Startups really aren’t that different from traditional small businesses when it comes to cyber security. Like small businesses, startups tend to feel they’re ‘too small’ to be a target. And, like small businesses, the perception (whether or not it matches reality) is that startups aren’t prepared for an attack and are, therefore, an attractive one.
The combination of limited financial resources and increasingly sophisticated attacks puts startups at real risk. In addition, many startups sit in the supply chain of large enterprises, which makes them a small fish that attackers use as a route to much larger prey.
Today, there’s no such thing as ‘too small’ to be attacked.
Statistics from Small Businesses
Looking at statistics from small businesses can give us an insight into startup vulnerability and the impact of an attack:
- According to the 2017 Verizon Data Breach Investigations Report, 61% of breach victims were businesses with fewer than 1,000 employees, up from the previous year’s 53%.
- The National Cyber Security Alliance found that 60% of small companies are unable to sustain their businesses over six months after a cyber attack.
This last statistic is borne out by the following three examples of startup security failures:
- Code Spaces, a SaaS startup based in Coventry, UK, was hit by a DDoS extortion attempt; the attacker also gained access to the company’s AWS control panel and deleted most of its data and backups, and the company was forced to shut down.
- MyBizHomepage was the victim of an insider attack that compromised the company’s backup data and caused the company to go out of business.
- Onlyhonest.com, an online platform for voicing political opinion, was reportedly targeted by well-known “hacktivists”. The site is no longer operational.
Motives, Weapons, and Aftermath
Attackers want money, want to make a statement, or act to advance a national interest. Their tools include ransomware, other malware, social engineering, and more.
Today, the data you store is an increasingly popular target. Your startup almost certainly stores at least one of the following types of valuable data:
- Personally identifiable information of your employees or customers
- Protected health information of patients
- Intellectual property
- Merger, acquisition, or IPO information
- Bank account or credit card information
Even if your startup manages to survive an attack, the cost of surviving – recovery operations, legal fees, customer churn, and reputation damage – can be enormous. Given the number of data breaches making the headlines – and the outcry from those affected – these costs will only rise. Governments worldwide are increasing scrutiny – and fines – after a data breach. The EU’s General Data Protection Regulation (GDPR) applies from May 2018 to every organization that holds personal data of EU residents, with the potential for large fines in the event of a breach.
When it comes to data breaches, you can’t protect what you don’t know about. That’s why the first step in data protection should be a data assessment. Ask yourself:
- What valuable data do we store? Remember, this is everything from personally identifiable information, protected health information, employee data, bank/credit card information to IP and IPO plans.
- Do the right people have access to this data?
- How do we prioritize this data based on risk if it’s lost?
- Are we properly allocating dollars based on the risk?
- What is our response plan in the event of a data breach?
- Finally, are we collecting more data than we actually need?
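The first question above, what valuable data do we actually hold, is the one a script can help answer. The following data-discovery scan is an added example and not code from the original article: it walks a few constructed sample “data stores” (an in-memory stand-in for files, exports and database dumps), looks for e-mail addresses, US Social Security numbers and payment card numbers (candidates are confirmed with a Luhn check so that arbitrary digit runs are not reported), and assigns each store a risk tier so the results can drive prioritization. The store names, the sample contents and the tier numbers are all assumptions chosen for illustration.

```python
"""Data-discovery scan over constructed sample data stores (added example)."""
import re
from collections import defaultdict

# Constructed sample data standing in for a startup's data stores.
# None of it is real; it exists only so the scan has something to find.
SAMPLE_STORES = {
    "crm_export.csv": (
        "name,email,phone\n"
        "Ada Lovelace,ada@example.com,+44 20 7946 0000\n"
        "Alan Turing,alan@example.org,+44 20 7946 0001\n"
    ),
    "billing_dump.txt": (
        "order 1042 paid with card 4111111111111111 exp 12/26\n"
        "order 1043 paid with card 4012888888881881 exp 03/27\n"
        "order 1044 declined, card 1234567812345678\n"  # fails Luhn: not a real PAN
    ),
    "hr_notes.md": (
        "Onboarding for J. Doe, SSN 123-45-6789, starts Monday.\n"
        "Contact: jdoe@example.net\n"
    ),
    "release_notes.md": "v2.3.1 fixes a crash on startup.\n",
}

PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # 13 to 19 digits, optionally separated by spaces or hyphens; confirmed by Luhn below
    "card_candidate": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}

# Assumed risk tiers: regulated financial/identity data outranks contact data.
RISK_TIER = {"payment_card": 3, "ssn": 3, "email": 1}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_store(text: str) -> dict:
    """Count each category of sensitive data found in one store's contents."""
    found = defaultdict(int)
    for _ in PATTERNS["email"].finditer(text):
        found["email"] += 1
    for _ in PATTERNS["ssn"].finditer(text):
        found["ssn"] += 1
    for m in PATTERNS["card_candidate"].finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found["payment_card"] += 1
    return dict(found)


def risk_tier(findings: dict) -> int:
    """Highest tier among the categories present; 0 when nothing sensitive was found."""
    return max((RISK_TIER[k] for k in findings), default=0)


def inventory(stores=SAMPLE_STORES) -> list:
    """Scan every store and return a report sorted by descending risk tier."""
    report = []
    for name, text in stores.items():
        f = scan_store(text)
        report.append({"store": name, "findings": f, "tier": risk_tier(f)})
    report.sort(key=lambda r: r["tier"], reverse=True)
    return report


if __name__ == "__main__":
    for row in inventory():
        print(f"tier {row['tier']}  {row['store']:20s} {row['findings']}")
```

In practice the same logic would run over real file shares, object storage and database exports, and the tier would feed the “how do we prioritize” and “are we collecting more than we need” questions: a store that turns out to hold card numbers but has no business reason to is the first candidate for deletion rather than protection.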
Next, focus on your personnel. In many instances, employees can make the difference between a data breach and a thwarted breach.
- Startup employees typically wear many hats, and many people may have access to sensitive corporate data. Challenge the access decisions you made for convenience, and institute a policy of least privilege to limit access to data based on job necessity.
- Require more than a simple username and password combination to access your network and corporate data. Mandate two-factor authentication (2FA) for all employees.
- Share examples of social engineering techniques with team members so they can identify and avoid scams. Periodic email phishing simulations are a great way to test awareness and provide remediation where needed.
- Monitor for negligent or malicious insider threats. User activity monitoring builds a baseline of each person’s normal patterns around email, file transfers, and USB use, so that deviations from that baseline stand out and potentially threatening activity can be blocked before damage is done.
- Include everyone in awareness education and security policy acknowledgement – employees, freelancers, virtual assistants, etc.
- Pay attention to offboarding. When someone leaves your startup, ensure all access is revoked: accounts, SSH keys, API tokens, shared passwords, and seats in third-party SaaS tools. Any activity from a departed account is a finding in its own right.
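The monitoring and offboarding points above are easy to state and easy to get wrong, so here is an added example (not code from the original article or from any monitoring product) of the core logic run over constructed activity logs. It builds a per-user, per-action daily baseline from earlier days, flags a day whose event count or transferred bytes exceed that baseline, and separately flags any activity by a user whom an assumed HR feed lists as departed. The log format, the user names, the `DEPARTED` table and the threshold rule (mean plus the larger of three standard deviations or half the mean, with a floor of one) are all assumptions made for the example.

```python
"""Baseline-and-anomaly check over constructed user activity logs (added example)."""
import re
import statistics
from collections import defaultdict

# Constructed log lines, not from any real product. One event per line.
SAMPLE_LOG = """
2024-03-04 user=alice action=file_transfer bytes=2100000
2024-03-05 user=alice action=file_transfer bytes=1900000
2024-03-06 user=alice action=file_transfer bytes=2300000
2024-03-07 user=alice action=file_transfer bytes=2000000
2024-03-08 user=alice action=file_transfer bytes=1800000
2024-03-11 user=alice action=file_transfer bytes=250000000
2024-03-04 user=bob action=usb_mount bytes=0
2024-03-05 user=bob action=usb_mount bytes=0
2024-03-06 user=bob action=usb_mount bytes=0
2024-03-07 user=bob action=usb_mount bytes=0
2024-03-08 user=bob action=usb_mount bytes=0
2024-03-11 user=bob action=usb_mount bytes=0
2024-03-11 user=carol action=login bytes=0
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) user=(?P<user>\w+) action=(?P<action>\w+) bytes=(?P<bytes>\d+)$"
)

# Assumed HR feed: users whose access should already be revoked, keyed to their last day.
DEPARTED = {"carol": "2024-03-08"}


def parse_log(text: str) -> list:
    """Parse log lines into event dicts; malformed lines are skipped rather than trusted."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"day": m["day"], "user": m["user"],
                           "action": m["action"], "bytes": int(m["bytes"])})
    return events


def daily_totals(events: list) -> dict:
    """(user, action) -> day -> {'count': events that day, 'bytes': bytes that day}."""
    totals = defaultdict(lambda: defaultdict(lambda: {"count": 0, "bytes": 0}))
    for e in events:
        d = totals[(e["user"], e["action"])][e["day"]]
        d["count"] += 1
        d["bytes"] += e["bytes"]
    return totals


def threshold(history: list) -> float:
    """Alert level for a metric given its earlier daily values (assumed rule, see lead-in)."""
    mean = statistics.fmean(history)
    sd = statistics.stdev(history) if len(history) > 1 else 0.0
    return mean + max(3 * sd, 0.5 * mean, 1.0)


def detect(events: list, target_day: str, departed: dict = DEPARTED) -> list:
    """Return findings for target_day: offboarding violations, new behaviour, and spikes."""
    findings = []
    for (user, action), by_day in daily_totals(events).items():
        today = by_day.get(target_day)
        if today is None:
            continue
        # ISO dates compare correctly as strings.
        if user in departed and target_day > departed[user]:
            findings.append({"user": user, "action": action, "kind": "activity_after_offboarding"})
            continue
        history_days = sorted(d for d in by_day if d < target_day)
        if not history_days:
            findings.append({"user": user, "action": action, "kind": "no_baseline"})
            continue
        for metric in ("count", "bytes"):
            history = [by_day[d][metric] for d in history_days]
            limit = threshold(history)
            if today[metric] > limit:
                findings.append({"user": user, "action": action, "kind": f"{metric}_anomaly",
                                 "value": today[metric], "threshold": round(limit)})
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG), "2024-03-11"):
        print(f)
```

Run against the sample, alice’s 250 MB transfer on 2024-03-11 is reported as a bytes anomaly against a baseline of roughly 2 MB per day, carol’s login after her departure date is reported as an offboarding failure, and bob’s routine daily USB use produces nothing. The baseline is deliberately per user and per action: a volume that is normal for a build engineer is not normal for a recruiter, which is why a single global threshold would miss most insider cases.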
If full-time security personnel are not in your budget, consider outsourcing to reduce cost. Managed security service providers (MSSPs) can be a less expensive route and are often better equipped to keep up with emerging threats. You can also engage ethical hackers to perform penetration testing of your network or of the hardware/software you’re developing, or open that testing up more broadly through a bug bounty program.
For more resources, you may want to check out Starting Up Security: Guides for the Growing Security Team.