No startup is too small or too new to be a target for cybercrime. Hackers now run startups in their own right, experimenting and iterating their tactics so they can spot every vulnerability and exploit them. As a result, startup leaders need to be more vigilant than ever in their security approach.
In an interview with BetaKit, Microsoft Canada Chief Security Officer Kevin Magee shared the six trends that all small business and startup leaders need to be aware of.
1. Cybercriminals think like tech founders now
Cybercriminals are often portrayed in the media as solo hackers working to exploit a small loophole in your system to steal some money before running off into the digital night. But this is no longer the case: the black hat ecosystem has evolved to the point where hackers run whole companies dedicated to exploitation.
In this new ecosystem, cybercriminals employ the same growth hacking techniques that startups do. Magee said there are even review forums for tools, outsourced customer support, and freelancer networks in the cybercrime world.
“You’re up against an entire industry trying to extort money from you in different ways,” said Magee.
2. Entrepreneurs have a secret weapon
The increasing sophistication of cybercriminals also reveals a secret weapon for entrepreneurs: if the cybercrime ecosystem uses growth hacking methods designed by entrepreneurs, that means entrepreneurs can turn this to their advantage. Since entrepreneurs designed the growth hacking playbook, they can use that same playbook to outwit cybercriminals and build more powerful cybersecurity protocols.
“Entrepreneurs invented the tactics,” said Magee. “That means you can think like the adversary in a lot of ways.”
3. Size and age don’t matter to hackers
Magee said one of the biggest mistakes startups make is assuming they are not a target because they are small. However, this can actually make you an even bigger target. Magee said young startups are particularly vulnerable to cyber attacks, since they usually haven’t established adequate infrastructure. Established small businesses are also less likely to invest in cybersecurity than large enterprises. So while you might have less to steal, your company may be relatively easier and faster to attack.
While being young and small puts your company at greater risk, Magee said the silver lining is that you’re also easier to protect because “there’s less attack surface” for cybercriminals to go after. Startups also benefit from a culture of agile operations, which helps them move more quickly once security becomes a priority.
“It’s a chance to not fall into the old habits or the old patterns,” said Magee.
4. Make sure you think about your data’s CIA
In the security world, there’s a lot of talk about data CIA: confidentiality, integrity, and availability. Hackers first attacked data availability. If you clicked a link in a spam email, it would download ransomware onto your computer that locked you out of your data. The hacker would then charge you to restore data access. Attackers then evolved to target confidentiality. Hackers would steal files and doxx you by sharing them online, or hold information for ransom under threat of revealing it.
Now, Magee said hackers are coming for data integrity. There’s a new risk that hackers could break into a database and change private information, for example changing vaccination statuses in a hospital database or altering someone’s credit score. Magee explained that this kind of integrity attack could result in significant damage to someone’s life, creating prime opportunities to extract a ransom.
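The integrity attack described above is dangerous precisely because a silently edited row looks like any other row. One defensive control is to store a keyed integrity tag beside each record when it is written and re-check it on read or in a periodic audit, so a direct edit that bypasses the application is caught. The example below is added here to illustrate that idea; it is not code from the article, from Microsoft, or from any hospital system, and the records, field names and key are constructed for the demonstration.

```python
"""Detecting silent record tampering with keyed integrity tags (HMAC-SHA256).

Added illustration for the data-integrity discussion; not code from the
article or from Microsoft. Records, field names and the key are constructed.
"""
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment the key lives in a secrets
# manager or HSM, never in the same database as the rows it protects.
INTEGRITY_KEY = b"constructed-demo-key-do-not-use"


def canonical(record: dict) -> bytes:
    """Serialise a record deterministically so the tag is stable across reads."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag_record(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Return an HMAC-SHA256 tag that covers every field of the record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """True if the record still matches its tag (constant-time comparison)."""
    return hmac.compare_digest(tag_record(record, key), tag)


def audit(rows: list, key: bytes = INTEGRITY_KEY) -> list:
    """Return the ids of rows whose content no longer matches their stored tag."""
    return [r["id"] for r, t in rows if not verify_record(r, t, key)]


# Constructed sample: a tiny "patient status" table, tagged at write time.
ORIGINAL = [
    {"id": "p-001", "name": "A. Example", "vaccinated": True},
    {"id": "p-002", "name": "B. Example", "vaccinated": False},
]
TAGGED = [(dict(r), tag_record(r)) for r in ORIGINAL]

# Simulated integrity attack: one field changed directly in storage,
# leaving the stored tag untouched because the attacker lacks the key.
TAMPERED = [(dict(r), t) for r, t in TAGGED]
TAMPERED[1][0]["vaccinated"] = True


def demo() -> list:
    """Run the audit over the tampered copy; returns the flagged row ids."""
    return audit(TAMPERED)


if __name__ == "__main__":
    print("clean table flagged:", audit(TAGGED))   # []
    print("tampered table flagged:", demo())       # ['p-002']
```

Two caveats matter in practice. The tag only helps if the key is kept out of reach of whoever can edit the database, which is why it belongs in a separate secrets store. And as written the scheme does not notice a deleted row or an old, validly tagged (record, tag) pair copied back over a newer one; adding a monotonically increasing version number to the tagged record closes that gap.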
5. Security starts above the CEO
Like most critical initiatives, security needs to start from the top. But in this case, it goes higher than the CEO: it has to start with the board.
Magee explained that board members are often not within a company’s security infrastructure, and might use personal emails for highly confidential company information. Beyond being a security risk themselves, they are also critical in setting the company’s strategic agenda. If they deliver a “growth above all else” directive, it tacitly tells the CEO to take shortcuts or ignore long-term priorities in order to achieve short-term growth.
6. Cybersecurity should learn from accounting (no, really)
Following the stock market crash of 1929, the accounting industry developed the Generally Accepted Accounting Principles (GAAP). These standards made it clear what was required of a company to remain financially compliant, both as an organization and when handling customer information. For example, standards included the concept that one person would reconcile a balance sheet while another vetted the file for accuracy and compliance, which drastically reduced financial fraud.
Magee thinks the same thing needs to happen in cybersecurity as the industry is currently lacking a similar set of generally accepted standards. For example, the same IT professional who delivers a security patch to the company’s customer portal is the one who signs off that the patch was implemented correctly. Aside from malicious actors, this process leaves significant room for human error and massive vulnerabilities.
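The accounting control Magee points to is separation of duties: the person who makes a change is not the person who attests that it was made correctly. That rule can be enforced mechanically in a deployment pipeline. The example below is an added illustration of such a check, not code from the article or from any named organisation; the change records, identities and the artifact bytes are constructed.

```python
"""Enforcing a two-person rule for patch sign-off.

Added illustration for the separation-of-duties point; not code from the
article or any named organisation. Identities and artifacts are constructed.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Attestation:
    actor: str            # identity of the person attesting
    role: str             # "implementer" or "verifier"
    artifact_sha256: str  # digest of the patch this person actually reviewed


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_signoff(deployed_artifact: bytes, attestations: list) -> list:
    """Return policy violations for a change; an empty list means it may ship.

    Rules enforced:
      * at least one implementer and at least one verifier attestation;
      * no person appears in both roles (the GAAP-style two-person rule);
      * every attestation refers to the exact artifact being deployed, so a
        verifier cannot sign off on one build while another one ships.
    """
    problems = []
    digest = sha256_hex(deployed_artifact)
    implementers = {a.actor for a in attestations if a.role == "implementer"}
    verifiers = {a.actor for a in attestations if a.role == "verifier"}
    if not implementers:
        problems.append("no implementer attestation")
    if not verifiers:
        problems.append("no independent verifier attestation")
    overlap = implementers & verifiers
    if overlap:
        problems.append(f"same person implemented and verified: {sorted(overlap)}")
    for a in attestations:
        if a.artifact_sha256 != digest:
            problems.append(f"{a.actor} attested to a different artifact than the one deployed")
    return problems


# Constructed scenarios.
PATCH = b"constructed patch bytes v1"
PATCH_DIGEST = sha256_hex(PATCH)
STALE_DIGEST = sha256_hex(b"constructed patch bytes v0")

SCENARIOS = {
    "two_person": [Attestation("alice", "implementer", PATCH_DIGEST),
                   Attestation("bob", "verifier", PATCH_DIGEST)],
    "self_signed": [Attestation("alice", "implementer", PATCH_DIGEST),
                    Attestation("alice", "verifier", PATCH_DIGEST)],
    "stale_review": [Attestation("alice", "implementer", PATCH_DIGEST),
                     Attestation("bob", "verifier", STALE_DIGEST)],
    "no_verifier": [Attestation("alice", "implementer", PATCH_DIGEST)],
}


def demo() -> dict:
    """Evaluate every scenario; maps scenario name to its list of violations."""
    return {name: check_signoff(PATCH, atts) for name, atts in SCENARIOS.items()}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'OK' if not problems else problems}")
```

Binding each attestation to the artifact digest is what makes the check meaningful: a reviewer's sign-off on last week's build says nothing about the one being deployed today, which is the same reason an accountant vets a specific balance sheet rather than the idea of one.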
“[GAAPs] worked well to stem fraud in financial accounting. We need to think about how to do this in security,” said Magee.
Emerging solutions rely on shared resources
While there is currently no GAAP for cybersecurity, many businesses are starting to realize that they don’t have to work alone. Emerging solutions in cybersecurity leverage shared resources and rely on technology instead of humans to scale.
Magee said it’s easier than ever to share security resources with advancements in cloud infrastructure. Companies can build on top of a cloud provider, so they benefit from that provider’s security investments as well as their own. And cybersecurity professionals are already designing standards about who should access what information, and how work should be validated.
“A new generation of cybersecurity professionals are taking a first principles and entrepreneurial approach to the challenges of not only defending but creating and sustaining resilient organizations,” he said. “This requires investing in and developing disruptive technologies leveraging things like AI and SOAR (Security Orchestration, Automation and Response) that are purpose-built for defence.”
This investment will lead not only to more secure businesses, but also business opportunities.
“New solutions and startups are beginning to emerge with truly disruptive technologies that enable and empower defenders while also building profitable and successful businesses,” Magee said.