Cybersecurity for Startups: Why Small Businesses Can be Big Targets for Cybercrime

By Brendan Franca

BC Law EIC Student

April 2023

Cyber-attacks have become an inevitable reality of today's online world. Criminals target organizations in every industry, extracting sensitive customer data to sell on the dark web or locking down computer systems until a ransom is paid [1]. These attacks have grown in both sophistication and frequency since COVID-19 established remote work as the new normal [2]. 2022 saw a series of high-profile attacks, with the average data breach costing companies over $9 million [3]. But it is not just big businesses that are vulnerable. Startups are not immune from cyber-attacks, and founders should not assume that their businesses will fly under the radar.

In fact, many cybercriminals see startups as prime targets. Startups do not usually have the resources of a large company, such as dedicated information technology staff, enterprise-level security tools, and a thorough understanding of cybersecurity risks [4].

Cyber-attacks also carry more severe consequences for startups. Businesses can face loss of revenue from suspended operations and even lawsuits from customers who have had their personal data compromised. Furthermore, the reputational damage from an attack can erode customer trust and reduce interest from investors. For these reasons, an estimated 60% of small businesses close within six months of a cyber-attack.

Startups can take several steps to build an effective cybersecurity strategy and reduce the risk of cyberthreats.

Conduct a Risk Assessment

The first step of a solid cybersecurity plan is conducting a comprehensive risk assessment. This will allow a company to understand the threats it faces and develop a plan to protect itself against them. A startup should take stock of the types of data it handles, evaluate the current security measures in place, and identify any gaps or vulnerabilities that can be addressed.

As part of this assessment, startups should also ensure they are complying with applicable cybersecurity laws. The United States has no single law regulating cybersecurity, but there are several laws that apply to specific operations. For example, the Children’s Online Privacy Protection Act regulates how websites directed at children collect, use, and/or disclose personal information.[5]

Data Encryption and Backups

Startups should regularly back up all critical data to ensure it is not lost in the event of a cyber-attack. It is best practice to keep these backups encrypted and stored on a secure cloud server or an external hard drive.

Secure Passwords and Two-Factor Authentication

An estimated 81% of data breaches result from stolen or weak passwords.[6] Startups can protect themselves by setting minimum password requirements so that passwords are unique, complex, and difficult to guess. In addition, all accounts should be secured with two-factor authentication. This provides an additional layer of security in the event that sign-in credentials are compromised.

Check the Security Reputation of Vendors

Startups often must rely on outside vendors for many of their operations, such as cloud computing and payroll services. These vendors can have extensive access to sensitive company data. It is essential to monitor what data vendors have access to, how the data is used, and whether they have adequate security measures in place. Startups may want to include security provisions within their vendor contracts to set minimum expectations.[7]

Be Prepared for Failure

No cybersecurity strategy will guarantee protection from cyber-attacks. It is therefore essential to have a plan in place specifying how a company will respond to a security breach. This plan can include assigning certain individuals to a response team, outlining steps to isolate the problem and minimize damage, and establishing procedures for restoring data from backups. Having this plan in place can help reduce panic and allow a company to resume operations as quickly as possible. Startups should also consider purchasing cyber liability insurance to offset the cost of business interruption.

When drafting an incident response plan, companies should also be aware of state notification laws that may be triggered by a cyber-attack. For example, Massachusetts requires businesses that handle personal information of Massachusetts residents to notify the Office of Consumer Affairs and Business Regulation when they learn of a security breach.[8]

Conclusion

It is critical for founders to be proactive in developing a cybersecurity strategy to protect the assets of their growing businesses. Having strong security protocols in place will allow startups to safeguard their reputations and operate with confidence.