{"id":13161,"date":"2019-04-16T16:16:21","date_gmt":"2019-04-16T12:16:21","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/startup-cybersecurity\/13161\/"},"modified":"2019-11-15T15:22:21","modified_gmt":"2019-11-15T11:22:21","slug":"startup-cybersecurity","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/startup-cybersecurity\/13161\/","title":{"rendered":"Startups and information security"},"content":{"rendered":"

Startups tend to be created by people who burn with an idea and want to put it into action as soon as possible. Money is usually tight, and expenses run high, what with product development, promotion, and all the rest of it. When managing priorities, emerging businesspeople often neglect matters related to information security. This post is about why one shouldn\u2019t do that.<\/p>\n

A hacker\u2019s meat is a startup\u2019s poison<\/h2>\n

Many startups try to save on security, confident that a small company with limited resources holds no interest for cybercriminals. The truth is, anyone can fall victim to cybercrime. First, because many cyberthreats are massive in scale, their originators aim wide, trying to hit as many as they can in the hopes that at least some will generate a return. Second, commonly being weakly protected, startups present attractive targets for cybercriminals.<\/p>\n

Whereas corporations sometimes spend months to recover from a cyberattack, a small company may simply not survive one. In 2014, hostile cybercriminal actions brought about the closure of a startup called Code Spaces<\/a>, a hosting provider with tools for joint project management. The attackers accessed the company\u2019s cloud resources and destroyed a considerable portion of its clients\u2019 data. The service owners restored as much data as they could, but they were unable to return to normal operation.<\/p>\n

Mistakes that may cost you your business<\/h3>\n

To properly safeguard your startup, given a limited budget, you might want to build a threat model before you go ahead with the launch\u00a0\u2014 to figure out which risks are relevant for your business. Here, we help you by covering the typical mistakes of many first-time entrepreneurs.<\/p>\n

1. Lack of knowledge about personal data storage and processing laws<\/h4>\n

Many governments try to safeguard the security of their citizens. Europe has the GDPR<\/a>, and in the U.S. there are multiple acts for different industries and states<\/a>. All of these laws apply, regardless of whether you have read them.<\/p>\n

The punishment for breach of the related legal requirements may vary, but negligence is very likely to cost you a pretty penny: a fine at the very least\u00a0\u2014 and a big one, too. At worst, you will have to suspend operations until you\u2019ve eliminated any nonconformities with the relevant laws.<\/p>\n

One more important detail: Sometimes the law has a wider coverage than you might expect. For example, GDPR applies to all companies that handle European citizens\u2019 data, even those from Russia or the U.S. So the best policy is to study both your domestic regulations and those of your partners and clients.<\/p>\n

2. Weak protection of cloud resources<\/h4>\n

Many startups rely on public cloud services, such as Amazon AWS or Google Cloud, but not all of them use proper security settings for such storage spaces. In many cases, containers with client data or Web app code end up protected by nothing but weak passwords \u2014 and internal corporate documents can be accessed with direct links and are visible to search engines. As a result, anyone can get hold of critical data. Sometimes, in their quest to keep things simple, startups leave important documents available to anyone in Google Docs for good\u00a0\u2014 simply because they forget to restrict access to them.<\/p>\n

3. Unpreparedness in the face of DDoS attacks<\/h4>\n

DDoS<\/a> is an efficient way to down an Internet resource. On the darknet, such services are relatively inexpensive and therefore quite affordable both for competitors and cybercriminals, who need them as cover for more sophisticated hostile attempts.<\/p>\n

In 2016, a cryptocurrency e-wallet service called Coinkite was forced to close down<\/a> because of continuous DDoS attacks. According to its developers, they hadn\u2019t had a moment\u2019s peace since they launched the service. After holding out for several years, the company gave up and refocused on hardware wallets.<\/p>\n

4. Poor employee awareness<\/h4>\n

People are often the weak link in any given business. Attackers know it full well and use social engineering<\/a> tricks to penetrate the corporate network or fish out confidential info.<\/p>\n

Poor awareness is doubly dangerous for companies employing freelancers: It may prove quite a challenge to control what devices and what networks they use for work. Therefore, it is very important to motivate and steer all workers toward a security-focused attitude.<\/p>\n

How can your startup stay afloat?<\/h3>\n

To avoid exposing yourselves to cybercriminals and stay in business, give proper consideration to cybersecurity when mapping out your business plan:<\/p>\n