Startups + lack of Cybersecurity culture = #Cyberhacks

Posted by Ray Mercedes | Scott Myers | Raymond Norwood on Mar 26, 2020 11:41:31 AM

group of young business people having fun, relaxing and working in creative room space at modern startup office

Pattern Group, a boutique consulting company with a full product offering for fast-paced startups recently conducted some research to understand the challenges that Startups face in the cybersecurity space.  Here are some highlights of our research and interviews. 

More than half of companies hacked are startups. Business spread opens up risk when resources are spread thin.  Startups that lack expertise in this area become easy targets. 


A recent report by KMPG shows that 51% of small businesses do not understand their risk, while only 33% of them feel entirely prepared for a cybersecurity breach. (KPMG).


Some recent reports claim that

70% of the companies hacked were small and medium-sized businesses.  Another huge problem companies face is the loss of reputation. 


The KMPG report shows that 89% of the small businesses that have experienced a cyberattack confirmed that it affected their reputation, and therefore future growth potential.

All victimized companies will suffer immense brand damage that may prevent them from both attracting new and retaining loyal customers or more importantly securing their next round of funding.


Every business is a potential treasure trove of information for hackers. It is entirely possible that many startups don’t properly secure their customer and employee data, such as credit card details due to the lack of scale in their operations and lack of expertise.


From the devastating malware attacks like WannaCry and Petya last year to the latest, KRACK – that makes practically every Wi-Fi vulnerable to hackers – the business world has been made painfully aware of the importance of cybersecurity.


A startup has an advantage that it is starting from scratch, which makes it easier to incorporate a security-orientated approach as a part of conducting everyday business operations. It is an interesting

observation in many startups that they assume cybercriminals only target larger organizations. The fact is that startups are not exempt from cybercrime and breaches.


Startups may lack an adequate budget for security, but some steps can be taken with a smaller budget to mitigate and control risks. 


A startup needs to pick the most important and crucial objective and build a cybersecurity posture that keeps their business and their customer’s data safe and secure.  A general understanding is that many security threats and vulnerabilities come from within an organization.  A lot of cyberattacks have a root cause in some form of employee negligence, in which some reports put the root cause of all breaches at 80%.


Here is a checklist of security activities startups should implement:

business checklist

1-Risk or vulnerability assessment every year and implement key controls for high risks assets.


2-Endpoint security protection on desktops, laptops, mobile devices, and other connected devices.


3-Unified threat protection or next-Gen firewall for network protection.


4-Security scanning of external-facing high-value assets, both at the network level and at the application level.


5- Security monitoring for assets that have sensitive data or intellectual information.


6-Manage user identities and access on a need to know basis.


7-Stronger authentication for privileged and high-risk accounts.


8-Business Continuity Planning (BCP) for critical processes.  Information security awareness and training for all employees.  It is important to understand the consequences of weak cybersecurity infrastructure. 


The ramifications of suffering a hack vary and mainly fall into the same categories of financial and reputational loss.  Startups usually employ very few people and have a close-knit working environment; therefore, there is an easy opportunity to implement a culture of high awareness that drives towards best practices on security.


Now, let’s have a look at External Cybersecurity Risk -


1-Malware, Phishing, DDoS attacks, Ransomware; these are some of the viruses and methods used by hackers externally to gain access to websites, software, or network.


2-After entering network infrastructures, these cyber-criminals remain inside the system, sometimes for months and even years unnoticed, and continue to extract information. 


3-Penetration tests help startups and help create proper security guidelines, and gives some of your top client’s visibility into your cybersecurity posture.


4-Internal Cybersecurity Risk -

Internal data leaks often stem from employees. It could occur accidentally or due to malign intentions. 


5-The main objective for cyber-criminals is to steal the credentials of an employee or admin and then move through your infrastructure with complete access to all of your data. 


6-This is where education and training on cybersecurity become extremely valuable for all employees as well as your IT leadership staff.


7-Internal cybersecurity breaches often let your competition know about your organization’s trade secrets and can directly leak your inside information. 


8-External cybersecurity risks could involve something link-restricted or no-access-to-systems related until there is a  demand for ransom executed by the hacker. 


In either case, your company would suffer monetary and reputational damage.  If an organization doesn’t have an internal cybersecurity team it must use external resources to prevent and mitigate these potential loss risks.  A new business is often not aware of the threats posed by a weak internet security framework.  The damage that can be done could potentially eliminate the very idea of the business itself.


We understand the challenges startups face because we invest in startups, and the calls we field from some founders are scary.  With the right partner, your startup can mitigate these risks.


Schedule a Cybersecurity call with an Expert