It’s pretty well established that the impact of cybercrime activity and the mitigation of this impact through security defense costs, has become a major business expense. In 2015, the cost of cybercrime, according to the Ponemon Institute, in their report, “2015 Cost of Cybercrime” was on average $7.7 million and as much as $65 million per organization. The types and numbers of breaches perpetrated was also phenomenal with PWC finding that in the UK, 9 out of 10 organizations suffered some level of security breach in 2015, and globally cyber attacks were up by 38%.
With big news headlines about mega breaches, such as the Ashley Madison attack, where around 37 million accounts were exposed, it is easy to think this only happens to large, global organizations. However, this is simply not the case.
The Startup – A Cybercriminal’s Dream
Building a start-up company is hard work, but exciting. It can be one of the most satisfying and potentially fruitful things a person can do. You get to create that great product idea you’ve had for years, and work with talented people, all the while having business, mostly, under your control.
To build your company, you need to truly focus in on your core business. It takes long hours, hard work and tenacity, to not just create a product, but to market it and sell it too. All of the energy of a start-up goes into the building blocks of their company and product – this is why start-ups can be so innovative – they eat, sleep, drink innovation and make great ideas happen.
This focus, coupled with tight finances, means that the emerging start-up space is rapidly becoming the favorite target of the cybercriminal. But why exactly should such new and usually smaller companies be prime real estate for the hacker?
Why Pick on the New Kid on the Block?
Building a startup has become ubiquitous throughout the world. Entrepreneurship is a driving force for economic change and small companies employ large numbers of people. The GEM Global Report states that there are over 100 million startups formed every year, globally. The European Commission has estimated there are around 23 million small to medium sized enterprises in Europe, accounting for 99% of businesses. This is a very large pot for cybercriminals to go after.
Cybercriminals are targeting smaller and especially startup organizations for the simple fact that they are more vulnerable, the specific vulnerabilities being several-fold:
Financial challenges: startups often have financial challenges and can even be very under-funded. Security is a luxury they cannot afford. Many startups are so busy building product and trying to get in front of the right people to sell that product, that paying attention to security seems secondary and a pointless expense. Despite evidence to the contrary, according to the National Cyber Security Alliance, 77% of smaller companies believe they are safe from cyber-threats. If you don’t feel there is a need to do something, you won’t.
Sophistication levels of an attack: IT security has become a complex game. As attacks become more sophisticated and stealth attacks like Advanced Persistent Threats (APTs) become more prevalent, the level of experience needed to address these threats is becoming ever greater. According to security vendors Kaspersky, 87% of data breaches required assistance from third party specialists and specialists are costly.
Use of Cloud computing: Cloud storage of sensitive data and intellectual property (such as software code) is a common choice for startups. It is cheaper than building your own data center and easily accessible from home locations. Managed Cloud provider, Rackspace, reported that 52% of startups surveyed said that they simply would not be able to afford on-premise IT resources. However, security within a Cloud computing context needs specialized skills and proper knowledge. If security controls are not correctly implemented, or security tools not used properly, then cloud data is at great risk.
The Supply Chain: startups are hungry for sales. Getting onto a supplier list is a great strategy for continued revenue for a startup. Once in the supply chain, the company becomes an even more attractive target for cybercriminals. Supply chain attacks are a real and serious threat to the whole chain and take on many forms. Supply chain members can supply and receive sensitive data, including source code. Source code, for example, is at great risk of being contaminated by malware and passed onto clients. Cybercriminals are targeting smaller companies in the chain, with the express purpose of getting to the top of the chain. The most infamous example of this was the attack on the U.S. retailer, Target, who ended up having around 70 million customer accounts compromised. The inroad into the Target customer database was through a third party supply chain vendor; the vendor, who had access credentials for Target’s network, was spear phished with the result that Target became a victim of one of the world’s largest breaches.
What are the Consequences of a Security Breach on a Startup?
The fact is that most start-ups fail. The Startup Genome Report, found a 90% failure rate for start-ups. This type of statistic is frightening and implies that any event that can cause serious impact on the continued working of the startup could contribute to its failure. With information like this in mind, having a breach, which results in down time, or reputational damage, is something a start-up literally cannot afford. Coupled with this is the knowledge that small companies who suffer breaches, are more prone to that breach being catastrophic. The National Cyber Security Alliance reported that 60% of smaller companies go out of business within 6 months of a breach; start-ups, being at an early stage in development, will be particularly vulnerable. Start-ups have a lot to contend with, just to make sure their venture persists and grows. Security issues can be the ‘straw that broke the camel’s back’. Without due care taken to mitigate the risks they are experiencing, the increasingly targeted smaller organization will place itself in a highly vulnerable position.
Taking Control of Your Start-up
Start-up entrepreneurs need to become mindful of the importance of cyber security and the threat landscape. By nature of their vulnerable position, they have become attractive targets for the cybercriminal. Security is no longer something that a large enterprise has to contend with, it is now in the face of the start-up entrepreneur and needs to be taken on board as a business expense, most likely incurring consultancy through third party specialists. The use of managed security services and Cloud based security solutions (security-as-a-service) are often cheaper to setup and run as well as offering ‘pay-a-you-go’ options.
Security may seem, ‘somebody else’s problem’ when you, yourself are in the midst of creating your dream. But, that dream will quickly become a nightmare if you don’t take control of your IT security and protect your company as it goes through its most vulnerable early stages. Cyber-threats need to become an integral part of a start-ups risk management assessment in the same way that more traditional risks, like intellectual property protection, staffing and funding are now.
Michael Liebi ist Gründer und nun als Board Member bei United Security Providers tätig.