Surviving the First Year: It’s Risky Business Being a Startup

Posted on behalf of Brian Burch

There were 388 million entrepreneurs globally starting or running a new business last year.[i] These startups play a huge role in our economy and are leading the recovery in job creation – 85 percent of all new jobs in the European Union between 2002 and 2010 were created by small businesses,[ii] while 70 percent of new jobs in the U.S. come from startups and young businesses.[iii] But being a startup is no walk in the park. It takes more than a brilliant idea, a solid team to work on it and an endless supply of single-serve coffee for a startup to survive and thrive.

Your business is at its most vulnerable when it’s just starting out – finances are often on a knife-edge, you worry about who to trust with your business plan and who to hire. But risks go beyond poor cash flow and personnel – in today’s digital economy, information is money, and cybercriminals are stealing whatever information they can from businesses large and small, young and old. Startups are not escaping their attention. In fact, the largest growth area for targeted attacks last year was businesses with fewer than 250 employees; 31 percent of all attacks targeted them in 2012, a threefold increase from 2011.[iv]

What makes startups so attractive to attackers?

First, you’re seen as easier targets. As soon as a new business is formed, creating an online presence is of immediate importance – you depend on having a website up as quickly as possible to start driving traffic and conducting transactions. Many new websites are designed without considering security in detail, so they are particularly vulnerable to attackers, and for a startup business the effects can be devastating. Even if no financial information or sensitive data is lost as a result, an attack can put a website down for weeks on end – or worse, infect your customers’ computers.

And it’s not just your own assets that cybercriminals are after; smaller businesses can also be a gateway to larger enterprises that depend on small businesses for the goods and services that keep their businesses running. The top 500 global businesses have an average of 60 alliances each.[v] We’re seeing an alarming trend where the small business increasingly is not the final target of an attack – it’s just a stepping stone. The bad guys are sneaking in the back door, through their small business partners, to infiltrate bigger corporate targets.

The First Year

You may think that being new to the market means you have some time before attackers will notice you, but you’d be wrong. Cybercriminals are quick to capitalize on new businesses. Once the Web domain is set up and the first emails or IMs are sent or received, attacks begin on user accounts almost immediately. These attacks can take many forms. Some of them you are already familiar with, such as spam emails that contain malicious links. Web-based malware also abounds, hijacking machines that visit infected websites. In 2012, the number of Web-based attacks increased by 30 percent.[vi]

Within two months a typical user account will receive dozens of spam emails, among which are a few malicious messages. By the time the business is five months old this increases to hundreds of spam messages containing dozens of malicious links or attachments. Some businesses experience severe ‘spikes’ because their domains have shown up prominently on cybercriminals’ radar; this can be due to an employee simply using their work email account to register for a forum or blog used by hackers to harvest email addresses. Within 10 months malicious messages expand to other accounts throughout the company, each of which only needs to click on one innocent-looking message to potentially compromise your information.

Figure 1. Spam and malware per user in first 18 months (source: Symantec, Is IT Security the Achilles’ heel of your Small Business?)

 In addition to these broad, general threats there are more sophisticated targeted attacks, whereby criminals identify specific individuals within an organization and tailor their tactics accordingly, often through a well-researched spear phishing campaign. These attacks are successful because they are highly believable. The targeted individual thinks they are participating in a completely legitimate business email conversation, but which was carefully engineered to dupe the user into clicking a link or opening an attachment which contains the payload.

What can you do protect your big idea?

A new business that is not properly protecting itself against attacks is taking more risk than necessary because it takes just one successful attack early on to tarnish your reputation before your business is even off the ground properly. Startups must plan for complete information protection out of the gate. Consider these five tips to start right:

1. Know what you need to protect. The first step is do not think of yourself as small, at least not when it comes to your technology needs. Startups should carefully consider their market segment. A pizza shop may have relatively little in the way of IT resources, beyond a couple registers and the need to protect customer payment information. On the other hand, even a small financial services company is in an industry with strict encryption requirements that require they know and demonstrate where data is being stored. Their needs might be more closely aligned with a large enterprise. Startups should hold candid conversations about their needs with technology providers, to ensure that they receive the level of security appropriate for their business.
2. Secure your online activity. One of the best ways to safeguard your new business and your customers is by protecting your website with strong authentication and Secure Sockets Layer (SSL) certificates. The Internet is full of malicious websites that look legitimate, but aren’t. These sites steal information when would-be customers try to make payments. Having an SSL certificate authenticates the identity of your new business and is a visible indicator that you consider security important, instilling confidence in your website’s visitors. The SSL certificate also enables encryption, which means that the sensitive information exchanged via the website cannot be intercepted and read by anyone other than the intended recipient.
3. Use anti-malware software. While securing the Web domain is typically higher on the list of things to do, securing email and endpoints is too often a secondary consideration, making startups vulnerable to a variety of other threats. And, anti-virus alone is not enough. Today's security solutions do more than just prevent viruses and spam; they scan files regularly for unusual changes in file size, programs that match known malware, suspicious e-mail attachments and other warning signs. It's the most important step to protect your information. And, stay up to date. A security solution is only as good as the frequency with which it is updated. New viruses, worms, Trojan horses and other malware are created daily, and variations of them can slip by software that is not current.
4. Harness the cloud. Moving security to the cloud is more than just a cheaper way to tackle a necessary expense. With cloud-hosted security, startups can quickly and effortlessly protect your business – these solutions are easy to install and easier to manage. Most security issues occur because systems haven’t been patched and aren’t properly configured. By using cloud-hosted security, everything happens seamlessly over the Web and updates take place automatically, so you know you’re always protected against the latest viruses or malware. The cloud is also ideal for backup, protecting against damage or loss of data that is stored on-premise. It also typically requires less capital outlay than purchasing an on-premise solution, and reduces the ongoing costs of in-house management. Cloud-hosted security and backup provide the same level of protection whether you’re a large enterprise or small business, so without major investment your startup can be as well protected as multinational corporations.
5. Find a trusted partner.Cash-strapped startups typically don’t have IT staff to help them with protecting their information. Take advantage of the growing number of managed service providers (MSPs) who are sprouting up to deliver backup and security services. These MSPs are utilizing the same cloud technology to deliver a better lower cost solution, with minimal need for employee management. “Set it and forget it” should be the goal, particularly since you likely will not have permanent IT presence. You should also look for a provider that can supply a full range of technologies, including anti-malware, Web security, backup, encryption and data loss prevention.

So what’s the bottom line? While you’re burning the midnight oil to make your brilliant idea a reality, cybercriminals are working night and day on new attack vectors. And, when you consider that four in five small businesses experience an IT security incident in their first year[vii], it’s clear that startups need to view cyber security as a critical investment that is part of the entire business set-up process – as vital a step as getting your business license and buying computers. Today’s startups can benefit greatly from comprehensive solutions that effectively block threats across email, Web and IM to keep you and your information safe. Otherwise, you’ll be unnecessarily exposed to danger from the day your domain goes live.