How your small business could lose everything
Cybersecurity tips for start-ups and SMEs
Data security is rarely a high priority for any small or new business, and investors in startups hardly ever inquire into it – in fact, most probably know little or nothing about it. That’s a dangerous mistake.
Start-ups can have their brilliant ideas and hard work stolen, often without their even knowing it, particularly if they can be applied and built on in other countries. In my work in international expansion and as an “Angel” investor, I’ve seen several cases of new developments in far-away countries that look like carbon copies of businesses I’ve been invited to invest in in the UK. Not only do such developments risk closing down international markets to the original company, better-funded foreign copycats can become a parasite in their domestic market.
You can’t effectively patent software and ideas.
“First to market” usually wins.
Effectively defending against these threats demands a high level of preparedness. Entrepreneurs need to acknowledge cybersecurity risks and to take proactive measures to mitigate cybersecurity risks if their businesses are to survive.
These dangers – and what to do about them – were highlighted to me in a recent conversation that I had with Brad Smith of #TurnOnVPN.
He and others have created #TurnOnVPN as an activist group with a mission to promote free and unimpeded internet for all, and advocate for a safe, secure, and censor-free Internet.
Not so, Brad told me.
“Incidents of cyberattacks and data breaches are becoming increasingly common these days. According to the World Economic Forum’s 2019 Global Risk Report, data breaches and cyberthreats constitute some of the most serious risks that businesses around the world are facing. Cybersecurity concerns have jumped to the number one spot on the list of business concerns.”
“Cyberattacks are also growing in scope and severity”, says Brad. “For instance, the WannaCry ransomware attack in 2017 affected more than 200,000 victims in at least 150 countries. These attacks are harder to detect and almost impossible to come back from.”
Small Businesses Are More Vulnerable to Cyberattacks
But surely this is only a problem for big business, who can afford sophisticated data security measures?
“Actually small businesses bear the brunt of online criminal activity”, says Brad. “Large organizations are investing in robust cybersecurity infrastructure, making it harder for cybercriminals to break into their systems and steal data. Smaller businesses, on the other hand, base their cybersecurity budget on emotion and guesswork. Most of them, especially start-ups, don’t even have a cybersecurity budget.”
According to Brad, nearly half of all cyberattacks target small businesses. Start-ups are particularly vulnerable in their first 18 months of operation. “The consequences can be catastrophic”, Brad told me. “A recent Verizon report put the average loss per attack at around $200,000 – and said that 60 percent of small businesses don’t survive a cyberattack and fold within six months”.
The vast majority of start-up entrepreneurs believe that their businesses are too small to worry about cyberattacks or their data is not worth stealing.
“That is not true”, says Brad. “No business is too small to worry about cybersecurity. Since most start-ups don’t have adequate computer and network security, they’re an easy target”.
Brad went on to tell me about the most common cybersecurity threats start-ups face.
Phishing is the general term for any sort of social engineering where the perpetrator uses disguised tactics to trick the victim into sharing sensitive information such as usernames, passwords, or whatever it is the attacker is after. “Over 90% of cyberattacks targeting businesses are phishing attacks”, says Brad. “Phishing attacks can even be used to target a specific business, a tactic known as spear phishing”.
Malware attacks – and there are many kinds – are very common. “Cybercriminals take advantage of easily exploitable vulnerabilities in your system by launching a malware attack”, said Brad. “Ransomware is an increasingly common malware attack being used to terrorize small businesses. Forbes recently predicted a 300% increase in ransomware attacks in 2020, mostly targeting small businesses.”
The transmission of sensitive company information from within an organization to an external environment is known as a data leak. The ones that we hear about in the news are things like user credentials, card numbers and contact details, but it any kind of data held on a computer is at risk. “Whether intentional or unintentional, employee actions can lead to loss or exposure of valuable company data through data leaks”, says Brad. “Fintech start-ups that have interfaces with financial service providers are particularly vulnerable”.
Such cybersecurity risks are especially relevant to start-up entrepreneurs looking to expand their businesses internationally. Brad highlighted a particular problem. “Many outsource some duties and hire freelancers to meet labour demands”, and that escalates the risk of a cyberattack as malware could easily spread from a compromised employee’s or contractor’s device into a connected office network”.
The good news, I was told, is that there’s plenty that can be done to protect a start-up from cyberattacks, even from afar.
Mitigating Cybersecurity Risks for Start-ups
“Hackers have become very good at finding vulnerable systems these days”, says Brad. “They use automated scripts to find entry points to access valuable data. In the absence of cybersecurity protections, start-ups and other small businesses fall victim to these hacker bots more frequently”.
I asked Brad to recommend cybersecurity precautions SMEs can take to protect themselves from all these “cyberthreats”.
Create a Security Budget
Brad’s top recommendation is that every entrepreneur should have a cybersecurity budget. How much should start-ups allocate to their cybersecurity budget? “Well, that depends – there’s a limit on how much a business can afford to lose in the event of a cyberattack, and that’s unique to every business”. Key factors to consider are what use the company makes of customer data and how it monetizes that information.
“You need to identify, quantify, and prioritize the risks and vulnerabilities in your system”, says Brad. A risk assessment audit should look at all the different aspects of your system including hardware, laptops, customer data, and intellectual property. Assessing system risks and vulnerabilities will help pinpoint the specific cybersecurity risks that could affect these assets. “It’s always a good idea to hire an external consultant to carry out the audit”, advised Brad.
Deploy Antimalware Solutions
Antivirus and antimalware solutions are designed to protect your system from malicious code. Antimalware protects against threats such as viruses, trojans, worms, ransomware, and bloatware.
“You should also consider installing a virtual private network (VPN) for added protection against these threats”, says Brad. “A VPN creates a private network from a public internet connection guaranteeing online privacy and anonymity. VPNs are often used by corporations to protect sensitive data. Secure the network with a VPN to prevent DDoS attacks and provide an added layer of protection against other online threats”.
“Your employees could be the weakest link in your organisation’s cybersecurity”, Brad told me. “No matter how much you invest in security, hackers will always try to find a way in through the staff”.
Phishing and spear-phishing attacks work because of employees’ lack of awareness of these cyberthreats. “It’s essential to train your employees in cybersecurity best practices such as using strong, unique passwords, and how to recognize spoofed or malicious emails. Make sure that your employees know what to do in the face of an impending threat”, says Brad.
Restrict Access to Company Data
Negligent employees and contractors may put company data at risk too. “It’s always safer for start-ups and other small businesses to limit access to company data”, says Brad. “If you have to share sensitive credentials with third-party vendors or other entities, don’t forget to revoke these privileges when these relationships come to an end”.
Update Your Software Regularly
Like everything else in the tech world, cyberthreats are constantly evolving. “Newer threats are more damaging and harder to detect”, says Brad. “Having the latest software updates is essential to your start-up’s digital safety and cybersecurity. Software patches come with the latest security definitions and ensure that your system is protected from the latest threats”.
Brad also advised that all systems should be checked regularly to make sure that they are running the latest software versions, that antivirus and anti-malware updates are downloaded and installed as soon as the provider sends out the alert.
Consider outsourcing IT Services
There’s clearly a lot to worry about, yet start-up entrepreneurs and most SMEs simply don’t have the resources or time to invest in a robust cybersecurity set-up. On the other hand, the risks that Brad outlined to me are far too grave to leave a business unprotected.
“Consider outsourcing IT security duties to a professional service provider with extensive experience of dealing with cyberattacks and data breaches”, advises Brad. “It’s a convenient and reliable way to protect your company’s data, leaving you to focus on finding more customers and expanding your business”.
There is more information about TurnOnVPN at https://www.turnonvpn.org/
Grow through International Expansion is not associated with this group in any way but endorses the contents of this article.
Oliver Dowson offers subscribers to growinternational.org free introductory consultancy on any aspect of international expansion – just get in touch using our contact page