Don’t feel safe
With the ongoing war in Ukraine, startups feel more vulnerable to attacks from Russian hackers than before. But is it right? After all, these are small, fledgling companies with truncated budgets. And that gives you the right to assume that, on the one hand, they can’t afford the security that larger entities or corporations can afford, so they are easy targets, but on the other hand, they don’t necessarily have the resources (data, money or reputation) that cybercriminals are interested in.
– In my experience, an attacker has no idea what size organization he is attacking unless the attack is targeted. Typically, an attacker will conduct a reconnaissance of the organization in terms of the technical solutions used. Then he tries to gain access to resources using various methods,” says Witold Sobolewski, PhD, creator and lecturer of postgraduate studies related to cyber security at Lazarski University’s Center for Postgraduate Education.
In his opinion, the size of an organization does not matter to an attacker. Dmytro Budorin from Hacken, a consulting company, believes that smaller budgets, lack of security procedures and knowledge about threats and security features make the threat to startups bigger. However, this does not mean that corporations can rest easy. According to my interviewee, those entities that support Ukraine, e.g. by withdrawing their operations from Russia, are on the target of Russian hackers.
The weakest link
– It is important to be aware that cyber security and cyber warfare are not just about advanced technologies. More often than not, the goal is not to break hard security, because big companies invest huge budgets to make those security features better and better. The target is a man, who interacting with applications and programs is not aware that his own decision leads to data leakage – says Piotr Dębiec, venture partner in CyberQuant, the company, which raised 200 thousand euro for development of a tool to fight cyber criminals.
Hackers know that people are the weakest link in the security chain and they take advantage of it. Among popular attacks, Witold Sobolewski mentions phishing and spoofing, which in simple terms are based on convincing the victim to enter a fake website and leave their data there, which will be entered into the attacker’s database. From here, it’s a simple way to further exploration of company’s resources.
On the other hand, Dmytro Budorin suggests to consider also other forms of attacks. He believes that one of the popular threats is DDoS attack. It consists in hackers bombarding the infrastructure with a huge stream of traffic, which overloads the servers and results in the unavailability of the service, e.g. the website is inaccessible. They often then issue an ultimatum – “we will unblock the service for a fee…”.
How to defend yourself? Audit, procedures and technology
– Startups should train employees in cybersecurity so they can recognize basic forms of social engineering threats and know how to respond to them. Appointing a specialist responsible for monitoring and improving security is also an important preventive measure, says Dmytro Budorin.
In addition, he advises to regularly review the systems, as this will allow for the efficient identification of weak points and faults. In addition, he suggests reaching out to external auditors who have experience in cyber security.
– Naturally, there is no escaping the technical aspects of cyber security, the purchase of equipment and its proper configuration, or its subsequent management. Well implemented cyber security is also an aspect of procedures and policies, which must be developed and modified along with the growth of the company – adds Witold Sobolewski.
Secure development – but at what pace?
There is no doubt that data and IT infrastructure security is an important issue that every company should take into account. But one question arises. Won’t implementing procedures and reaching for technologies to increase a startup’s digital security sometimes slow down its growth? This is where you end up testing hypotheses, making pivots, and with them reaching for new technologies that are different than before.
– Being the first in the market to release a product does not mean being the one to ensure competitiveness. Hype in the beginning can lead to a huge fall later on. That’s why I think it’s better to postpone coming out with a product on the market than to launch a product with poor security,” says Dmytro Budorin.
Cybersecurity market an opportunity for startups
The growing number of cyber attacks is a threat. But only from one side. On the other hand, it may turn out to be an opportunity for those startups that want to grow in this market, and there is somewhere to go. According to Astute Analytica’s estimates, the value of the cybersecurity market was over $162 billion worldwide in 2021 and is expected to grow to $346 billion by 2027 – a more than 2-fold increase in just 6 years.
Other data also attests to the potential of this market. Momentum Cyber reports that last year was a record year in terms of capital raised by startups in this segment. In fact, it turns out that VC funds invested more than $29 billion in cybersecurity startups, which is as much as $17.5 billion more than in 2020.
The money went to over 1,000 projects, of which 84 deals were for amounts over $100 million. Among them, the record holder was Boston-based password security startup Transmit Security, which raised $543 million. What will the next year be like for cybersecurity startups? We’ll see. But we can already say that our homegrown projects are also adding to the value of deals done in the cybersecurity VC market. One of them is Secfense, which recently raised over $2 million.
Today at 3 p.m. on Radio 357 there will be another edition of the program’s broadcast entitled Firmament. This time the host and his guests will talk about how to create and run a company that is resilient to cyber attacks. You are welcome!