Startups Don’t Need Cyber Security (Or Do They?)

Originally published by NCC Group.

Written by Sourya Biswas, Technical Director, NCC Group.

Every new day seems to reveal news of yet another data breach or ransomware attack. CNET published a great article towards the end of 2019 cataloging the major data breaches last year. While I won’t name any names, there are some very recognizable brands on that list. These breaches spanned multiple attack vectors—software misconfiguration, malicious insider, insecure code or even plain user error. It pains me to say that many of these breaches could’ve been prevented by observing basic cybersecurity hygiene.

However, this post is not about the big companies that make the news on CNN and Fox, but about those that might hardly make a column in the local town paper if they were breached. In other words, I’m talking about startups.

Before we go any further, I would like to put something on your radar. I recently recorded a webinar called “Security for Startups”, where I talk about the importance of being able to accurately gauge where you are in your company’s security maturity and how to point towards a desired target state.

You can view the recording on-demand—I really think you’ll find it helpful.

Why is cyber security important for startups?

If you think that attacks are limited to billion-dollar firms targeting million-dollar payouts, you’re wrong. According to the Verizon Data Breach Investigations Report (DBIR) for 2019, as many as 43% of all breaches occurred at small businesses.

To understand why small businesses are targeted, let’s take the viewpoint of the cyber threat actor, specifically with respect to their motivation and capability. Motivation answers “why a threat actor would want to attack a startup” and capability answers “if they have the ability to do so”.

With respect to motivation, the Verizon report states that 71% of breaches are financially motivated. What many fail to realize is that startups often have information that can be misused for financial gain.

Let’s start at the lowest level—most startups retain their customer’s Personally Identifiable Information (PII), information that can be used for identity theft. Other startups store their customers’ payment information (jackpot!). Finally, a few innovative startups have such valuable intellectual property that become attractive targets for their own rather than their customers’ information. I once worked with a startup that was subject to multiple cyberattacks due to the niche industry in which it operated—quantum computing. As is evident, startups have information that bad guys consider worth stealing.

Now focusing on capability, attackers are actually better equipped to target startups. Most startups have limited cybersecurity protections in place, thereby reducing the typical cyber threat actor’s level of effort and increasing the chance of success.

As the US Small Business Administration eloquently puts it, “Small businesses are attractive targets because they have information that cybercriminals want, and they typically lack the security infrastructure of larger businesses.” While moving to the cloud helps (see Point 1 below), it’s not a magic solution for all security issues.

• Strategy. Like most business goals, cyber security is not achieved overnight, and resources for achieving those goals are already constrained. Developing a strong security foundation based on a long term roadmap is a must. Minor investments in cyber security over time go a long way towards protecting the value of the business and enabling future business growth and revenue.
• Culture. Many startups reject cyber security because it’s not understood very well. At some companies, it’s even viewed as a business inhibitor and/or sunk cost. This mentality often creates a culture that resists cyber security as the organization continues to grow. Create smart solutions that contribute to the product or service and ensure security is baked in as an investment and/or component of competitive advantage.
• Protection. Resources are limited and must be spent in the areas that provide the most value. Focus on the highest degree of protection while driving the most value. Critical tasks like cloud configuration reviews, escrow services, and incident response retainers will help establish the minimum amount of security needed to keep the organization moving forward.

What are some security quick-wins startups should aim for?

As cyber security consultants, we are cognizant of the fact that startups cannot afford to spend millions on securing their information assets. Also, depending on a few systems without redundancy can make startups more vulnerable to complete disruption and possibly more amenable to pay out a ransom when things stop working.

However, there are some easy to implement controls that won’t cost much but can go a long way in improving security maturity.

1. Follow cloud service providers’ (CSPs) best practices. If you have assets in the public cloud (Amazon, Google, Microsoft, etc.), follow the service provider’s best practices. While cloud service providers are responsible for securing the infrastructure (“security of the cloud”), users are responsible for securing the data within (“security in the cloud”).

2. Don’t ignore physical security just because you have assets in the cloud. Information in the cloud is accessed from devices in your physical environment, and if those are compromised, so can your data in the cloud. And of course, if you have critical assets and/or data on-premises, physical security is even more important.

3. Enable multi-factor authentication (MFA) whenever possible. MFA requires, in addition to a password, information like a code sent to the user’s phone or displayed on an authenticator application to log in.

4. Backup critical data regularly. First, identify what your critical data is (e.g., customer PII or payment data, IP) and back it up in the cloud. This will not only help against ransomware that encrypts your data and demands a ransom, but also against accidents in the workplace, such as a flood or fire.

5. Install antivirus software. Anti-virus or anti-malware software is offered by a number of reputable vendors at manageable prices. Once installed, ensure it is updated as per vendor recommendations to be able to respond to new threats.

6. Provide security awareness training. People are considered the weakest link in cybersecurity, and even with the best of tools, attackers succeed because victims let them in. Train your employees to observe good security practices like strong passwords and not to respond to common social engineering attacks like phishing.