Imagine the following scenario: You have an idea for a new mobile application. Believing in this app’s ability to compete in the highly competitive market, you quit your current job, invest your savings, form a company and begin developing your app. Sometime later you have a working prototype, and as you begin beta testing and introducing your app to the marketplace, you hire your first employees, acquire space for your business operations, and start marketing the app.
As adoption of the app picks up, so does your business, and you hire more employees to provide sales and support assistance. You are on your way to transforming your startup into a successful business. Needing additional capital to scale the business more quickly, you identify a strategic partner interested in investing in your business. Before you can close on the funding, several employees report that they did not receive their paychecks through the direct deposit system.
The investigation reveals that several months ago, your organization received a series of spear phishing emails. You learn that multiple employees opened the email and its attachment, giving the cybercriminals access to your systems. Not only are you out the payroll money, but you also learn that in addition to your employees’ banking information, the criminals had access to your customer contact information and the source code for your app.
While you are generally aware of privacy laws, you did not consider your business a likely target; after all, you are a startup and cannot possibly be attractive to a cybercriminal. Because of that, neither cybersecurity policies and procedures nor cyber insurance had made it to the top of your priority list. You engage a lawyer and forensic specialist, and ultimately, to ensure the system is secure, you are forced to shut down operations for several days. It takes weeks to fully assess the extent to which the system was compromised, causing you to miss deadlines for reporting a data breach. Insurance might have covered the cost of the investigation and remediation, but you had not yet purchased that insurance.
Not only are you dealing with the disastrous impact on your business and a significant interruption to your customers’ use of the app, but your strategic partner rethinks its investment in your business given the extent of the damage from this attack. You are now faced with significant expenses to stabilize your system and begin rebuilding trust with your customers, and if you are lucky, you will not be subject to significant fines for failing to report the data breach in a timely manner. This cyberattack has not just interrupted your business for a few days; it has put the entire future of your business at risk.
A cyberattack is an unwelcome event for any company, but the effects can be especially detrimental to a startup, with 60% or more of small businesses that experience a data breach going out of business within a year of the breach. It is impossible for a business of any size to guarantee a system that is fully secure, and not all companies have millions of dollars to invest in cybersecurity. However, by allocating even limited funds to assessing its data privacy risks, implementing a protection plan and creating an incident response plan, a startup can significantly improve its chances of surviving a cyberattack.
Potential Cybersecurity Risks
The cybersecurity risks faced by startups are directly related to the type of information they maintain and the extremely limited funds available to invest in cybersecurity. First, like any other business, startups must maintain employee information. Additionally, a startup may hold various information about its customers. A startup creating a mobile app is likely to have individual consumers as customers and therefore to hold billing information for those users, and possibly customer locations or other personally identifiable information. All such types of data, among others, offer value to a hacker.
Even though a startup may have a smaller database of such information compared to a large corporation, cybercriminals may be more inclined to target the startup knowing that the startup’s limited resources mean a system that is more easily breached. By investing their limited funds wisely, startups can implement basic security measures and incident response plans that can greatly improve the startup’s chances of adequately responding to a data incident and limiting the resulting damages.
When conducting an initial security assessment, a startup should focus on the industry it serves and identify all the types of data it stores. First, if the startup is in a highly regulated industry such as healthcare or financial services, investment in data protection is not an optional expense because failure to comply with the industry data protection requirements can mean certain failure for the business. In that case, the cost of data security should be a required part of the budget. Second, all businesses should identify the different types of data they store. Such data may include personnel data in human resource records, product specifications, business plans, health care records, manufacturing data, service plans and methodologies, customer contact information and preferences, customer payment information, research efforts and results, among other information.
In order to accurately assess the business’s vulnerability, the startup should consider all of the types of information it receives, confirm where and how the data is stored once collected, determine the information’s value and susceptibility in a breach, and then tailor its cybersecurity plan accordingly.
Creating a Cybersecurity Plan
Some larger companies’ cybersecurity protocols are very complex, requiring significant financial and personnel commitments to create and maintain. However, for startups hoping to obtain cybersecurity protection on a budget, the key is to focus efforts on protecting the business’s more critical data. Therefore, a startup’s cybersecurity plan should:
- Identify the most critical data by ranking the categories of data according to risk levels.
- Identify the type of cyberattack most likely to be used with each category of data.
- Know where and how each type of data is stored within the company’s system.
- Discuss with a technical expert the types of products and services available to help block, identify or contain cyberattacks.
- Create an incident response plan that identifies individuals responsible for responding to the incident and their respective duties, including contact information for all such individuals, and store a hard copy in case the electronic version is not accessible.
- Select and retain legal counsel and forensic specialists to be on call in the event of an incident and call them at the first sign of trouble.
- Decide if you will purchase cyber insurance, and if you do, be certain the policy is suited for the type of data the business maintains and that you are aware of and prepared to meet the requirements for asserting a claim under the policy.
- Maintain a list of all company vendors and consultants and ensure that a list of their contact information is always up to date.
By enacting a cybersecurity plan, a startup can act more quickly and effectively when an incident does occur. In the event of an incident, immediately contact legal counsel with experience in data breaches. This allows the business to protect the results of the investigation and can help ensure the business meets reporting requirements under applicable data privacy laws. Prompt and effective action can not only limit financial damages from the incident, but it can also minimize the chances of unrecoverable reputational damage.
Tips to Improve Security Within Your Company’s Infrastructure
While it is imperative to have a cybersecurity plan in case a cyberattack occurs, a startup can take measures to improve security in its infrastructure to help prevent cyberattacks and reduce the effects if one does occur. A business’s security measures should include:
- Developing patching strategies and implementing them consistently and in a timely manner, including standard protocols to evaluate, develop, and apply patches to the company’s systems, or contractual commitments for your vendor to do so if the company relies on a third party to maintain its computer systems;
- Developing and maintaining proper security policies tailored to the startup that focus on the most critical data;
- Developing and testing an incident response plan;
- Making the security policies manageable and accessible to all employees;
- Implementing regular offsite backups combined with a business continuity plan;
- Conducting personnel training to identify suspicious emails, websites, links and behaviors; and
- Obtaining cyber insurance.
Relevant IP Concerns
Of the four primary intellectual property focuses—patents, trademarks, copyrights and trade secrets—data breaches largely threaten the protection of trade secrets.
To qualify as a trade secret, the information must meet three key criteria. First, the information must be a formula, process, technique, program, etc. that provides a competitive advantage to its owner. Second, the information must be economically valuable to the company because the information is not generally known or easily ascertainable by a third party. Third, the owner of the information must make a reasonable effort to keep the information confidential. Because disclosure of a trade secret may destroy its status as a trade secret, it is important to take steps to minimize the chances of disclosure. A large percentage of startups have at least some information they consider to be trade secrets.
In addition to traditional steps to protect trade secrets, including having all employees sign nondisclosure agreements and limiting access to the information to only those employees actually requiring access to perform their jobs, steps to ensure the trade secrets are not compromised in the event of a cyber incident are just as important. In addition to password protection, consider encrypting the trade secrets, or if appropriate, storing them only on computers that are not connected to the rest of the company systems. If no one at the startup is particularly skilled in setting up computer security measures, engage a trusted data security specialist to consult on the configuration of the computer system and the storage of the trade secrets to ensure the most appropriate protection.
Practice Based on Recent Breaches
If you are still questioning the value of a startup as a target for a hacker, consider the hacker who targeted first Evite, and then Canva, earlier this year. Far from a small startup at this point, Evite suffered a data breach when a hacker stole Evite’s customers’ information. According to the highly popular electronic invitation provider, the cyberattack seized customers’ “names, usernames, email addresses, passwords, …dates of birth, phone numbers, and mailing addresses.” Per ZDNet, the hacker, who was identified as Gnosticplayers, then attempted to sell Evite’s customers’ data.
Around the same time, a hacker using the same name also targeted the Australian startup company, Canva. Canva, which provides web design services, also experienced stolen data including “names, usernames, email addresses, city, and country information.” While some consider Canva the “most successful tech startup out of Australia for years,” its data breach affected 139 million people, resulting in loss of money and public favor. Canva’s lack of a cybersecurity plan that could be implemented in the event of a breach exacerbated the effects of the attack.
The cyberattacks on Evite and Canva illustrate that, no matter how big or small the company is, no one is immune to cybersecurity risks. By keeping an up-to-date response plan to minimize the effects of a breach, a startup can reassure investors that, although a breach may occur, the startup is prepared to handle the situation and limit the impact on its customers and the company.
Get Your Response Plan in Place Now
Although startups are targeted by the same cybercriminals as large corporations, startups also experience unique cybersecurity challenges because of their fast-moving businesses and tightly stretched resources. Should the worst occur without a response plan in place, engaging proper counsel and technical support as soon as possible is the best defense. However, the risks associated with relying on that approach make it clear that even though managing cybersecurity risks may be time-consuming and costly, the benefits to a startup can be far-reaching in the business’s ultimate success, even if the budget for such efforts is limited.