Everything Start-Ups Need to Know about Cybersecurity

Managing a start-up involves skill, dedication and an ability to multi-task. When you are getting your young business up and running, you will likely have to prioritize. When your funding is limited, it can be all too easy to neglect invisible threats like cyber-attacks; however, doing so can spell disaster for the future of your company.

Your Small Business Is Not Immune

Many entrepreneurs, start-up founders and small business owners believe that because their company is small, it can essentially fly under the radar when it comes to cyber-attacks. This point of view is very detached from reality.

One study found that nearly 45% of small and medium-sized businesses report having fallen victim to a cyber-attack in the past. A further 50% of those surveyed reported that they suffered from a data breach that targeted both employee and customer information.

There are a few reasons why a cyber-attacker might choose to target a start-up like yours. Firstly, cybercriminals are aware that small and young businesses tend to have fewer cybersecurity measures in place. For this reason, cyber-criminals might choose to target your business simply because it is easier for them to target you than a more secure company.

Secondly, it is common for cybercriminals to target small businesses as a means of gaining access to larger businesses. One example of this is the 2013 Target cyber-attack. The cybercriminals gained access to Target by first hacking a small partner company, the local heating, ventilation and air conditioning company. This cyber-attack resulted in a huge customer data breach that was eventually settled for a sum of $18.5 million.

The Effects of a Cyber-Attack Can Be Devastating

You may never suffer consequences on the same scale as Target’s historic settlement, but even a low-level cyber-attack can be devastating for a young start-up. A cyber-attack can affect the long-term health of your business in a variety of ways, such as:

Reputational Damage

Reputation is everything in business, especially for young start-ups that have so much to prove. A successful cyber-attack can ruin your reputation, a consequence that can forever tarnish the name of your business.

Financial Damages

There are many reasons why a cyber-attack might result in financial damages for your start-up. A cybercriminal might gain access to your data and products and hold them for ransom, or you might face legal liability as a result of a data loss.

Loss of Productivity

Downtime caused by a cyber-attack could result in a huge loss of productivity that could last for hours or weeks on end.

How Start-Ups Should Protect Against a Cyber-Attack

As USWired outlines, the most effective way of protecting your start-up against the threat of a cyber-attack is to outsource your IT services to experts. With the help of an expert, you will be able to gain access to a customized security solution that meets the needs of your business. This solution can be both proactive and reactive to reduce the threats of a cyber-attack.

In addition to employing the help of a cybersecurity expert, you should also train your staff. Educating your staff about possible cybersecurity threats and the best ways to stay safe will help you to further reduce potential threats. Since some forms of cyber-attack, like phishing attacks, target untrained people, training your staff can be a very effective line of defense.

How to deal with cyber-attacks: publicly or privately?

Cyber attacks spiked 164% in the first half of 2017 compared to the same period in 2016, entailing 918 disclosed breaches, according to reports from broadcaster CNBC. Threats vary from sector to sector. Healthcare, for example, is more susceptible to crypto-locker ransomware like the infamous WannaCry.

Internet-connected consumer devices often fall prey to malware that shackles them to remotely controlled botnets such as Mirai. Varied though the threat may be, and staggering though these numbers are, the word “disclosed” highlights a central paradox: while transparency contributes to the overall fortification of cyber-security protocols and procedures, battening down the hatches presumably mitigates further financial risk.

Sure, a disclosure is immensely beneficial in terms of buttressing industrial safeguards, national and global security, and customer protection – not to mention mitigating the longer-term repercussions of an attack – but so too can disclosure exact lasting damage on a bottom line.

Fighting back

The nature, intent, and consequences of an attack notwithstanding, the way companies have responded to breaches is closely related to their designation: public or private. CFOs at public and private companies face different risks and pressures when it comes to cyber-security and disclosure, and exhibit divergent perspectives when it comes to preparation.

Broadly speaking, public company CFOs are more likely to outsource cyber-security to third-party firms, while private CFOs tend to invest in in-house IT teams. Regardless of who secures a company’s network, breaches are often known by CFOs before they are made public. By disclosing a breach, CFOs of publicly traded companies might trigger investor panic and sell-off, whereas private company CFOs risk irreparable harm to consumer and employee confidence.

On one hand, foreknowledge of pending disclosures can put unique pressure on public company executives, who often own considerable amounts of company stock. The ongoing federal investigation of three Equifax C-suite managers for insider trading arose due to alleged stock dumping prior to the revelation of the company’s catastrophic cyber-attack.

Equifax underscores the tension between a public corporation’s responsibility to its board, shareholders, and customers, and the financial implications of both the breach itself and legal requirements governing its reporting and remediation.

On the other, while private companies aren’t under the same legal obligations in terms of disclosure, and while the short-term consequences may be less impactful, these companies still face long-term pitfalls, such as lost trust and tarnished brands. Moreover, a medium-sized business may not have the capital or reserves to recover reputationally or financially after a major data breach the way a multinational corporation can.

Additionally, the moderate scale of many private companies sometimes instills a false sense of security. Middle-market businesses often assume they’ll be overlooked by attackers, whether due to a large number of similar companies, or a lack of enticing assets. After all, isn’t it the bigger fish that stockpile the type of data and info that hackers tend to target?

Be prepared

A lack of proper preparation only exacerbates the panic once an attack does occur. Attempting to deal with an attack on the down low can earn private enterprises a reputation as easy marks and provoke subsequent attacks. Further, if the rearguard strategy backfires, or is exposed by the press, this can amplify the damage to a company’s brand and leadership, not to mention potential legal consequences if negligence is proven in court.

In terms of the bigger picture, the lack of reliable data pertaining to attacks on private companies leads to lopsided analysis regarding the multifaceted aims and motives driving these attacks, resulting in a sort of half-finished portrait of the threat landscape.

While cybersecurity prevention could be vastly improved by greater information sharing, some surveys of CSOs indicate that only one in seven attacks is reported to authorities. Alas, as it stands, adequate event modeling, and risk and security assessments, are being stymied by a lack of shared intel on private company breaches, effectively hampering the development of comprehensive prevention and management strategies.

This lack has precipitated the introduction of numerous cyber-security regulations around the world, and though the regulatory ecosystem is in a state of flux, the global trend is invariably toward greater transparency. CNBC notes that “governments around the world are introducing legislation which will force more companies to disclose data breaches,” a reach that already extends to private enterprises.

Regulatory environment

Both private and public companies are compelled to comply with local, national and global disclosure regulations, including Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the EU’s General Data Protection Regulation (GDPR).

The GDPR, which regulates the collection and storage of customer information and data, and can levy fines of up to €20 million, requires that private companies disclose breaches if they have a footprint in Europe or otherwise handle the information of European citizens.

In the US, Sarbanes-Oxley (SOX) indexes the responsibilities of both public and private companies, including rules pertaining to compliance with federal prosecutors, and criminal penalties. Further, HIPAA governs how any company, public or private, handles personal health information.

Though public companies, traditionally, may have shouldered an inordinate amount of the fallout from disclosure, this has left them better readied for the implementation of legislation designed to enforce transparency. Even more advantageous, public companies now have hard-won practice mitigating the financial risks and ramifications resulting from disclosure.

Private companies, by contrast, are less aware and agile in terms of prevention and response; protecting their brand, for example, or proactively communicating with clients. Simply put, having been in battle, public CFOs are stepping up and getting more involved with cyber-security, while private CFOs, hovering on the sidelines, appear far more circumspect.

Make no mistake: this problem is only getting worse. The situation could improve rapidly if execs from companies of all stripes and sizes shared details of attacks with the larger corporate community.

Whether you are the CFO of an international, publicly traded conglomerate or of a mid-sized regional business, it is well within your portfolio to do everything possible to properly prepare for the threat. Engage with the board, secure funding for proper security controls, and encourage leadership to be forthcoming when, not if, your company’s cyber-attack occurs.

About the Author

Andrew Douthwaite has over 17 years of technology experience joining VirtualArmour in 2007 as a senior engineer. Now as Chief Technology Officer, Andrew focuses on leading growth in the managed security services business and ensuring VirtualArmour is a thought leader in the security industry.