Guest Contributor January 05, 2016
The following post was written by Jeremy Sutter, a tech and business writer
Cybersecurity is quickly emerging as one of the most important threats to businesses in 2015 and beyond. The last few years have seen a massive rise in the utilization of Big Data, automated software tools, cloud storage, and other techniques and systems that involve harvesting customer data. These are lucrative, especially for marketing, but they also have created a whole new set of risks. All of that customer data is valuable for identity theft and similar unscrupulous uses. Hacker groups dedicate their time and resources to attempting to steal customer data. This poses an especially grave threat to startups, who typically have less resources of their own to dedicate to security. In this post, we'll outline three major forms of attacks and why they are so dangerous.
Some hacking groups try to target businesses directly and breach their security. They might be obvious or subtle, but their goal is the same—to break into the company's network and find any valuable data or software around. That data could be anything from industrial secrets to credit card records or social security numbers—it need not be customer data, although that is the most common target. Direct attacks pit the ingenuity and dedication of hackers against that of the startup, and the greater experience of the hackers means they can frequently find some kind of hole. On the other hand, they are in it for the money, so if they can't locate an opening easily, they are likely to move on to a softer target.
Sometimes it doesn't take a real breach to get access to sensitive data. Hacker groups frequently use social engineering to get passwords or permissions. This involves manipulating employees by, for example, posing as an IT worker and asking for a password to verify an account. They might also try calling up the ISP of the startup and try to obtain some information that way. Social engineering is easy to do, as well as cheap, so a hacker can spend their time sending emails or making calls instead of coding. It is faster and frequently just as effective, because they only need to find one link. The best way to defeat social engineering is to have strong security policies and ensure everyone follows them. That includes things like never putting passwords in emails, always verifying the identity of anyone purporting to be from IT, creating new passwords frequently, and conducting regular internal tests to probe for weaknesses.
One of the biggest problems for startups is that they cannot control all of the software they use. Every business relies to a greater or lesser extent on external vendors. If the vendor becomes compromised, all of their clients are also at risk. It is common for hackers to target vendors first and then use corrupted vendor software as a springboard for getting into bigger targets, like banks and retailers. It is difficult to completely vet all vendor software, because the whole point of using a vendor is the convenience and speed compared to internal development.
This last point especially is leading to major changes in cybersecurity. There are growing calls for laws governing liability for breaches, both for companies in charge of data and the vendors that supply them. In addition, the market for insurance that covers data breaches is growing. More and more startups are getting business insurance quotes online for policies that pay off if they are hacked, lessening the expected risk of such a breach. The fallout from an attack can be severe. The loss of customer trust and negative publicity is enough to doom a startup, to say nothing of any damage to the network or loss of essential data. Worse, some hackers slip in quietly and stay within a company for months or years, siphoning off data. The growing complexity and scale of the cybersecurity threat means that startups are finding it worthwhile to invest in insurance rather than try to go head to head with the hackers. It is hard to do when resources and time are already stretched thin moving the business forward.
Jeremy is a tech and business writer from Simi Valley, CA. He's worked for Adobe, Google, and himself. He lives for success stories, and hopes to be one someday.
To read previous guest contributions for PitchBook, click here.
[Related: Where will your information be safe? A PitchBook datagraphic on venture investment in cybersecurity startups]