Why startups are easier targets for cybercrime (and what founders can do about it)

Cybersecurity Phone

Even after big fundraises and significant traction, startup leaders have to focus as much as possible on revenue and growth. In many cases, this means putting other operational considerations like cybersecurity on the backburner. Unfortunately, a high level of publicity following fundraising coupled with lax security protocols means open season for cybercriminals.

In an interview with BetaKit, Microsoft Canada Chief Security Officer Kevin Magee explained why startup leaders need to think about cybersecurity differently – and how they can prioritize security without impacting growth potential.

Cybersecurity is a business value problem

Security is often discussed begrudgingly in startups, viewed as a potential cost-centre if not a distraction from higher priorities. However, it’s a critical element of startup survival. A single data leak could destroy trust with early customers, souring a potential market. A clever hacker could drain a bootstrapped company’s resources before anyone notices something is wrong. The solution, said Magee, is to think of cybersecurity differently.

“Limiting loss is everything for a startup,” said Magee, adding that startup leaders should think of cybersecurity as a way to keep the company safe while it grows.

Magee advised startups to focus not on the arrows of cybersecurity attacks, but the archer.

The problem with brushing off security work as a cost-centre, said Magee, is that it ignores the opportunity cost of lost business due to poor security operation. Many enterprises and governments assess a startup’s security protocols before buying, meaning startups could lose procurement deals at the finish line if their security is not up to snuff.

Further, VCs and even non-institutional investors now check on a startup’s security protocols before investing. They know the fines a company can incur for not following privacy or compliance regulations and the huge financial risk of a breach. Magee indicated that it can be hard for startup founders to conceive of their company getting hacked, but blowing the diligence process with a customer or investor is a much more tangible problem to avoid.

Focus on the archer, not the arrow

For those startups taking cybersecurity seriously, Magee explained that many try to plan for all possible “arrows:” the different types of attacks they might have to face, such as ransomware or an email phishing scam. However, Magee said the best way to build a successful risk portfolio is by thinking about the “archers:” the types of attackers who might want the data or resources you have.

A good risk portfolio should identify the biggest threats to your company – for example, a vaccine research company might face threats from nation-state actors trying to get a vaccine formula, while an ecommerce DTC brand might face threats from individuals trying to steal money or materials – then start building a two-pronged approach to increase your cybersecurity base:

  1. Build up your defenses so it’s harder or more expensive to hack your systems.
  2. Secure your internal ecosystems so even if one area is breached, other areas of the company remain secure.

The idea is to make your company more trouble than it’s worth for the archer to choose you as its target.

As a baseline, Magee recommended a couple of best practices, such as multi-factor identification and privileged ID management on a zero-trust model. He also cautioned all companies against thinking that money alone can guarantee security, encouraging them to focus on the highest priority risks first, just like any other business challenge.

“I don’t think you can spend your way out of these problems,” said Magee.

Building a culture of security with digital empathy

Unfortunately, security within companies large and small is often a name-and-shame game: breaches are an example of someone “messing up” rather than an opportunity to work collaboratively and identify the root cause of the problem. All this approach does, said Magee, is push potential problems underground, causing a higher uptake of shadow IT and people hiding mistakes.

For startups that want to create a true security culture, Magee recommends cultivating what he calls “digital empathy.”

This kind of collaborative approach – one that focuses on community building and cultivating inclusion – is also exactly what cybersecurity leaders across Canada say the ecosystem needs in order to grow.

For Magee, a culture of digital empathy starts with some best practices:

  • Use mistakes as an opportunity to learn. Focus all efforts on solving the problems that a mistake caused. From there, dig into the root cause of the mistake and use it as a way to educate staff on the correct (and safe!) way to do things.
  • Don’t expect everyone to be a cybersecurity expert. Use tools that make it so employees don’t have to constantly think about security to be secure. For example, Single Sign On (SSO) makes it simple to sign onto secure programs and difficult or annoying to remember passwords for everything else, so people are more likely to comply.
  • Think of shadow IT usage as a feedback mechanism. If someone is using a piece of software outside the company’s portfolio, Magee said to “recognize they use the tool because they have a need.” With that mindset, Magee said to ask employees why they started using an additional platform. You’ll either have an opportunity to educate employees if your existing technology has the same feature, or you’ll learn something about your team’s needs, which could result in bringing that shadow IT platform into the fold.

If you’re a new company or haven’t had significant cybersecurity issues, Magee suggested taking a ripped-from-the-headlines example and running table-top exercises, role-playing through your company’s approach to see if how your team and company would respond to the problem or situation.

“It’s a great opportunity to train people, set culture, and generate ideas on how to do things better for the organization,” said Magee.

An investment, not a cost

Cybersecurity can cost money, but Magee advises startups to think about it in terms of an investment, not a cost. The money you spend should produce a return for your business in the form of both secure data and new business and investment opportunities.

It’s not just about dollars out the door, but the overall resources (time, energy, and money) that you put into cybersecurity. This is also why it’s so critical for founders and boards to prioritize security: it sets the tone for the rest of the organization. It’s a big investment, but done well, it keeps a company safe for years to come.

“If founders don’t prioritize security, no one else will,” said Magee.

Feature image courtesy of Unsplash.

Stefan Palios

Stefan Palios

Stefan is a Toronto-based entrepreneur and writer passionate about the people behind tech. He's interviewed over 100 entrepreneurs on topics like management, scaling, diversity and inclusion, and sharing their personal stories. Follow him on Twitter @stefanpalios or send an email to stefan.palios@gmail.com.