[BreachExchange] What Every Startup Needs to Know About Cybersecurity

Audrey McNeil audrey at riskbasedsecurity.com
Fri Nov 3 14:18:08 EDT 2017


https://www.inc.com/quora/what-every-startup-needs-to-know-about-cybersecurity.html?cid=hmhero

Just a few years ago, technology strategy followed business strategy.
Often, it was just a footnote in the business plan. That changed
dramatically as technology has evolved into a disruptive advantage that
enables a new startup to move faster than entrenched competitors. Today,
the technology strategy often dictates the business strategy. It's the
cornerstone for communication and collaboration for all of your employees,
partners, suppliers, and customers.

Even if you aren't a tech startup, your emails, documents, communications
with customers, financial records, intellectual property, strategic plans,
budgets, marketing materials, etc. are all valuable to you - and may be
even more valuable to someone else.

Let's imagine a common scenario that I've seen a hundred times as a
consultant:

Your early stage startup is working on getting a product prototype to the
MVP phase. You are seeking startup funds, and are working on detailed
business plans and a pitch deck. Somewhere along the way, one of the early
employees or co-founders has had their email password compromised - either
via a weak password, social engineering, or by clicking malware. It doesn't
matter - someone is reading every email sent from the account, as well as
every attachment. They may also have access to cloud document storage
accounts and SaaS apps.

For weeks the attackers do nothing - they just watch, silently collecting
data. Over a period of days or weeks they work quietly, moving laterally
and gaining more access. They may install a remote access tool on the
employee's laptop or compromise another user's email account. They don't
delete or destroy anything, and they cover their tracks as they go. At the
same time, they look for potential buyers for your information - perhaps a
firm overseas who sees the potential of the business and has an interest in
replicating it. After all, the startup team is doing all the hard work for
them.

As the startup team works on, the hackers monitor and mirror the progress.
They see the code the startup developed to make the product work. The R&D
for the product. The patent application draft being passed around for
review. The results of the market surveys. They take all of it silently in
the background and the startup team is none the wiser.

At some point the startup finally does get funded, and the team is close to
perfecting the final product before launch. When they file the patent
application, they discover that someone has already filed a nearly
identical document. A search discovers that an identical product is for
sale on a foreign website with near identical marketing. The competitor
even took the logo design and product photos.

The startup team works to make improvements and decide on the strategy
forward. While they are busy, a ransomware attack encrypts the most
critical documents and they get an email demanding payment to get the data
back. To make things worse, someone has also logged into the payroll system
and redirected a few paychecks to a burner card. The startup is bleeding
cash, and investors are concerned.

The following week the suppliers begin receiving emails from the company
canceling or modifying orders. The customers are receiving requests to
redirect purchase orders to a new bank account. Malware is being sent to
customers from your email addresses. High value customers also receive
emails from a competitor offering a similar product. Amazon is flooded with
nearly identical products at a cheaper price. The customer credit card
database from the startup website is compromised. Then they get a letter
from a law firm alleging you're violating their client's patent and seeking
damages. Unable to deal with the onslaught, they shut down the business.

This isn't fear mongering: I've seen every one of these attack scenarios
in person. Cybercrime is rapidly becoming a major reason that small
businesses fail. This happens to firms of every size, but smaller firms are
becoming a preferred target as they don't have robust security capabilities.

The hard reality is that the vulnerability to the business starts as soon
as you have an email address.

Startup founders need to think about information security needs right from
the start. Cyber security planning needs to start with your business
planning. You'll be far too busy to work on it "later", and trying to
implement security controls once you've been breached is a nightmare. Every
time you add a technological capability, you need to think about how you
are securing it: email, sensitive documents, online accounts, bank
accounts, SaaS applications. You have to think about detection,
remediation, and recovery and have those capabilities in place before you
need them.

Otherwise, you're just handing your business over to someone else.