Blog

Starting a company is no easy choice. From having a main idea to building a team and looking for investors to understand your customer, scaling companies have multiple challenges happening on different fronts at the same time. All at once. If a company is like a building, each of its challenges or stages represents a certain floor. While most companies focus on the decoration of these areas, they forget about the foundations of the building and the cybersecurity efforts that will avoid it from falling. Because if the base falls, we all know how the story ends. But, why do startups not take cybersecurity seriously? And what are the consequences of not having secure foundations? In this article, you'll learn about how scaling companies can achieve a minimum cybersecurity standard without compromising their focus and having high-impact results. We call it Achievable Cybersecurity. Why is cybersecurity in startups so important? Cybersecurity is an issue that is not only affecting big corporations but also small businesses and startups. Nowadays, any attacker can intrude into an employee’s computer remotely and attack an entire company’s system regardless of its size. Developing security means your main assets aren't compromised: Your data protection This may sound obvious, but every company should make sure that their data is safe from day one. Data protection implies shielding personal data that is stored within a certain system. However, this data not only belongs to your company but also - and most importantly - your users. Ciberseguridad para Startups_Imagen 1.jpg However, for scaling companies, this issue is not taken as seriously. Let’s use this as an example: everyone knows they should have their car and house locked down, especially at night. Would you give the keys to your house to a complete stranger? Of course not. On the contrary, in the startup world, it seems that most founders give their home and car keys to complete strangers. While having the same password for every account—to give just an example—major data breaches are happening at scaling companies as a consequence of a lack of data protection. Only in 2021, there was an impact of more than 45% of data breaches in small businesses. This illustrates the importance of having data protection and rigorous cybersecurity measures in place from the get-go. Your business and its reputation When a company is a victim of a cyberattack, its reputation is at risk. Especially if the company belongs to a market where trust is essential (e.g.: finance) What this means, is that companies suffering cyberattacks do not only need to recover from it, but suffer the reputational consequences. Those can affect the company for years, and big Public Relationships investments would be needed. To put this in numbers, according to an IBM Data Breach report, the cost of 95% of incidents in small businesses can be up to $653,587, and more than 60% of small businesses had to shut down in the six months after a cyberattack. Also, out of the total cost of a cyberattack, 40% of that belongs to reputational costs. Significant financial losses can occur as a result of cyberattacks on the business and also its reputation. This happens because scaling companies will have to make a big investment to a) solve the attack and b) recover the company’s reputation, which will be heavily damaged after a data breach. This reputational cost and the financial effort needed to solve it could potentially make a company disappear. This is especially true if it is a company without much market trajectory. The VC's investment Most scaling companies run on any sort of VC investment to grow. This investment is based on truth, but any data breach could break that relationship. And every founder knows what that means. This investment should be taken seriously and protected at all costs. This is why taking care of being secure from day one is, without a doubt, one of the most effective ways to do so. Your customers' trust Making sure the privacy of your client's data is protected must be a priority for any scaling company. Caring for your clients is as essential as caring for your own friends and family. They are the ones that trust your product and make your company’s revenue what it is. If you don’t build trust with your clients, your company’s reputation may decline, and you may also experience client migration: if they don’t see rigorous security measures, they won’t use your app or platform. Nowadays, people care about some minimum privacy policies and that is no exception for small companies. According to different studies, 29% of businesses that suffer from data leaks end up losing revenue. Also, costs affect not only the startup itself but also its clients. In 2022, 60% of cyberattacks in organizations will have led to price increases that affected their customers. An elephant in the room All of the points mentioned above are extremely important and demonstrate why cybersecurity is a must for startups. However, most founders don’t take them seriously. This is why the expectations of the likelihood of a scaling company facing a cyberattack rose from 36% in 2021 to 50% in 2022. Why does this happen? Clearly, it’s not because of a lack of knowledge. Let’s be honest: every person that works in technology knows what a cyberattack is. People who run startups know that cyberattacks are bad and should be avoided, but most leave the issue in an endless backlog. It’s pretty clear that there’s an elephant in the room: startups often forget about cybersecurity because they put the focus on economics and scaling up fast. And since taking security measures can often be very expensive, the priority is investing in technology, consistent teams, PR actions, and other issues that may help with scalability. This is a story we’ve heard a million times at Strike. Ciberseguridad para Startups_1.jpg Since cybersecurity is seen as a huge impediment in the early stages, there's been an investment in building up technology but no cybersecurity measures. As a consequence, their systems could be easily vulnerable, such as what often happens with the IoT, which suffered a 77% increase in malware attacks, or smart contracts, which bring a major risk due to blockchain technology. The main result? Cybersecurity is in a constant backlog until one day a major data breach affects the company - and potentially kills it. The Einsenhower Matrix 2.0 To put a framework around this issue, we can deep dive into what is known as the Einsenhower matrix. Day-to-day tasks are divided into urgency and importance. The urgent tasks should be solved immediately because they require attention in the short term, while the important tasks have an impact in the long term. In the startup world, these issues could be summed up in what we call the Einsenhower Matrix 2.0: besides having urgency and importance, it has visibility and invisibility. There are issues that are more visible when it comes to importance and urgency, such as clients, office storage, software developments, and PR actions, while others are completely invisible, like cybersecurity. "If you spend more money on coffee than cybersecurity, you deserve to be hacked" Eric S. Raymond That’s why we can say that cybersecurity falls into the categories of "not important, not urgent, and invisible". Why does the founders' playbook not consider cybersecurity? When it comes to scaling companies, most founders and managers follow a specific set of procedures that are well-established on the market. This could be named “The Startup’s happy path”. This "happy path" could be summed up in the following steps: Starting with an idea Setting the requirements of the project. Developing a business plan. Start developing your product. Attracting VCs and investors. Hiring your dream team. Focus on scalability Exit strategy or IPO This path has a clear impact on the business in the short and long term. However, there’s a huge issue: cybersecurity doesn’t fit into this playbook. Companies don’t put cybersecurity first because it won’t affect their business directly in the short term. If you don’t have a clear business plan, your company most likely won’t succeed. However, if you don’t run cybersecurity scans and/or pentests your project can still keep going. This is true because even though your brand isn't recognizable to anyone at first when customers start hearing about your product, hackers also will. But when is that moment exactly? At which specific stage does my company need to start worrying about being hacked? That's the tricky part: it might be at a very random moment. Cybersecurity doesn’t respond to a certain milestone in business because it depends mostly on luck. Yes, you may not need high cybersecurity standards from day 1, and your company will grow without them, but you could be hacked anytime, and that "happy path" could be easily altered and erased within seconds. Startup mantra: Fail fast, fail often When it comes to failing, most startups need to take risks in order to learn from their mistakes and iterate their products quickly. That is a well-established practice in Silicon Valley, that had spread around the globe. This mantra is known as "fail fast, fail often", it guides most scaling companies. Even though 20% of startups fail after one year, scaling companies have a culture of trying new things and not being afraid of failure. The more you fail, the more you’ll learn, and the better your product will be in the long term. Here, speed is also a key issue, because the faster the company moves, the more likely it is to succeed. The more speed you have while creating new products and features, the more revenue you’ll get from new clients, and the more investment that can be achieved. This practice has been extremely popular since it helps company iterate fast learning from mistakes, because “what doesn’t kill you make you stronger”. But…what if those mistakes actually kill you? This is why nowadays, companies need to fail in controlled environments rather than throwing features like crazy. This is known as a controlled experiment and is a game-changer. The 4 consequences of being attacked 1. Economic losses Cyberattacks not only involve sensitive data and hacking across entire systems, but also huge economic losses. Since cyberattacks can cost small and medium businesses over $2.2 million a year, the consequences are pretty clear. In the United States, only, more than 22% of the companies lost between USD $100,000 and $500,000. 2. Loss of data: If a data breach takes place within a system with no security measures, the loss of data could be huge. In 2022, for the first time, cyberattacks were the #1 cause of data loss, surpassing human error. Data loss not only involves harm to the web app’s users but only involves the possibility of the company’s full shutdown. According to official statistics, 40-60% of scaling companies won’t reopen after a data loss attack. Loss of sensitive data and also money? Better avoid these types of attacks. 3. Inability to provide services Most companies may have to stop providing services when they suffer massive attacks that lock their entire systems, such as ransomware. In 2021, 82% of these types of attacks are automatically targeted to companies with fewer than 1,000 employees, because hackers know that those are the ones with less interest in developing securely. As a consequence, they can’t give their clients the services they need and will most likely suffer client migration. 4. Violation of regulations Some industries, like finance, healthcare, and chemistry, have different regulations that must be followed or the company will have to pay big fines. In the United States, for instance, fintech is regulated both at the state and federal levels. In Latin America, there are multiple fintech laws in countries like Brazil, Colombia, and Mexico. Unfortunately, it’s much more expensive to defend than to attack: if companies don’t comply with these regulations and suffer a data breach, the loss of money when paying the fines could be huge, and this has direct repercussions for the business. Ideal cybersecurity As we mentioned earlier, creating a software project is like building a house. And if the ground is flaky, the entire construction can fall apart within seconds. As managers are not cybersecurity experts, they often see it as a binary issue. This leads to some leaders believing that in order to be secure they need to implement many controls and slow down the entire operation, finally postponing it forever. While it is true that maintaining high cybersecurity standards can be challenging (especially as it covers different areas such as development, infrastructure, cloud, policies, teams, etc.), not all companies need to handle all of these at once. Most scaling companies are not expected to have amazing cybersecurity standards from day 1. That seems obvious just by having a look at every one of its challenges: 1. Remote work: Since the pandemic, remote work has become more common among big corporations and scaling companies. Even though this has great benefits, there are also some downsides regarding security. Before remote work, a company’s entire system was locked inside a building and was easier to protect. Nowadays - and mostly because of the huge growth in cloud servers like Azure, AWS, GCloud, etc) - systems are everywhere and connected to multiple computers and devices, from a cafe to an airplane. As a consequence, cyberattacks are more likely to happen. Ciberseguridad para Startups_Imagen 2.jpg 2. Insecure supply chain: Even though a company’s system can be protected from the ground up, any attack on its providers can also make the company suffer. This is an issue that keeps growing: in 2022, supply chain attacks will surpass malware attacks by 40%. 3. Incorporation of new technologies: Since innovation is part of scaling companies’ DNA, it’s logical that they constantly challenge their products by incorporating new technologies. However, when the technology is quite new, most of its vulnerabilities are yet to be discovered, making the company's attack surface bigger than expected. 4. Lack of knowledge and resources: Just because someone knows a lot about technology doesn’t mean they are trained in cybersecurity subjects. So when scaling companies start, they may have a lot of people who don’t really know technically how to prevent an attack. 5. Lack of budget to build a team: Even if the founders of a startup want to invest in cybersecurity from day 1, getting a budget and bringing in the right people is hard. Since cybersecurity is such a niche industry, talent is limited, and they usually migrate constantly to companies that can pay much higher salaries. Achievable cybersecurity Even though having high cybersecurity standards is ideal, it can prevent companies from scaling fast, a non-desired outcome. That’s why the most realistic solution for startups is to incorporate a framework that we call Achievable Cybersecurity. This framework ensured that you do 10% of the effort that will mitigate 90% of the potential problems. These are basic recommendations that imply some effort but don’t require lots of resources or huge budgets. The Achievable Cybersecurity framework consists of 7 basic rules that any company can follow. Those are: 1. Protect your system from the most common threats It’s important to gain knowledge of the most important attacks in the cybersecurity landscape. From common social engineering to malware, ransomware, and basic API attacks, it’s important to be protected against superficial threats. This can be easily achieved by performing Automated Scans which are pretty common and not necessarily costly. 2. Implement Multi-Factor Authentication Just like a security alarm at your house, Multi-Factor Authentication is an extra layer of security that could avoid potential attacks with little effort. By enabling MFA on your product, users will be required to enter a generated code that is sent to their phone in addition to their username and password. Also, it seems reasonable to enable MFA on every external software the company uses. This is a clear example of achievable cybersecurity because, with little effort, big changes can be made. Common cyberattacks like phishing could be avoided just by enabling MFA. Even if a hacker gets a password, they’ll need the extra authentication that is only sent to the real user’s phone. 3. Implement data loss prevention There’s no doubt that data loss prevention (DLP) is a safe way to create secure data processes to minimize any accidental leaks. This set of tools is used to make sure that unauthorized users do not lose sensitive data. They perform both content inspection and contextual analysis of data that is sent via messaging applications such as email, instant messaging, file servers, or cloud applications and cloud storage. Ciberseguridad para Startups_2.jpg On the one hand, the technologies that enable DLP are the enterprise, which is packaged with agent software for desktops and servers, physical and virtual appliances for monitoring networks and email traffic, and virtual appliances for data discovery. Then, the integrated DLP technology, which is limited to secure web gateways (SWGs), secure email gateways (SEGs), email encryption products, enterprise content management (ECM) platforms, data classification tools, and data discovery tools (CASBs). 4. Protect your app’s source code Most startups develop amazing apps that come to change their industry. However, most of the time, founders spend more time thinking about the app’s functionality and UX design rather than the protection of its source code. These codes are the base of your software, and they often have an IP attached to them. As a consequence, if they are not well protected, hackers are more likely to access them and exploit high-impact vulnerabilities. How can you achieve this protection? The answer is quite easy and cost-effective: it involves knowledge of where the code is, which services are being utilized, and where the data needs to be protected. If the code is adequately protected and not public, hackers are less likely to access it. The same goes for cloud services, which should be secured from day one. 5. Keep your software updated Software updates are just as important as scanning your code when it comes to avoiding potential attacks. This action can repair security holes, remove computer bugs, and even remove old features that may be potentially dangerous. Also, software updates can patch security flaws that could potentially be exploited by hackers to perform malware attacks and also protect all of your data. 6. Give cybersecurity training to your team This action requires a little more effort, but it makes a difference in your team’s mindset. In scaling companies, most of the team members come from a tech background and probably have a clue about cybersecurity. By giving cybersecurity training to your teams and teaching them basic concepts such as social engineering attacks, malware, and ransomware, they can be aware of simple actions they can take in order to avoid these attacks. If you don’t know where to start, Strike’s Cybersecurity Guide could be a great place to begin. 7. Incorporate data encryption Encryption is a relatively cheap alternative because most of its technologies come inside big software. Some examples are BitLocker on Microsoft Windows and encryption features on iOS and Android. By encrypting your files, you can translate the data into another form or code and limit access to those who have the correct description keys to the files. As a consequence, your employee’s data will be more secure, mostly if they work remotely. Some other actions that should be taken into account are using virtual private networks (VPN) to prevent potential attacks on public Wi-Fi connections. Who can take care of cybersecurity at scaling companies? The 7 rules listed above show that having some kind of cybersecurity standards could be a reality for most companies. However, an important point to remember is that someone should be responsible for this task. Someone who has some understanding regarding cybersecurity and can take responsibility for the company’s future. Even though not every startup needs a CISO (Chief Information Security officer), they all should have at least a CTO who is aware of these issues and can implement cybersecurity standards from day 1. The first thing they should do is make sure there’s a calculated ROI in their security operations. Knowing how a potential cyberattack can affect the business is going to make your VCs and investors more aware of the damage not having cybersecurity standards could cause. Also, it’s important to find a balance between the business’ growth and safety measures. In conclusion For most founders and managers, having great cybersecurity standards is an action that should be taken into consideration as their company grows. However, if a company doesn’t incorporate cybersecurity standards from day 1, cyberattacks will certainly happen, and the business may have more chances of not being successful. Just like a building, if it doesn’t have solid ground, the higher floors are most likely to fall. Implementing the Achievable Cybersecurity framework is an easy and cost-effective way to make sure some basic standards are met, and 90% of potential threats could be avoided. And focusing on the topic once in a while can make a team more conscious of possible scams, and be likely to be a victim of any attack. In addition to the Achievable Security measures you can take, there are also extra actions that could help you go from 0 to 100 really quickly. Some automated tools like Automated Scans or Attack Surface Management (ASM) could be a great option to see your vulnerabilities in a continuous way and also analyze your attack surface. Also, pentesting is the best solution in the long term, since it implies manual pentesting with high-skilled ethical hackers - or as we call them, Strikers. Taking care of your business’s cybersecurity requires attention and, most importantly, knowledge. Since knowledge is power, we hope this article was deeply helpful and your startup can scale fast with high cybersecurity standards.