Information security expert. International experience across multiple businesses from fintech to healthcare. Giving expert advice in matters of information security and privacy: Ethical Hacking, Cybersecurity, Vulnerability Assessments, Penetration Testing, Disaster Recovery Plans, Data Breaches, Cloud Security (AWS/GCP), GDPR compliance, cryptocurrencies and other related topics.
You would need to expand on your question, but assuming you're building a new business and you want to have individual logins for each employee as opposed to shared credentials, that's a definite yes. Shared credentials should be avoided, if not banned, unless needed for very special cases. This is part of the very basic security guidelines nowadays.
It should be part of your Information Security Policy.
Safety and security are defined differently around the world. If I were to rank secure sites, I would check whether they meet, for example, the Mozilla privacy and security standards (https://foundation.mozilla.org/en/privacynotincluded/about/methodology/).
Ideally, I would like to see that they have security certifications (ISO27001, SOC2 Type 2, etc.), a bug bounty programme or some sort of third-party verification (pentesting, daily vulnerability scans, etc.).
There are many criteria that can be applied, so if you don't want to do the checks yourself (or have an advisor to do it), perhaps you can rely on certifications if they're available.
Of course Stack Overflow, what would be the modern programming without it?
For a small/medium-sized project WordPress might be acceptable. However, if you plan to scale up and expect a lot of traffic, it will be quite difficult to keep up.
Security of WP has improved in recent years; however, it still relies on PHP, one of the languages that has historically suffered from prevalent security issues.
Scalability will be difficult at some point; you will need professional infrastructure to keep a lot of transactions and other operations running smoothly. I would recommend researching dedicated eCommerce platforms; remember that WordPress was originally conceived as a blogging platform.
GoDaddy is definitely not the best option for hosting, not even for keeping your domain!
I'd recommend getting a reputable hosting company, preferably not using shared hosting. You can check out Google Cloud Platform or Amazon Web Services, which will scale up with your needs.
Of course, the first part of the process is to identify which personal information you are holding and for what purpose.
Based on that, you'll have to do an impact assessment and map where all that info is going (I assume you use third parties like Google Apps or Dropbox). You need to collect Data Protection Agreements, which should cover GDPR, and of course update your privacy policy.
On the technical side, you need to have appropriate security for protecting such information (such as using encryption on your laptop, or making sure you have "https" on your site when submitting information).
The process is, of course, longer than that, but that gives you an idea. Depending on your size, it would be a good idea to bring in an external consultant to help you with the process. The UK ICO has good information about what you have to do.
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Please also consider whether the solutions architect has good knowledge of best security practices (or at least some working knowledge and is able to find what's needed). The last thing you want is to have security gaps that might kill your startup with a security breach. Cross-platform apps might be tricky, and interacting with external third parties might leave you exposed to unwanted threats. Correctly managed, these potential security breaches might be greatly reduced.
Hi,
I work in the security and privacy business in Europe and I can tell you a bit more about point d. You need to make sure you're also bringing in an expert in compliance, depending on your jurisdiction (e.g. HIPAA). You might need expert advice to know if you're doing enough to protect private information from patients. A lawyer might have good knowledge of the regulations; however, a technical expert will also tell you if your measures are enough or if you're falling short and possibly liable.
If you're going to do business with Europe to any extent, remember that we do have quite strict guidelines about privacy and it is your responsibility to adequately protect patients' information.
After working quite a few years in engineering, I can definitely recommend bringing in an expert who acts as your CTO and will help you grow a reliable team. She/he will be able to advise you on the best option for growing a team. Make sure this person has the correct balance of experience in a similar project and is someone who can understand your business requirements.
This expert will also help you find other experts you might need to get you where you want to be, or hire permanent employees if that's the best option. When you're ready to get your IT security policy as well, then drop me a line; we work with a variety of small-medium businesses that sometimes have very little knowledge of this area.
Data security and privacy controls are things to consider carefully. Depending on the jurisdiction you fall in, there can even be legislation that you need to follow (e.g. HIPAA).
Having strong data protection and a clear privacy statement is not only good for your peace of mind, it also demonstrates that you care about your customers' data and sets you apart from other healthcare businesses. Here in Europe there are strong directives for protecting personally identifiable data, and especially anything related to healthcare.