Why Investors (and You) Need to Care About Cybersecurity - June 27, 2018
It makes sense that startups tend to underestimate cybersecurity. After all, they are small targets with limited amounts of data to steal. Many entrepreneurs believe that they are not even on hackers’ radar. That attitude is understandable, but unfortunately, it’s also inaccurate.
In reality, a cyberattack is one of the most common and consequential problems for growing enterprises.
Cybersecurity is a concern even if a problem never arises. Simply having weak security measures in place makes it harder to attract customers, partner with suppliers or secure buyout offers. Insecure companies are seen as looming liabilities, which is a reputation no ambitious entrepreneur wants. So even if hackers have yet to target your business directly, showing a disregard for security best practices could be holding you back.
News outlets are quick to report on breaches at behemoths like Equifax and Yahoo, but largely ignore startups and small businesses that are ruined by cybercrime. This unfortunate story happens all the time, and every small business is potentially a victim.
Why cybersecurity is so critical
The frequency and severity of cyberattacks are rising rapidly. At the same time, governments are beginning to take cybersecurity seriously and impose strict penalties when companies fail to protect data. The General Data Protection Regulation rules could mean multibillion-dollar fines for the worst offenders. Added to that is declining public tolerance for personal data being repeatedly exposed to hackers.
In terms of acquisition, investors understand that the final cost of any cyber incident is likely to be high and has the potential to be catastrophic. Those investors may have spent significantly on their own cybersecurity, but when their network is integrated with the network of a company they’ve purchased, they inherit whatever risk exists in that network as well. Trying to combine a secure network with an insecure network typically just degrades network security overall.
It’s understandable that cybersecurity is becoming an important part of the due diligence that precedes an acquisition offer. It’s now up to the startups and small businesses of America to protect their valuation and make effective cybersecurity a priority.
Protecting against old and new threats
Just because a company has some basic security protections in place does not mean it is secure. Most legacy security tools were designed to identify known threats and protect against common attack strategies. That was effective when hackers were taking a one-size-fits-all approach and targeting the lowest-hanging fruit.
Now, however, hackers are using sophisticated and persistent attacks to target specific data at specific companies; they are designing attacks to bypass whatever defenses they encounter.
It’s important for startups to understand that as they grow, stabilize and possibly court buyout offers, investors are not impressed by a good-faith effort to improve cybersecurity. They want to see companies implementing specific protections in response to today’s (and tomorrow’s) threats. For most companies, that means taking a smarter and stronger approach to security.
The essential elements in a cybersecurity strategy
Startups must accomplish two things with their cybersecurity strategy: first, make effective improvements to their security tools and policies, and second, make improvements that can be demonstrated to potential investors.
Here are several ways to achieve both objectives:
Focus on the weakest point
Hackers direct most of their efforts at the weakest point in the IT network: the email inbox.
Huge amounts of sensitive data sit idle in the inbox and are sent in and out daily. Email is also an ideal channel for social manipulation in the form of phishing schemes, which account for 91 percent of all cyberattacks. Email advanced threat protection should be considered mandatory, and the use of email encryption is prudent. Companies are exposed to much less cyber risk overall once the inbox is secure.
Adopt a cloud-first approach
The cloud is not ironclad, but it is usually more secure than on-premises deployments. Cloud providers attract users by building world-class protections into their platforms. They also have dedicated teams for monitoring and improving security. Most small businesses could not afford these same security resources in-house, but the cloud makes them cost-effective and reliable.
Make employees the best defense
Employees are responsible for the vast majority of cybersecurity incidents (in the form of human error), but they can also spot red flags that security tools cannot. User education and training help to eliminate a lot of risky behaviors, and detailed policies and practices ensure that threats are dealt with properly. A culture of cybersecurity, combined with the right tech tools, is a formidable defense against hacking.
Develop a response plan
The damage from cyberattacks is exacerbated when companies fail to identify and eliminate issues as soon as possible. Avoiding threats entirely must be the priority, but it’s risky to ever assume that protections are perfect. A detailed response plan outlines exactly who will act when, where and why after an attack. Having a viable plan in place is an easy way for small businesses to prove their understanding of and commitment to cybersecurity.
The scale may be different for startups, but the stakes are the same. All organizations are under cyberattack, and every incident creates lasting damage. Once entrepreneurs begin to systematically prepare for the risk, they can prevent disruptions from becoming disasters.