Why Hackers Target Startups
The Federal Bureau of Investigation reports a 400% surge in online crimes since the pandemic began and Americans’ activities moved increasingly onto the internet.
“The profitability for criminals is through the roof,” explains Melissa K. Ventrone, leader of the Cybersecurity, Data Protection, and Privacy team at Clark Hill, an international law firm. “Companies will pay millions of dollars to get their data back."
Compounding the problem, businesses with distributed workforces aren’t catching issues as quickly. “There’s none of that social interaction about threats, like ‘hey, does that look odd?’ So when damage happens, it’s more extensive."
“I worked with a client who had multi-factor authentication (MFA) on an account someone compromised. The employee got tired of the request ‘authenticate this, authenticate this.’ So she just hit ‘authorize.’”
Hacking: From ARPANET Worries to SolarWinds
Vulnerabilities like this date to the dawn of the internet, when an engineer raised red flags prior to the 1967 launch of ARPANET, which later became the technical foundation for the internet. Those fears manifested 30 years later: a hack traced to the Russian Academy of Sciences invaded military facilities and stole data.
Today, the U.S. government is still reeling from multiple breaches. Skilled, coordinated attackers spent months piggybacking on updates for SolarWinds, a network-monitoring tool. Some experts questioned over-reliance on a handful of third-party vendors, especially with so many people working from home during the pandemic. Others renewed calls for a global treaty on cyberwarfare. President Joe Biden says his administration will impose “substantial costs” on those responsible. In a statement, he stressed: “A good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place.”
His approach echoes the advice of cybersecurity experts: it’s easier to bake protection in than to retrofit it.
Startups Face Greater Risks
“Think of security, privacy, and the resiliency of information at the beginning,” Ventrone says. “Once you’ve been working for a couple of years, it’s extremely hard to go back and re-architect your system. Make security part of the culture, not an add-on.”
This remains especially important for startups, which sometimes rely on a “flat network” that’s not segmented or firewalled. If an attacker gets in, they can take out the entire system. Additionally, early-stage startups don’t have long-standing reputations and customer relationships to help them weather turbulence.
No one is safe anymore, stresses Pieter VanIperen, managing partner at PWV Consultants and a New York University adjunct professor of code security. Hackers often avoid large corporations with robust security and target newly launched businesses that might have budget constraints or a lack of knowledge. “They [hackers] no longer care how much your business is worth, they want whatever information they can get.”
Biggest Threats & Solutions
“Cyberattacks most commonly involve malware,” VanIperen says. “This includes ransomware, worms, viruses, etc. Malware can get on a device via a phishing scheme where the user clicks on a seemingly legitimate link that opens a backdoor to their system. It is generally easier to trick a person than a well-protected server.”
He also flagged bad configurations and failures to patch as a trend in 2020, along with poor application security, which can invite a SQL injection attack.
In an ironic twist, COVID-curbing measures increase the risk of digital viruses and other intrusions, according to a guide co-authored by Attorney and Certified Information Privacy Professional Sara H. Jodka. “Cybercriminals love a good crisis to manipulate and exploit… they also use newly-implemented technologies to try to penetrate a business’s systems,” she writes. Areas of vulnerability include:
- Remote access, via personal and company-owned devices, on home or public networks
- Increased phishing (fraudulent attempt to obtain sensitive information or data) and other scams, which have recently led to the infiltration of platforms like Google Workspace and Office 365
- Fraudulent invoices, which replace contractors’ bank-wire details with hackers’ information
- Privacy concerns about teleconferencing apps, which stretch far beyond trolls Zoom-bombing
- Employees exposing sensitive corporate information via tools like Siri, Alexa, Google Assistant, and Ring cameras
Preventative measures include MFAs, remote-access devices, and encrypted virtual private networks. Also, VanIperen advises: “have security in place—antimalware/antivirus software that regularly checks for known vulnerabilities. Secondly, consult an expert! Third, have an incident response plan to deal with a security attack or breech.” He recommends Identity Access Management controls as well. “Employees should only have access to the systems they need in order to do their jobs.”
A Year Of Unique Obstacles
The world faced unprecedented challenges from the pandemic in 2020, including an explosion of cybercrimes like ransomware and phishing. But one of the greatest vulnerabilities—distributed workforces—can be turned into a super-strength.
Invest in your people, Ventrone explains. “Companies tend to spend a lot of money on technology and not as much on training. But it’s one of the least-expensive, biggest-return security controls you can put in place. Train [employees] on what phishing looks like and what encryptions look like at the start. They’re the ones who will see if something is happening, who can respond and protect the environment.”