We’ve heard of being “too big to fail” – what about “too small to be hacked”?
Despite their small user bases and smaller bank balances, startups are three times more likely to be targeted by cybercriminals than larger businesses.
The stereotypical masked hacker bringing down tech giants and stock exchanges isn’t the most common enemy. Amid global political unrest and an explosion in reliance on digitisation, hackers are also hunting smaller game.
Hackers know that scaling startups lack sophisticated infrastructure and defences. They know that a small company’s banking and accounting systems come with fewer safeguards than tightly locked-down corporate accounts.
There’s no honour among thieves. Critical, human-focused infrastructure like health care, food distribution, and energy make up 25% of hacker targets. Cybercrime is far from just a corporate issue – governments have their work cut out for them too.
Complex problems, complex solutions
Australia’s track record of addressing cyber threats is fairly strong. The Cyber Security Strategy was implemented in 2016 to “secure our prosperity in a connected world”. It invested $230 million over four years into building a ‘cyber smart nation’ with stronger defences and wider reach.
But cybercrime still costs Australia over $1 billion each year, and counting. 67,500 reports were made during the 2020-21 financial year – a 13% increase from 2019-2020. That’s one incident nearly every eight minutes.
This month, in a world first, the issue was given its own minister. Clare O’Neil, Minister for Home Affairs, now also holds the newly created portfolio of Minister for Cyber Security – the first position of this nature to exist among G20 nations.
The truth is, we don’t yet have the sophistication to protect our nation’s small businesses. Startups and SMEs must take matters into their own hands. But where do you turn if you don’t know how to defend yourself – or even what you’re defending against?
Giving startups access to world class cybersecurity
If you are a digital business, you have a cyber risk profile. If you store and handle customer data, you have a responsibility to protect it.
CTRL helps ASX 100, Fortune 500, and other scaling businesses understand exactly what this means and how to do it. It uses a trusted partner model that, in Head of Growth Sahand Bagheri’s words, is “very different to the short term view and transactional model most of the market has not moved away from”.
Each startup has a unique risk profile, so CTRL always takes a tailored approach. But despite every startup founder carrying risk, few grasp the importance of addressing it.
We spoke to Sahand to unpack the mystery and understand the urgency. And we started by asking:
What does cyber security actually mean?
Cyber security is a practice in risk management, and a way to provide assurance to your investors, stakeholders, and customers that their data is safe and well protected.
What kind of threats are we dealing with here? ‘Script kiddies’? Black hats? Hacktivists?
The threats are very broad. There are many sorts of “threat actors” out there. What we’re looking at is not so dissimilar to movies. The deeper you go in terms of analysing the threat landscape, you find their level of sophistication, resources, the tools available to them get much bigger, and the damage they can do is huge.
You can have a group of activists like Anonymous who combine their expertise and resources to address a philosophical cause. Or you can have a nation-state that combines powers from different departments and disciplines, from military to intelligence to tech, to conduct whatever they need to do.
This threat landscape exists because the world is very complicated. In this context, cybersecurity is a domain for war. Many nations are currently at war, but we’ve moved away from the classical interpretation of the word – from weapons to technology.
Society does not understand what data really means and the value it has. But when you understand what can be done with it, what it means in the bigger picture… A lot more people would take it seriously.
How do these threats vary depending on industry?
Every industry is very specific in their profile and how they’re designed. In the logistics industry for example, there’s a lot of interconnectivity with IoT (Internet of Things) devices. Ecommerce websites are heavier on BYOD (bring your own devices – employees using personal smartphones and laptops to connect to their organisation’s networks). Some are heavily cloud-based.
So the way each company has built their business and what makes it tick operationally is different. Hackers will design a strategy to get what they need based on that.
One thing we have to appreciate is that it’s getting a lot more sophisticated. The tooling used, the application of automation, artificial intelligence… It’s highly tailored and it’s being done at scale. Hackers’ strike rates are only going to get better unless we improve not only our defences, but our awareness of what cybersecurity is and how to identify attacks.
Why do startups need to be concerned, and not just larger enterprises?
Small businesses typically just get caught in the crossfire. There are hackers legally operating out of some countries – whether it’s Thailand or Eastern Europe – who are there to systematically conduct phishing and vishing campaigns to scam people. They write code that spreads far and wide – they cast a wide net. And small businesses get caught.
Startups and small businesses are often part of the game as opposed to direct targets. They have a very small digital footprint compared to enterprises – what hackers can get out of it is really not much. But if their defences are weak, it’s low-hanging fruit.
Can you give examples of incidents that have had really bad consequences?
There are a lot. It’s always in the news. I think we’re numb to it now, because it’s very hard to truly understand the value of your data until it matters, especially as it relates to the concept of privacy as a human right.
Society does not understand what data really means, so when they read ‘British Airways got hacked’ or ‘Red Cross got hacked’, they can’t connect the dots. But when you understand what was procured, what can be done with it, what it means in the bigger picture in terms of the agenda of the hackers… I think a lot more people would be afraid.
Which industries do you think are lacking in their defences?
This is hard. I’m talking more as an observer as opposed to someone in the weeds – but the health industry is in a critical situation.
Think about how many things are connected to the internet when operations are happening. You can take those down. You can alter the blood pressure showing on the gauge. You can change someone’s information in the booking system. You could mislead. It’s very possible if the intent is there. Several hospitals have been attacked over the last two to three years.
What about VC and the investment side? What’s the threat level there?
Not that many VCs have been hacked. VCs typically have great controls when it comes to allocating capital. When you give someone money, there are a lot of checks and balances along the way. It’s much harder to trick a VC into doing something as opposed to hacking, for example, a simple invoicing system.
The one thing with VCs is: if they have shoddy and poorly managed controls around their devices, you can very quickly leak their terms, along with valuations of the companies they’ve invested in. Those companies have to send back reports on a quarterly basis for the VCs’ health checks. That’s potential reputational damage, if not financial.
Who do startups need on their team to get cybersecurity up and running? Can they lean on their IT departments?
IT and cyber are very different disciplines that should be segregated in a perfect world. There is an overlap in the Venn diagram, but they require different skill sets. Cyber should be fundamentally driven by the board and the CEO.
It has many layers to it, but the guy taking care of your printers is probably not the best guy to be doing your security code reviews. They shouldn’t be making capital allocation calls on what defence solutions you need and how to automate them. They’re completely different fields. It’s like getting a ping pong player to play tennis.
Let’s talk budget. How should a founder approach finding the funds to be cyber secure?
We need a fundamental shift in that view. It’s not a cost centre, it’s a business enabler.
If you view it as a cost centre, you’re just going to kick the can down the road. But if you look at it as a growth enabler – in terms of business valuation, customer acquisition, reputation, then I think you make better decisions along the way.
If you scale too fast and you’ve completely forgotten cyber, you’ll have to pay consultants crazy money to come and fix things up.
You will have less of a debt to pay in the future on uplifting your cyber posture if you get it right from day one.
Let’s get to your process. How do you risk-test a new client?
Penetration testing is a big pillar of our services. What that means is companies pay us to hack them.
We hack them using the best and most relevant methodologies out there. We also replicate what hackers do. We go on forums and read their posts about successful attacks they’ve done, the tools they’ve used, and everything in between. We apply a real-world sort of application to penetration testing – it’s a real life simulation without going all the way and causing business disruption.
How do you figure out what a startup needs from there?
Startups are tech-enabled from day one now, from design all the way to the environment they’re built upon. Few founders use legacy or on-premise systems – they’re all on the cloud. That’s been a big transition over the last decade.
We’ll look at the data they’re holding and transacting, their role in society, how their applications are used. What are the honey pots of data? And then look at what they have to adhere to – applicable law, applicable standards and/or regulations. From there, a plan can be drawn up on what they need to do to comply. It’ll be based on where they need to allocate capital on solutions, protective measures they have to purchase, the kinds of staff they have to hire.
Can you expand more on the ongoing strategy behind your interactions?
As for an actual strategy, I’m more of a traditionalist. Cybersecurity is not a list of bullet points to follow and you’re fine. It is a highly sophisticated discipline. There’s a lot of human psychology involved within it. A lot of strategy, a lot of architecture. It’s a lot of different work across many different disciplines.
Security needs to be woven in from day one. Simple stuff, like if you’re writing code, you do a security code review. If you’re pushing new app features, do a pen test before going live. If you’re an e-commerce website doing a lot of transactions, you want to make sure your gateways are safe in terms of the API.
A lot of the work we do with founders is writing up and developing their Incident Response protocols. We do a readiness assessment of their environment and how quickly they can detect an incident. We conduct a threat simulation exercise with their team and board. And then we observe how they do things based on different scenarios, and update their Incident Response protocol.
From there, we create their action playbook.
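One concrete instance of the “make sure your gateways are safe in terms of the API” point above is verifying that an inbound payment-gateway webhook really came from the gateway before acting on it. The code below is an added illustration, not code from the article or from CTRL. It assumes a generic scheme (modelled on common gateway designs, not any specific provider’s): the gateway sends an `X-Timestamp` and an `X-Signature` header, where the signature is an HMAC-SHA256 over `"<timestamp>.<raw body>"` keyed with a secret shared when the endpoint was registered. The secret, header names and the sample event are all constructed for the example.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed for this example; a real secret is issued by the gateway and kept
# in a secrets store, never in source control.
WEBHOOK_SECRET = b"constructed-demo-secret-do-not-reuse"
MAX_SKEW_SECONDS = 300  # reject events more than 5 minutes old to limit replays


def sign_payload(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """Signature the gateway is assumed to attach: HMAC-SHA256 over "<ts>.<body>".
    Used here both for verification and to build constructed test input."""
    msg = str(timestamp).encode() + b"." + raw_body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, raw_body: bytes,
                   now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Checks freshness first, then the HMAC over the
    raw request bytes. The raw bytes are signed, not the parsed JSON, so the body
    must be parsed only after the signature has been verified."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "missing or malformed timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside tolerance (possible replay)"
    provided = headers.get("X-Signature", "")
    expected = sign_payload(secret, ts, raw_body)
    # compare_digest is constant-time, so response timing leaks nothing about
    # how many leading bytes of a forged signature happened to be right.
    if not hmac.compare_digest(provided, expected):
        return False, "signature mismatch"
    return True, "ok"


def handle_payment_event(secret: bytes, headers: dict, raw_body: bytes,
                         now: Optional[int] = None) -> dict:
    """Minimal endpoint logic: reject anything unverified, otherwise return the
    fields the order system would act on (amounts in minor units)."""
    ok, reason = verify_webhook(secret, headers, raw_body, now)
    if not ok:
        return {"status": 400, "reason": reason}
    event = json.loads(raw_body)
    return {"status": 200, "order_id": event["order_id"],
            "amount_cents": event["amount_cents"]}


if __name__ == "__main__":
    # Constructed sample event and headers, as the gateway would send them.
    ts = 1700000000
    body = b'{"order_id": "A-1001", "amount_cents": 4999, "status": "paid"}'
    headers = {"X-Timestamp": str(ts),
               "X-Signature": sign_payload(WEBHOOK_SECRET, ts, body)}

    print("genuine:", handle_payment_event(WEBHOOK_SECRET, headers, body, now=ts + 100))
    # An attacker who can reach the endpoint rewrites the amount but cannot re-sign.
    tampered = body.replace(b"4999", b"1")
    print("tampered:", handle_payment_event(WEBHOOK_SECRET, headers, tampered, now=ts + 100))
    # The same genuine message replayed ten minutes later is also refused.
    print("replayed:", handle_payment_event(WEBHOOK_SECRET, headers, body, now=ts + 600))
```

The ordering matters: the freshness check runs before the HMAC so a flood of stale replays is rejected cheaply, and the body is only parsed once it is known to be authentic, so a malformed or oversized payload from an unauthenticated sender never reaches the JSON parser. A replay window still needs a short-lived cache of seen event identifiers if the gateway can legitimately retry inside the tolerance.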
Regulations are changing all the time. Can founders really be expected to keep on top of them?
If you’re a good founder, you just do it. If you understand your business landscape, you already know what regulations you have to comply with to win that client’s work or that big partner opportunity. It’s the same with security.
If you have good foresight, understand risk, and manage it accordingly so that when regulations do come it’s not a very expensive endeavour to comply, then you’re going to be in a much better position. New regulation isn’t coming in once a week – it’s more like every six months.
Do you have any final key takeaways for founders?
Embrace security by design from day one. Understand its positive impacts and consequences. You will have less of a debt to pay in the future on uplifting your cyber posture if you get it right from day one. This helps if you want to secure investment or sell the company. It’s a great way to get the right certifications and build a good reputation in the market.
The pain of regret is worse than the pain of discipline here. If you’re disciplined and you go through the hassle of preparing, you’ll be very happy when an incident occurs, because you’ll know exactly what to do and how to manage it quickly. I suppose it’s like insurance in that way.