Cybersecurity Imperatives for Startups
Incidents of cyberattacks and malicious hacking seem to be dominating the news cycle of late, but computer system crimes have been increasing since the late 1980s. Many of the early occurrences were not meant to be harmful—skilled young programmers, often on a lark, sought to challenge the defenses of cyberspace.
Today’s attacks, however, have been far more nefarious—like the May 2017 WannaCry ransomware outbreak that affected more than 200,000 victims in at least 150 countries. While such high-profile cyberattacks tend to grab headlines, it’s really small businesses and startup companies that are the most vulnerable targets for cybercriminals. Yet, due to inattention and lack of resources, these businesses often have the least-protected IT infrastructures.
A May 2016 cybersecurity survey published by smallbiztrends.com shows that, “small businesses are not only at risk of an attack, but many have already been attacked. 55% of the respondents said their companies had experienced a cyber attack and 50% had data breaches involving customer and employee information over the prior 12 months.”
Perhaps the biggest cybersecurity risk facing small businesses is their failure to recognize the potential losses they could face. Research published by Towergate Insurance indicated that, “82 percent of small business owners believe they are not targets for cyberattacks because they don’t have anything of value to steal.” But the reality is that even small businesses have a lot to protect including their intellectual property, brand, reputation, and customer information.
Furthermore, if a cyberattack results in significant system down time, that loss of income may be unrecoverable. U.S. Congressional lawmakers in proposing legislation to help small businesses have stated that, “60 percent of small businesses that suffer a data breach go out of business within six months.” And according to its annual Cost of a Data Breach Study, the Ponemon Institute found that the average cost of a data breach increased from $3.79 million to $4 million in 2016.
TYPES OF CYBERTHREATS
There are many different types of cyberattacks with new techniques continuing to evolve daily. While cybersecurity and IT professionals work tirelessly to uncover and neutralize malicious threats, hackers are doggedly working to expose and exploit new vulnerabilities. While monetary gain is the most common motive for cyberattacks, disgruntled employees, vindictive competitors, angry customers and more can also pose a threat. The following list includes the most pervasive types of cyberattacks perpetrated today.
Malware is a broad term for a range of cyberthreats including Trojan horses, viruses, worms, spyware and the particularly notorious ransomware. These types of electronic infections typically enter systems via email attachments, software downloads or operating system vulnerabilities and often spread to other connected computers in a network.
Denial-of-Service/Flooding refers to attacks meant to intentionally overload a website or network with data requests as a means of crippling the system and blocking those with legitimate reasons to access system operations or functions.
Password Cracking efforts strive to discover passwords using techniques such as Brute force Attacks, which methodically try every password possibility one by one, Dictionary Attacks, which test various combinations of dictionary words and Keystroke Logging Infections, viruses that track user keystrokes.
Phishing usually employs an official-looking email or pop-up advertisement to entice customers or employees to click on a link and reveal their user names, passwords, account information or credit card numbers.
Man-In-the-Middle Attacks are a ruse whereby the perpetrator pretends to be both parties on either side of an online exchange. For instance, the criminal would trick a bank customer into thinking he or she is communicating with his or her online bank and once the customer logs in to the bank’s secure server, the criminal has full access to the customer’s accounts.
Pharming occurs when website visitors are redirected from a legitimate website to a bogus, imitation website. Once on the phony site, the customer can unknowingly share personal details such as credit card numbers and account information.
Inside Attacks can be the most disheartening for companies to face because they are the result of the deeds or misdeeds, whether malicious or unintentional, of their own employees. Disloyal and disgruntled employees in particular can pose a grave threat when their vindictive motives are unknown.
Once the various methods of cyberattacks are understood and the potential motivations for cybercrimes are explored, the question that remains is how small business and startups can protect themselves. To that end, the Federal Communications Commission has provided the following guidelines.
Ten Cybersecurity Tips For Small Businesses
- Train employees in security principles. Establish basic security practices and policies for employees, such as requiring strong passwords and establish appropriate Internet use guidelines with penalties for violating company cybersecurity policies. Establish rules of behavior describing how to protect customer information and other vital data.
- Protect information, computers, and networks from cyber attacks. Keeping clean machines with the latest security software, web browser, and operating system is the best defense against viruses, malware, and other online threats. Set antivirus software to run a scan after each update. Install other key software updates as soon as they are available.
- Provide firewall security for your Internet connection. Make sure the operating system’s firewall is enabled or install free firewall software available online. If employees work from home, ensure that their home system(s) are protected by a firewall.
- Create a mobile device action plan. Mobile devices can create significant security challenges, especially if they hold confidential information or can access the corporate network. Require users to password protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information through public networks. Be sure to set reporting procedures for lost or stolen equipment.
- Make backup copies of important business data and information. Regularly backup the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Backup data automatically if possible, or at least weekly and store the copies either offsite or in the cloud.
- Control physical access to your computers and create user accounts for each employee. Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.
- Secure your Wi-Fi networks. If you have a Wi-Fi network for your workplace, make sure it is secure, encrypted, and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password protect access to the router.
- Employ best practices on payment cards. Work with banks or processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations pursuant to agreements with your bank or processor. Isolate payment systems from other, less secure programs and don’t use the same computer to process payments and surf the Internet.
- Limit employee access to data and information, and limit authority to install software. Do not provide any one employee with access to all data systems. Employees should only be given access to the specific data systems that they need for their jobs, and should not be able to install any software without permission.
- Passwords and authentication. Require employees to use unique passwords and change passwords every three months. Consider implementing multifactor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multifactor authentication for your account.
To lend further context to this vital subject matter for small businesses and startups, we’ve tapped a couple of industry experts who are in the trenches day after day and have seen more than their share of the cyber underworld.
Gilad Peleg is CEO of SecBI—Security Business Intelligence—a well-known organization in the cybersecurity field for its adaptive investigation platform designed to help security experts and organizations investigate, respond to and prevent breaches. Here are some of his thoughts:
Don’t Forget to Protect Your Most Valuable Asset—Your Idea
As Peleg pointed out, “Every startup’s main asset is its Intellectual Property. They usually invest heavily in creating it, and very little in protecting it! Startups work fast and in distributed environments employing myriad tools, platforms and locations (on premise, cloud, VPN and remote work) and often put less emphasis on security. Even little things like ensuring that their employees’ laptops are password protected and are not left in the car [should not be] ignored.”
Think Beyond the Basics
Peleg said, “Startups need to deploy the basic security controls such as firewalls, anti-virus, secure web gateways, etc. However, deploying such systems is not a foolproof solution. Hackers might (and probably will) get through to access your network and possibly exfiltrate sensitive data. Today’s cyber security attacks utilize very advanced techniques that are extremely hard to detect, requiring great skill and expertise to perform what is called ‘threat hunting.’ Most startups do not have dedicated security personnel. This means they need to employ very efficient technology such as machine learning and artificial intelligence to enhance their security posture.”
Consistently Test Cybersecurity Systems
Peleg emphasized, “You can’t close all holes, but you can make a serious attempt to do as much as you can and then test yourself. Once all security controls have been deployed, utilize a solution that can quickly assess whether the network [has been] compromised or if there are active breaches or signs of data exfiltration.”
We also spoke with Yoni Shohet, Co-Founder and CEO of SCADAfence, a pioneering organization that delivers innovative cybersecurity solutions to the pharmaceutical, chemical, food and beverage, automotive and building automation industries.
As this article has stated, many startups underestimate their exposure to cyber threats. Shohet said, “Today, cybercriminals are able to gain financial benefits from hacking any organization – big or small. This is mainly thanks to ransomware attacks where the adversary takes control over sensitive data/devices and demands money in return. Any company that has Internet connected computers can easily become victims of such attacks where they can lose control over their intellectual property or sensitive customer data. Therefore, all companies must take the proper measures to ensure safety from these types of attacks—including proper backup of data, strict access control, strong authentication and encryption.”
Be Wary of Third-Party Vulnerabilities
As Shohet would point out to startups, “You are only as strong as your weakest link. This is true when it comes to third party vendors and your supply chain. Startups need to make sure that when they allow external parties to access their data, they should always make sure that they only have access to required information and that the maximum protection is put in place. This will allow these companies to better contain the potential damage caused by third parties.”
Start With the End In Mind
A final piece of advice Shohet offered is that, “Startups should build their own products with security in mind. This means ensuring that during the entire development life cycle that the products they develop are not vulnerable to attacks. For example, certain products cannot afford to risk an attack that might interfere with their operation or switch them off completely—such as lifesaving medical devices or smart home devices. Therefore, these products must be tested for security issues and vulnerabilities throughout the entire development process.”
FINAL WORD: MAKE CYBERSECURITY A TOP PRIORITY
As evidenced by the increasing number of cybercrimes targeting vulnerable small businesses, cybersecurity is a risk that startups must be prepared to actively manage. That means everyone in the organization—from owners to employees—must recognize the importance of protecting the company and its customers and be an integral part of the solution.