Cyber attacks on start-ups may fly under the radar in the media, but they can be just as devastating as any assault on a high-end firm.
Earlier this year, I met a start-up founder affected by ransomware — a malicious virus that locks up and encrypts a company’s data. He did not elaborate, but he must have clicked and followed the link in a phishing email in his inbox. Typically, that’s all it takes.
He had a choice. He could pay $45,000 to free his data or he could start from scratch. A bleak proposition considering that a $45,000 loss can ruin a start-up. I believe the individual ended up paying the ransom to restore his system, but this example cements the need for start-ups to consider security sooner rather than later.
In my role as CEO of a risk consultancy firm, I hear of a major breach of a company’s infrastructure — whether by individual hackers, industrial espionage, organised crime, or nation-state actors — on an almost daily basis.
Large corporates are all heavily invested in cyber security. They understand the importance of co-ordinating their security efforts at a C-suite level and investigating and mitigating attacks against their company infrastructure.
An often neglected community when it comes to cyber security is the thriving start-up scene. There is a distinct lack of awareness surrounding the protection of digital information and potential threats faced by young companies.
Penetration testing and resilience may seem boring and unnecessary to the average SME. However, a company’s reputation, and possibly existence, depends on prioritising the issue from the conception through to delivery of the company’s product.
As a start-up begins to scale, this issue starts to escalate. Gaining traction, international growth and raising capital are all triggers that will draw hackers to test a start-up’s security.
A cyber security breach can be damning for a start-up. They face the costs of repairing their networks and plugging the vulnerability so it can’t be exploited again. Then there are potential legal costs from companies or consumers who may want to pursue you for not protecting their data. Regulators may want their slice too.
Aside from the obvious business implications, start-ups all have a duty of care to their investors and their users to ensure their data is protected and remains private. The backlash from a breach inevitably leads to brand damage. Investors may also be wary before committing to your business.
In fact, we’ve noticed a trend of more venture capitalists and investment funds requiring a level of cyber security and testing before investment or collaboration with a start-up.
Australia has the ability to lead the way on this issue. Securing Australia’s start-ups will assist in making Australia one of the best places to do business in cyberspace and will ensure our start-ups remain competitive in the global economy.
New businesses need to meet a high standard for cyber security, not only to protect their networks, products and intellectual property, but because they have a duty of care to their customers to ensure their personal information remains private and secure.
In the end, good cyber security is just good business.
- Shannon Sedgwick, CEO, Global Media Risk
As published in The Australian