STARTUPS, BEWARE! CYBERSECURITY CANNOT BE IGNORED


STARTUPS, BEWARE! CYBERSECURITY CANNOT BE IGNORED
Photo by Pete Linforth
Introduction

Last week, the founders of a Pacific Northwest-based startup found themselves helpless as their business became the target of a bot attack. Unable to operate, they were scrambling to find the right expertise to help them get back on their feet. Sensitive data were stolen.

There is no place and no time at which a cyber-attack is not being carried out. Cyber criminality has been on the rise year after year, and 2021 is no exception. The pandemic was a great booster: vulnerabilities multiplied across enterprises when the physical central office, with its compact network and uniform hardware and systems, gave way to a constellation of individual offices in the homes of executives and employees, creating a patchwork of endpoints in a decentralized configuration. Every company had to adapt to this newly formed, highly heterogeneous enterprise network.

As the media tends to feature the most visible attacks on large organizations, many entrepreneurs have come to believe that cyber-attacks are almost exclusively aimed at large businesses where so much money is at stake. Although the aggregate damage caused by cyber-attacks on large businesses is significant, small businesses, including high-tech startups, have in fact been a much larger target group.

In general, most startups are vulnerable, being unequipped to protect themselves against experienced hackers. Entrepreneurs and CEOs, focused on executing a business plan, attend to too many fires at a time to give any serious thought to the risk of a cyber-attack. And cybercriminals know it. They are well organized and competent, and their business model is flawless. Lately, CCAS (cyber-crime as a service) has flourished on the dark net.

What kinds of threats may businesses expect, why, and what measures can they take to mitigate a risk that is almost certain to hit them one day?

1. Different Types of Attacks

a. Malware and Ransomware

Malware is the most common attack. It consists of attacking the enterprise at its core: its system's operations. Hackers may use different ways to disrupt operations; the two most prevalent are a full crash of the system and making a point of access available to unauthorized parties in order to provoke data breaches. Such malware, undetected, can remain dormant for months before being activated.

Malware is often the first step of a broader cyber robbery. Ransomware, which prevents all authorized users from accessing the system, is used to demand a ransom against the "promise" to reinstate access to the network as the business intended it. Such a ransom is sometimes requested in digital currency. While holding your data hostage, the hackers keep it encrypted. In the last few years, ransomware attacks have targeted an increasing number of tech startups.

Startups have little resistance to data breaches. Their network is often a conduit to the larger corporations to which they are connected. Though large corporations are believed to be well protected against such attacks, this indirect route can bypass all the defenses they have built when no proper security due diligence is performed on the businesses linked to them.

b. Phishing

Phishing is the most common social engineering cyber-attack, by which hackers trick users into giving them sensitive corporate information.

c. Privilege Escalation

Privilege escalation occurs when a hacker who has compromised the system at a low privilege level takes advantage of vulnerabilities to obtain access to a higher-privileged account and carry out the intended attack.

d. Distributed Denial-of-Service (DDoS)

DDoS attacks are accomplished by congesting the network with connection requests. As a result, the servers crash. This type of attack is of little concern to hard-tech companies; it is mostly aimed at enterprise servers that consumers access directly. Such attacks are, however, extremely frequent: an estimated 5.4 million DDoS attacks were carried out in the first half of 2021.

e. Man-in-the-Middle Attack (MITM)

A man-in-the-middle (MITM) attack occurs when the criminal interposes themselves in an exchange, appearing as a legitimate party to it. The goal is to steal the information used to log in to an e-commerce platform or a financial institution. As with DDoS, hard-tech startups are less likely than other startups to fall prey to this attack. However, B2B e-commerce and supply chain startups must have measures in place to protect the credentials of all the businesses they supply. Multiple methods of spoofing and credential hijacking exist.

2. Causes of Cyber-Attacks

There are four major causes of cyber-attacks.

(a) Unsecured Wi-Fi Connections
Hackers can easily compromise public Wi-Fi connections, such as those we use in hotels. They then obtain credentials that allow them to intercept data, some of it potentially sensitive. Startup employees, including executives, are generally not cautious when accessing their enterprise data network while on the go. If the data is not encrypted, it can easily be stolen and, if valuable, sold.

(b) Insecure Passwords
Passwords need to be kept secure and changed regularly. Password management is often overlooked.

(c) The Proliferation of Points of Access
The emergence and spread of the Internet of Things (IoT), with its connections to enterprise data networks, has created a hectic pace of activity both among hackers and among security specialists trying to prevent any network compromise. It is a real challenge that startups must overcome if they are not to fall victim to a data breach. Only those with a strong security framework are safe.

(d) Human Error
Human error has traditionally been cited as the #1 or #2 cause of cyber-attacks for decades. It is still difficult to break habits of negligence, and too time consuming to properly train employees to follow a strict security policy. Security controls and protocols must be in place in all startups. Employees are the weakest link in your network.

3. Reasons for the Attacks

a. Startups are the low-hanging fruit for cyber criminals
Attackers take advantage of the prevailing attitude of startup entrepreneurs and management for whom cybersecurity never becomes a priority until it is too late. It is easier to access a startup network than a large company that invests in security.

b. Startups tend to pay quickly
Startups are left with two options: pay and recover operations, or re-create a complete duplicate of the enterprise at a considerable cost that no investor is likely to finance. So they pay, in whatever form they are told to pay.

c. Startups Are Used as a Conduit to Larger Organizations (see 1.a)
A startup system, with its vulnerabilities, is an easier passage to access the robust, more secure systems of large businesses than a direct attempt at penetrating the network of the latter.

d. Espionage
The 2019 Verizon Data Breach Investigations Report mentions espionage as a strong motivator for attackers to access manufacturing companies, mainly using stolen credentials.

4. What Startups Must Do to Protect Themselves

Prevention is better than cure. Cybersecurity can no longer be a reaction to a threat that has already materialized; for a startup, that is often a life-threatening event. The objective is to make your business protected enough to dissuade attackers. Your resources will never be sufficient to fend off and outsmart the most sophisticated attackers. Unless your enterprise is developing technology for defense systems, chances are that no attacker will relentlessly focus on finding a vulnerability in your business if you have taken the necessary protective measures, with a minimum budget. And if you are working on a secret weapon, it is a completely different game and you are already using the defense-grade security demanded by your partners. Below is a list of the various measures to adopt:

a. The Basics
i. Anti-virus: Use, properly configure, and regularly update antivirus and antimalware software on all computers. Outdated systems put the business at risk.
ii. Password security: Use strong passwords and save them through a password manager.
iii. Firewalls
iv. Back Up Strategy: backing up your mission-critical data in the cloud or on an external drive ensures that it is available for restore in the event of a breach or a ransomware attack.
v. Intrusion Detection: a comprehensive endpoint security solution with multifactor authentication, to secure your communication channels and protect your devices. Use encryption for sensitive data. Security systems with behavior-blocking elements are an efficient tool.
vi. VPN: A virtual private network extends a private network across a public internet network and enables users to send and receive data across shared or public networks, ensuring online privacy and anonymity.

b. Prevent Social Engineering Attacks
Social engineering is the use of tactics by fraudsters to convince employees or organizations to voluntarily give up valuable private information. According to findings published in the 2019 Trustwave Global Security Report, social engineering is now the dominant method for cybercriminals looking to access your data. Preventing social engineering attacks needs to be a top priority for businesses. A data breach sending your intellectual property and other confidential data to the dark web would certainly halt any prospective funding from smart investors.

c. Risk Assessment
Assess risks and vulnerabilities to find possible entry points, and act on them. Include an assessment of your cloud service provider's compliance with industry standards. Your data integrity is at stake.

d. Develop Effective Cybersecurity Processes, Policies, and Tools
Following a good risk assessment, you need to put robust and clear policies and processes in place, such as:
i. Setting specific network access policies: Privileged access management is about restricting access to privileged accounts by using password management, multifactor authentication, and user behavior analytics.
ii. Avoiding Wi-Fi connections that are not password-protected.
iii. Using encryption and verification methods for applications.

e. Train your Employees
Close to 90 percent of data breaches are caused by human error. Untrained employees are one of your biggest vulnerabilities. Provide regular employee training on the importance and practices of cyber security. Startups must implement and enforce specific security policies for their remote resources.

f. Check Compliance with Security Protocols and Policy

g. Put monitoring and alert systems in place.
Network security monitoring collects and analyzes traffic data, provides threat detection alerts, and responds to intrusions.

h. The Ultimate Cybersecurity: Zero Trust

Since the pandemic, zero trust has become a ubiquitous approach to cybersecurity. As remote working practices have prevailed, reliance upon conventional security tools (firewalls, VPNs, etc.) has become insufficient to offer the expected protection for corporate data. Remote workers have become the target of choice for savvy attackers.

Zero trust is an approach based on strict governance: it verifies that any user accessing an application has permission to access it, and does so over an authorized channel from an authorized device. The main attributes of zero trust are real-time visibility into user IDs, device behavior, device credential privileges, device location, and app update status.
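The access decision described above, as an added example that is not part of the original post: a small policy check that evaluates every attribute the text lists (verified user identity, app permission, enrolled and patched device, authorized channel and location) and denies the request if any one of them fails. The device inventory, permissions, channels and locations are constructed sample data, not taken from any real product.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample data standing in for what a zero-trust policy point
# would hold: managed devices with their owner and required patch level,
# per-user application permissions, and the channels/locations allowed.
MANAGED_DEVICES = {
    "laptop-017": {"owner": "alice", "min_patch_level": 42},
    "laptop-023": {"owner": "bob", "min_patch_level": 42},
}
APP_PERMISSIONS = {"alice": {"crm", "wiki"}, "bob": {"wiki"}}
ALLOWED_CHANNELS = {"https-mtls"}
ALLOWED_LOCATIONS = {"US", "CA"}


@dataclass
class AccessRequest:
    user: str
    device_id: str
    app: str
    channel: str
    location: str
    patch_level: int
    mfa_verified: bool


def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every attribute must pass; a valid
    login alone is never enough, which is the core of zero trust."""
    reasons: list[str] = []
    if not req.mfa_verified:
        reasons.append("user identity not verified with MFA")
    if req.app not in APP_PERMISSIONS.get(req.user, set()):
        reasons.append(f"user {req.user} has no permission for app {req.app}")
    device = MANAGED_DEVICES.get(req.device_id)
    if device is None:
        reasons.append(f"device {req.device_id} is not managed")
    else:
        if device["owner"] != req.user:
            reasons.append(f"device {req.device_id} is not enrolled to {req.user}")
        if req.patch_level < device["min_patch_level"]:
            reasons.append(f"device patch level {req.patch_level} is below "
                           f"required {device['min_patch_level']}")
    if req.channel not in ALLOWED_CHANNELS:
        reasons.append(f"channel {req.channel} is not authorized")
    if req.location not in ALLOWED_LOCATIONS:
        reasons.append(f"location {req.location} is not authorized")
    return (not reasons, reasons)
```

Returning the full list of failed attributes, rather than stopping at the first one, is what gives the monitoring side the visibility the text calls for.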

5. Benefits of a Proactive Security Attitude

Observing main security priorities will not only help maintain your business data integrity, but additional, indirect, benefits will ensue.

a. Good Cybersecurity Enhances Productivity
The use of VPNs by remote workers gives instant access to company data. By the same token, any measure that reduces the probability of a disruption in the network helps improve productivity.

b. Employees can work smoothly and not waste time.

c. A Proven Efficient Security Policy Comforts Customers and Employees.
When they trust that sensitive information is well protected, they tend to be more attached to your enterprise. It is a way to retain both employees and customers.

Conclusion

Small startups, like any other enterprises, are faced with cyber-threats. They must manage to resolve them while already spending countless hours, days, and weeks on building products and acquiring customers. Such a challenge can, however, be tackled with good discipline. Calling upon outsourced specialists for advice and transferring the risk to a highly qualified expert group is a solution that many startup management teams have chosen to take the burden of security off their hands. We would also recommend following this path, sooner rather than later.