Payne and Associates - Cybersecurity for Startups

The Problem

Cyber Criminals, Ransomware, and Hacktivism

Gone are the days when businesses only had to worry about a few fringe characters trying to break into their systems. Today's threats come at you as automated attacks, funded by criminal enterprises, intent on extorting your profits. Some of you may also have to deal with hacktivists, intent on damaging your site to bring you hardship or bad press, or to force you to change your business practices.

The unwary can find their systems hacked within minutes of being placed onto the internet. One of my clients measured how often they were rejecting requests to their B2B website: 6 times a second, or roughly 500,000 times a day. The hackers are out there, and they're poking at your defenses all the time. Eventually, they will get in.

When a small or even medium-sized business suffers a major breach, particularly if it's a service business, that can spell financial disaster. When this does happen, and it's not uncommon, the impacted business is generally closed within 8-9 months of the breach. This may not apply to very 'sticky' B2B companies, but B2C companies are decidedly at risk for an early end.

If we take as true that the attackers will get into your systems, then early detection, and a plan for stopping/containing and removing the intruder and returning things to normal, needs to be a major focus of your security program. Yet many companies spend the vast majority of the security budget on controls which only focus on blocking breaches - things like firewalls, VPNs, and the like. They nearly ignore installing good detection measures to catch likely breaches early, and also the planning and testing of response procedures for when those detections fire. Shifting some resources to detection and recovery planning will almost certainly limit damage and losses from breaches.

Financial Risks related to Cybersecurity and Data Privacy

Risks related to cybersecurity and/or data privacy attacks fall into several broad categories related to both financial and reputation losses. The direct costs relate to:

We tend to equate "breach" with "data disclosure". This is certainly not always the case. For example, crypto-miners, intent on stealing compute time on your systems, can have an enormous financial impact in very little time if they can spin up a fleet of the fastest, most expensive machines available under your IaaS account to do their mining calculations.

Recent statistics suggest that the average time between when an attacker gains access to your systems, and when they've extracted and/or encrypted your data is less than 48 hours, down from about 7 days a few years ago. You can imagine where this trend line is going.

And there are indirect risks as well:

Finally, there are other longer-term risks related to poorly implemented security and data privacy:

Understanding Risks

Risk is the likelihood of a specific "bad" event occurring, multiplied by the cost to the company if it does.

Ascribing a concrete percentage of likelihood to some 'bad' event is very difficult, especially for new companies. Established companies which have already suffered computer crime have a better idea of what sorts of things have happened to them in the past, and how frequently. That helps us understand likelihood better. We can also look at security research that has been able to draw conclusions about the sorts of attacks that have been occurring against specific market segments. This can sometimes also help clarify the likelihood for a given company.

Quantifying risk costs can be a difficult process, except where the costs, or reasonable estimates for them, are known. This is the case for things like costs per user when financial records are breached. In some cases, estimating costs may require an understanding of which data privacy or cybersecurity laws apply to your company, or will soon. In many US states there is a minimum number of users, within that state, before the law applies. In Europe, China and many other jurisdictions, that's not the case. There, a single EU-based user can expose your company to all the requirements, and to the remedies that individuals or regulators may impose.

Defenses to reduce risks

There are many best practices in the areas of security and data privacy. Some of them will apply to almost every company. But many will have no direct applicability for smaller businesses, or businesses which don't depend on processing much data for their profit.

One common mistake is to spend resources exclusively on controls intended to block/prevent problems. This is great - if it works. However, if your controls are incomplete, you'll have no idea that the data has been breached until the FBI shows up at your door... Monitoring of critical data is an absolute necessity if you wish to notice breaches early, when you can still stop them before lots of data is gone.

For these smaller businesses, you can likely reduce that set of best practices down to a much smaller set.

For businesses with significant amounts of critical data, data regulated by privacy laws, data regulated by finance laws, etc., you'll want more security controls in place.

A good starting point would be any of the general security audit regimes such as SOC2 in the US, or ISO/IEC-27001 for more internationally focused businesses. These audit regimes are fairly similar in their requirements/recommendations, and for the most part cover the same areas of interest. Even if your business is not a B2B business, basing your security practices on the applicable parts of these audit specs would be a good choice. The requirements are broken down into a number of different areas including things like "access controls", "HR controls", "secure coding", and "system acquisition controls". There are often 15 or more areas in a given general purpose audit regime.

Profit or Revenue enhancing Security and Privacy

All companies are increasingly concerned with the security of their suppliers in the digital space. As a result, suppliers which can show their customers, first, that they have security in place and, second, that those controls are adequate, will be seen as more trustworthy and less likely to cause their customers cybersecurity or data privacy problems. This can lead to improved sales numbers, and to sales with larger, more security-oriented enterprise B2B customers.

In the privacy space, recent research shows that some types of businesses can expect a 25% increase in "intent to purchase" when the end user is given more ability to control and understand the use of their own personal data. Who doesn't want 25% more revenue!

Let me help you create a Security/Privacy Strategy

Having a strategy will get your company to a place where costly security breaches are minimized. If you are in some industries, or if you're a B2B company, your privacy features and practices can increase your profits.

Let's get you looking like this guy below, and to a point where you don't need to worry so much about the cyber criminals.

To schedule your 1 hour free consultation, click here.