy firm in Amsterdam. (Full disclosure: The company is co-founded by the author, one of the founders of StartupJuncture.) The standard uses the best ideas from existing standards such as SANS, OWASP and ISO 27001. By making a new standard, we could make improvements to make the standard independently verifiable and usable for smaller organisations. The main elements of the standard are open source (under Creative Commons) and available online via securityverified.nl. Other experts can use the standard as well, contribute ideas and help develop this standard. For example, innovative services by startups such as Hackerone, Redsocks or Zerocopter can be included once enough experts agree that such a service boosts overall security.
The ultimate goal for the standard is not just to prevent hacks and fix security issues. It should make it easier to do business in the Netherlands. Checking that a startup protects your data is a lot easier with a standard like Security Verified. The public register where all verified organisations are listed is an important step and hopefully helps startups gain trust and customers.