Cyberattacks are nothing new, but until recently the general consensus in the world of startups and small business was that only big, public companies with plenty of cash, clout and valuable data had to worry about them.
That mindset is changing. While a cyberattack can do serious damage to a large company, that company will most likely recover and move on. For a small, growing business, the results can be absolutely devastating.
With what seems like an endless list of high-profile attacks making headlines in recent months, along with the Biden administration’s urgency to tighten our national defenses, it’s become clear that cybersecurity is something that can no longer be ignored or taken lightly, regardless of the size or stage of your business.
The research bears that out as well. Accenture’s incident response analysis for the first half of 2021 reported a triple-digit increase in intrusion volume and, according to the Small Business Administration, in a recent survey 88% of small business owners said they felt their business was vulnerable to a cyberattack.
Speaking from an industry insider’s perspective, awareness is a great first step, but it is often not accompanied by action. From a founder’s perspective, I understand why it is an easy item to dismiss when you’re busy with launching a new venture, but I can’t stress enough how important it is.
Another important thing to note is that it’s not just the threat of a cyberattack that can put your brand and your bottom line at risk. Enterprise companies and the federal government are now pushing their requirements down into their supply chains to broaden their own defenses. We’re seeing this firsthand with our own customers. Being unprepared to demonstrate a strong security posture can have a direct impact on your ability to retain current customers and win new business.
What makes startups an attractive target for cyberattacks?
Before we get into the basics of protecting your growing business, I think it’s important to understand why startups and small businesses are being targeted and why the trend will likely continue. According to the 2021 Verizon Data Breach Investigations Report, “when it comes to the number of breaches and organizational size, the gap between large and small is closing.”
Having spent more than 20 years in the cybersecurity industry, I've seen this trend coming for a while.
Cyber criminals know startups and small businesses are often unprotected or underprotected for reasons such as prioritization, cost, internal knowledge and lack of dedicated security staff. They also know it’s likely these businesses won’t notice a breach until it’s too late to do anything about it.
An entry point to the enterprise
Remember that very public Target breach from a few years ago? The point of entry was an HVAC subcontractor. Hackers understand leveraging weak points in the supply chain can lead to even bigger rewards.
A great ROI for hackers
Customer data is valuable no matter where it comes from. Just like the rest of us, cyber criminals understand the value of time and effort, so it makes good business sense for them to shift their attention to easier targets.
Common threats and how to avoid them
The Small Business Administration (SBA) defines the top threats facing small and midsize businesses as:
The good news is all of these threats can be addressed, some more easily than others, but with some effort and focus (and you’ll have to get your team on board) it can be done.
It’s also important to keep in mind that just like most things in life, nothing is foolproof. But don’t let that dissuade you. Just as you would take basic precautions to protect your physical environment, there are a few basic things you can do to protect your virtual environment, which these days is often a more attractive target.
Here are the top cybersecurity best practices we recommend for startups:
Assess your current defenses
A great place to start is to take an assessment of your current IT security defenses. The National Institute of Standards and Technology (NIST) provides a good framework to follow, especially if you plan to do any business with the federal government. Some of the basic questions to consider are:
● Do we have a firewall in place?
● What security applications and software tools do we currently leverage for cybersecurity?
● What company security standards do we have in place?
● What is our plan in the event of a breach?
● In which areas do we need to consider employing the help of an external service provider?
● Where are we most vulnerable?
Keep your systems and your software up-to-date
It’s tempting to ignore those messages to update your software and operating systems. But those small disruptions can save you from even bigger issues down the road. Many software updates contain critical security patches so the sooner you implement them, the better. If you don’t have an IT manager, consider designating a point person to communicate with the rest of your team when new updates are available and send reminders to make sure they run them.
Leverage a password manager
Is your team still writing their passwords on sticky notes, or storing them in a spreadsheet? Are they still creating passwords that barely meet minimum standards for password strength? If you answered yes, you’re putting your startup at risk. Weak and reused passwords can be easily guessed by hackers, creating a point of entry to your systems and applications. A very public example of this is the attack on Colonial Pipeline, which was caused by one stolen password. To make it easy for your team and keep your data protected, we strongly recommend using a password manager to create, store and audit the health of your passwords. NIST also offers some excellent guidelines for passwords.
Protect your accounts with multifactor authentication
With the increase in cybercrime, using a multilayered approach to cybersecurity has become even more critical. One of the best additional layers of protection is to use multifactor authentication, which is sometimes referred to as two-factor authentication or 2FA. This method keeps criminals out of your applications by requiring multiple forms of authentication that always include some combination of something you have (e.g., a device or bank card), something you know (e.g., a password or PIN) and something you are (e.g., biometrics such as a face or fingerprint). Most applications allow you to enable this in the security settings. When possible, we recommend using a third-party authenticator app rather than an SMS method.
Protect your endpoints
Part of any good multilayered approach to cybersecurity is making sure that your endpoints (devices) are protected. Endpoint protection is more commonly known as antivirus software; the more advanced version, endpoint detection and response (EDR), employs new technology like machine learning. EDR goes beyond traditional antivirus protection in that it can detect changes in system or user behavior and quarantine anything suspicious to mitigate potential threats. As with any software, it’s critical to designate a point person in your organization to ensure the version you are running is up-to-date and to develop a plan for mitigating any potential threats.
Train your team to spot suspicious links and emails
User behavior remains one of the most common reasons businesses are breached. Make sure everyone in your organization, from your leadership team down, understands how important it is to think before you click or respond to requests. Phishing attacks can come in many forms, from emails from your boss asking you for bank information, to fake texts from Amazon, with the end goal of getting you to click on a malicious link or provide proprietary information. We recommend educating your team to follow these basics with frequent reminders to keep them on track.
Make sure your cybersecurity practices grow with your startup
As your business takes off, so does your exposure, and that can make your business a more interesting target for hackers. As you continue on that rocket ship to success, make sure not to neglect your cybersecurity. In addition to the best practices we’ve recommended above, as your budget grows, it’s important to make investing in more sophisticated cybersecurity tools and practices a priority. Leveraging more comprehensive software and the services of an external service provider are some things to consider as your business continues down the path to success.
The risk of cyberattacks for startups and small businesses is real—and growing. But when you start by taking small steps today, and continue to develop a good cybersecurity posture to protect your team, customers, and sensitive information, those efforts will pay off for years to come.
Originally published on Oct. 4, 2021.