When do you think startups need to take care about cybersecurity? originally appeared on Quora: the place to gain and share knowledge, empowering people to learn from others and better understand the world.
Just a few years ago, technology strategy followed business strategy. Often, it was just a footnote in the business plan. That changed dramatically as technology has evolved into a disruptive advantage that enables a new startup to move faster than entrenched competitors. Today, the technology strategy often dictates the business strategy. It's the cornerstone for communication and collaboration for all of your employees, partners, suppliers, and customers.
Even if you aren't a tech startup, your emails, documents, communications with customers, financial records, intellectual property, strategic plans, budgets, marketing materials, etc. are all valuable to you - and may be even more valuable to someone else.
Let's imagine a common scenario that I've seen a hundred times as a consultant:
Your early stage startup is working on getting a product prototype to the MVP phase. You are seeking startup funds, and are working on detailed business plans and pitch deck. Somewhere along the way, one of the early employees or co-founders has had their email password compromised- either via a weak password, social engineering, or by clicking malware. It doesn't matter - someone is reading every email sent from the account, as well as every attachment. They may also have access to cloud document storage accounts and SaaS apps.
For weeks the attackers do nothing - they just watch silently collecting data. Over a period of days or weeks they work to quietly, moving laterally and gain more access. They may install a remote access tool on the employee's laptop or compromise another user's email account. They don't delete or destroy anything, and they cover their tracks as they go. At the same time, they look for potential buyers for your information - perhaps a firm overseas who sees the potential of the business and had an interest in replicating it. After all, the startup team is doing all the hard work for them.
As the startup team works on, the hackers monitor and mirror the progress. They see the code the startup developed to make the product work. The R&D for the product. The patent application draft being passed around for review. The results of the market surveys. They take all of it silently in the background and the startup team is none the wiser.
At some point the startup finally does get funded, and the team is close to perfecting the final product before launch. When they file the patent application, they discover that someone has already filed a nearly identical document. A search discovers that an identical product is for sale on a foreign website with near identical marketing. The competitor even took the logo design and product photos.
The startup team works to make improvements and decide on the strategy forward. While they are busy, a ransomware attack encrypts the most critical documents and they get an email demanding payment to get the data back. To make things work, someone has also logged into the payroll system and redirected a few paychecks to a burner card. The startup is bleeding cash, and investors are concerned.
The following week the suppliers begin receiving emails from the company canceling or modifying orders. The customers are receiving requests to redirect purchase orders to a new bank account. Malware is being sent to customers from your email addresses. High value customers also receive emails from a competitor offering a similar product. Amazon is flooded with nearly identical products at a cheaper price. The customer credit card database from the startup website is compromised. Then they get a letter from a law firm alleging your violating their clients patent seeking damages. Unable to deal with the onslaught, they shut down the business.
This isn't fear mongering: I've seen every one of these attacks scenarios in person. Cybercrime is rapidly becoming a major reason that small businesses fail. This happens to firms of every size, but smaller firms are becoming a preferred target as they don't have robust security capabilities.
The hard reality is that the vulnerability to the business starts as soon as you have an email address.
Startup founders need to think about information security needs right from the start. Cyber security planning needs to start with your business planning. You'll be far too busy to work on it "later", and trying to implement security controls once you've been breached is a nightmare. Every time you add a technological capability, you need to think about how you are securing it: email, sensitive documents, online accounts, bank accounts, SaaS applications. You have to think about detection, remediation, and recovery and have those capabilities in place before you need them.
Otherwise, you're just handing your business over to someone else.
This question originally appeared on Quora - the place to gain and share knowledge, empowering people to learn from others and better understand the world. You can follow Quora on Twitter, Facebook, and Google+. More questions: