We spoke to Brian Stuckey, a cybersecurity and risk management expert, investor, and co-founder who provided helpful insight and expertise for this article.
Starting any new business is difficult, and startups that are looking to be the next unicorn or IPO face many challenges as they try to grow, scale their services, and increase their customer base as quickly as possible.
These startups will undergo rigorous due diligence from investors who are considering putting money behind their company. This is true at any level of funding, and companies face even tighter scrutiny as more money is involved.
During the first couple of rounds of investment, it’s all about product-market fit and growth - metrics like rate of growth, number of customers, ARR (annual recurring revenue), and CPA (cost per acquisition) are important. They're markers of a company's health and provide investors with a better view of their potential return on investment.
However, as the company grows, investors start putting its operational maturity under the lens. This is where less quantitative and more qualitative views, especially around risk, come up. Qualitative aspects of a company, such as cyber due diligence, are incredibly important and shouldn’t be ignored.
We’re going to reveal why cybersecurity matters across any of the investment growth stages for a company, and what investors care about.
Why do investors care about a company’s security posture?
Both investors and founders face specific liabilities and risks when investing in or starting a new company. Risk management is crucial, and cybersecurity is an important aspect that shouldn’t be brushed aside. Here are a few of the risks that investors can face if they are lax with their cybersecurity due diligence.
Business risk - To a start-up that has few resources available, a security incident is no small matter, and a compromise could be a killing blow. No investor wants to run that risk.
PR risk - If a company is affected by a data breach, exposure, or attack, there can be reputational damage that could even taint its investors.
Liability risk - Depending on how a company was compromised and what its resulting response was (or lack of response), victims can take legal recourse.
Legal risk - Severe compromises can lead to law enforcement and legal investigations. If it can be shown that the company was negligent, that can come back to investors and founders.
The cost of such risks can drastically hamper a business or even bring it down completely. This poses a very real financial risk to investors. If a company fails to properly secure itself and manage its risk, it loses a lot of its attractive luster. Excessive risk can quickly turn an attractive investment into a poor one for investors.
What cybersecurity risks do startups face?
Unfortunately, just because a company is new doesn’t mean it won’t face cyber-attacks. Hackers don’t discriminate and target all types of organizations with similar kinds of attacks, including phishing, ransomware, and zero-day exploits. Startups are prime targets for hackers because they typically have fewer resources and less mature security controls.
Because new companies may not be aware of these risks or how to prevent them, they may be more susceptible to these attacks. If you don’t invest in a strong security foundation from the get-go, you’re just low-hanging fruit that criminal hackers will inevitably find. These data breaches may not make front-page news, but they do happen.
Investors aren’t just looking to see if you’re aware of such threats, but that you’ve made the necessary investments to reduce cyber risk.
Startups can be an easy target for opportunistic hackers
Like in the physical world, criminal organizations are motivated financially – they love easy money. They’ve quickly learned that it is substantially easier to target smaller companies, which have traditionally made very little investment in cybersecurity.
Startups that prioritize speed, development, and deployment above all else need to understand they’ll eventually become a target. This isn’t limited to ransomware attacks; it’s important to understand all the potential risks:
Improperly securing data - Most startups use third-party infrastructure or cloud-based servers like AWS or Microsoft Azure. It's important to note that cloud providers aren’t liable for securing the assets within the servers you use. If you accidentally leave a database exposed, or fail to put controls like authentication in place to secure sensitive data, that data can find its way into the wrong hands. Just last year, countless misconfigured databases leaked hundreds of thousands of records. For a burgeoning startup, it can be a death knell.
Exposing client data - Much like how you have to protect your business data, you’ll also have to protect your client and customer data. Nearly every product uses and ingests data in some way, whether it’s emails, names and addresses, billing information, or other details. It’s your responsibility to make sure your app, product, or site does so securely. If your product isn’t securing your customers’ information, it can lead to catastrophe. Privacy fines continue to rise and will only keep doing so.
Exposing your organization to third-party risks - Many startups use several third parties to make up their infrastructure and supply crucial business services. This can include HR services, communication services, email, and productivity services like Microsoft Teams or Google Apps. If you don’t have the right access controls, permissions, or authentication, a hacker may make their way in with little resistance. Don’t assume these services are secure by default.
Leveraged to attack other organizations - Hackers may use a company as a platform to attack other companies. If a start-up provides crucial services to larger corporations, forming part of a broader supply chain, a hacker may look to attack a high-value target via a much smaller (and insecure) third party. More and more companies are increasing due diligence for their suppliers, so better security can win you more business too!
Being used for crypto mining - This is a newer kind of compromise but can have a material impact on a company’s finances. Hackers may compromise your cloud-based infrastructure simply to mine crypto, leaving you with the bill.
MSSPs can be a crucial partner for risk management and cybersecurity
Startups have enough to focus on and rarely have the resources to address all priorities. In these early stages, they’re unlikely to bring on a dedicated security expert or CISO. Because they’re so focused on building and launching their product, security, if it is considered at all, is often deprioritized. It’s a difficult thing to advocate for. Asking startups to devote their limited resources to buying expensive security tools and building in-house solutions, and burdening a COO, CTO, or CEO with security responsibilities, may affect how a company will scale.
However, startups still need to properly manage their risk and protect themselves from potential cyber-attacks. They need to take care not to find themselves neck-deep in cyber debt as they progress through the stages of growth and funding. To solve this, companies can transfer a large portion of the responsibility to MSSPs to help address key challenges in cybersecurity and associated risk. Startups should also strongly consider applying for cyber insurance, as this will help limit their liability if a breach should occur.
The right MSSP can bring a curated tech stack, so there’s no need to build solutions in-house, which saves months, if not years, of ramp-up time. They can also provide guidance on the best way to secure and defend against attacks while helping you maintain security as you build new products and features and scale over time. Importantly, they should also provide 24x7 response capabilities to enable your business to quickly recover from any cyber-attack, which drastically reduces the business impact.
Investors expect a minimum amount of security that forms part of their overall due diligence. Without it, startups may find themselves facing an unexpected obstacle that may reduce the chances of raising the next round of capital.