Startup success: Why addressing cybersecurity from the beginning is critical

As a startup, you can’t afford to ignore potential cybersecurity challenges

No matter the size of your organization, a lack of preparedness will put you at risk for cybersecurity attacks. Often, startups think they are flying under the radar of most cyber criminals and are not as vulnerable. However, the reality is quite the opposite.

• Since 2020, the average number of cyberattacks per company of all sizes has gone up 31%.
• Smaller businesses, like startups, are 350% more likely to experience targeting via social engineering emails.
• Startups are more likely to use the cloud, and for 32% of businesses, security is not part of the cloud discussion.
• Despite the risks, startups and other small companies often leave themselves vulnerable, with 60% of them closing their doors within a 6-month window post-hack.

CISA put out advice* in 2015 that’s still widely applicable today: Startups need to think about cybersecurity from day 1 or experience a higher risk of being compromised down the line.

[*See our blog: 8 Takeaways from CISA’s latest report for cybersecurity].

You could be a prime target for a number of reasons. 1] Your startup may have what the data hackers want, and they may believe (often for good reason) that, as a small business, you have fewer safeguards; and, therefore, be easier to infiltrate. 2] If you’ve received funding lately, you may have gotten more press coverage, putting your startup in the spotlight. Hackers would love their “fair share” of your Series A or B! 3] Lastly, you may be more likely to use cloud-based services, which aid in digital transformation, enable remote working, and allow for a more efficient workforce; but can also make organizations more vulnerable to cyberattacks.

Of course, implementing proper cybersecurity measures is easier said than done. Startups need to overcome certain obstacles to effectively manage their risk. Here are some common challenges startups face when implementing cybersecurity measures, and how you can address them in your own business.

“Move fast and break things” = Exposures + high risk

Many startups subscribe to the philosophy that it’s best to “move fast and break things” – there’s lots of talk about minimum viable product (MVP), moving as quickly as possible, and expanding with services and partners to build an infrastructure fast. This approach is great when you’re trying to prove market-product fit, win your first customers, and scale rapidly. However, by hitting these KPIs by any means necessary, you may be opening yourself up to added risk and exposure.

Say you bring a payroll SaaS app into your organization. You decide not to implement multi-factor authentication (MFA) because the process feels like it will take too long. One of your employees decides to use the same email and password combination from a social media account to log in. This sounds innocent enough except that the details of that social media account were leaked years ago. A hacker gets this information, tries it on the payroll app, and successfully logs in leading to a data breach.

The same scenario can easily happen with even more critical assets and services – cloud infrastructure, third-party databases – and may allow criminals to access extremely sensitive financial or health data in the process.

Many startups have been involved in cyberattacks and data breaches, including:

• Revolut: In September 2022, just over 50,000 customers of the fintech startup were affected by what Revolut called a “highly targeted cyberattack.” Data that was accessed might have included customer names, emails, physical addresses, phone numbers, and partial card payment data.
  
• Canva: In 2019, 139 million personal records in Canva were leaked. By the time Canva announced it, the hackers had server access for 7 months and 4 million accounts had their passwords decrypted.
  
• Cleartrip: In July 2022, Cleartrip, a travel-booking platform, experienced what they described as a “security anomaly” with data leaked on the Dark Web. While they stated that no sensitive user data was compromised, they did ask all users to change their account passwords.

While spear phishing, malware, and brute force attacks can lead to data breaches, data leaks can also come accidentally from open AWS S3 buckets. An “open” S3 bucket is a cloud storage service from AWS that can be accessed by anyone without the need for authentication. If these buckets are left open and misconfigured, hackers can download, read, or even delete data stored there. A Rapid7 report found that nearly a quarter of the time, misconfigured AWS resources led to leaked data.

What can we learn from these examples? If a startup is too focused on moving quickly, it will miss key security configurations and important setup steps that, when skipped, end up unnecessarily leaving the company more exposed. 

Startups might not think they’re a target

All organizations, large or small, are at risk of a potential attack. Hackers aren’t looking for small businesses or startups; they’re looking for good targets. In particular, they seek low-hanging fruit, such as unpatched systems and software, misconfigurations, and so on.

Because hackers don’t discriminate based on the company’s size or revenue, the same risky behavior that might show up at an enterprise company involving misconfigurations and a lack of security controls or policy can also be what leads them to attack your organization.

Here are a couple of examples.

• SevenRooms, a popular restaurant CRM, experienced a data breach that was announced on December 15, 2022, by a threat actor that posted parts of a 427 GB data base on Breached, a forum for discussing breaches and hacks. While the CRM didn’t have sensitive payment data, it did contain API keys, promo codes, client names, and payment reports, among other things.
  
• Vinomofo, an Australian wine dealer, announced a cyberattack on October 18, 2022, where the information from up to 50,000 customers might have been exposed. This information included email addresses, names, physical addresses, dates of birth, genders, and phone numbers.

The reality is that size has a lot less to do with whether you will be attacked. Behavior and safeguards are the most relevant predictors for your level of risk.

Getting stakeholder buy-in can be difficult

One of the biggest obstacles that may stand between you and having a more robust cybersecurity framework can come from leadership. The board and executive team may not want to fund the IT department. This can result from a mix of limited resources and an inadequate understanding of actual risk. If you can’t get the higher-ups to OK your cybersecurity plans, you have to figure out how to make the most of your limited resources, which might include a minimal team, tools, and budget.

Dealing in scarcity can lead to cyber debt. Also known as cybersecurity debt, cyber debt is a subcategory of technical debt that encompasses security measures a company is taking technologically. Just like technical debt, when you take a shortcut and opt for a less-than-stellar solution upfront, the cost of making up for it in the future can be higher than the initial investment, leading to cyber debt becoming more expensive with time.

Your leadership team needs to understand that cybersecurity risk is organizational risk. Because of this, it can impact finances, reputation, and even your ability to secure funding. These days, good cybersecurity is a must to gain attention and foster trust with investors. More than ever, investors are considering risk and security posture when deciding what to fund. Additionally, and increasingly important, having a poor security posture can bar you from procuring cybersecurity insurance coverage.

When you present the need to mitigate cybersecurity risk, ensure decision-makers that you are speaking about moving the needle on organizational goals. Aside from getting funding, this can also include reducing long-term spending, achieving compliance, and establishing trust internally and externally.

Consider cybersecurity partners a way to overcome common challenges

Working with a cybersecurity managed service partner like SolCyber can be a cost-effective way to quickly manage your cybersecurity risk without feeling the need to stretch your team beyond capacity or hire new people. With a partner, you’ll have 24/7 access to experts who provide detection and response services, as well as cybersecurity support. You don’t have to bring in new team members; plus, partners can bring in their own security tech stack with no added hassle for you.

Instead of working with one or two new people, you can gain access to a wide range of expertise, with the right people available to weigh in on what you can do to meet cyber insurance requirements or resolve urgent vulnerabilities. When you bring in the right MSSP, you don’t have to know all the right questions to ask. Our job at SolCyber is to anticipate your needs and help protect you against incoming threats, while making your organization more attractive for funders and end-users.

Don’t leave your business exposed to cyber threats. Contact us now to learn how we can safeguard your company’s sensitive information and protect your bottom line.