Small Fish Beget Big Fish: How Lackluster Cybersecurity Plans May Be Affecting Your Bottom Line
March 02, 2022
- Working for a startup often means you’ll wear many hats, some of which you lack experience in. When tasked with overseeing a company’s cybersecurity plans, many startup employees lack the professional background to make the right decisions.
- Hackers know that startups and SMBs are easy targets. By breaching the startup’s database, they gain information that makes it easier to attack large companies. As a result, these large companies are more thoroughly scrutinizing the cybersecurity practices of potential partners.
- Remote work has complicated the threat landscape. IT professionals face new and unique challenges that come with employees using various devices the company has not vetted to complete their work.
Cybersecurity threats continue to surge, and while the media focuses on high-profile data breaches involving companies that are household names, there’s a growing concern that early-stage startups and small to medium-sized businesses (SMBs) are easy targets.
On top of that, hackers are becoming increasingly industrious with their strategies. Just recently, reports surfaced of a new phishing scheme that uses links at the end of YouTube videos to spread malware.
In our increasingly digital-dependent landscape, nobody is safe.
“It’s not a question of ‘if,’ but ‘when’ you will get attacked,” warns Brian Fritton, co-founder and CEO of Havoc Shield, on an episode of Burkland’s Startup Success Podcast.
He discusses why cybersecurity insurance isn’t a foolproof solution, how cybersecurity strategies impact revenue and how COVID-19 has changed the threat landscape.
Don’t get too comfortable: Your cybersecurity insurance will only kick in if you’re taking the right steps
Many SMBs and startups discount the importance of taking security precautions. After purchasing cybersecurity insurance, leadership pushes the concern to the back of their minds, believing they are financially protected. It’s a short-sighted approach and not just because of the reputational harm that can come to a business whose systems have been infiltrated.
Insurance companies are getting savvier. If companies aren’t following the insurance provider’s requirements, policies are likely null and void.
“You might get some coverage,” says Brian. “But if you can’t prove that you’ve done enough with your efforts to protect your business and protect your customers, they might not pay at all. [Even with insurance], you’re substantially more at risk of having to pay for the impacts of a breach than ever before.”
It’s a frustrating and discouraging reality for startups.
Often the individual given stewardship over a company’s cybersecurity plans has little to no training in the area. Unfortunately, it’s a reality of startup culture that early-stage employees wear numerous hats, which is one of the reasons startups and SMBs have become such a desirable target for cybercriminals. Fewer safety measures in place means easier access.
As threats become more rampant and creative, businesses must adapt their strategies.
You’re not just risking your safety, you’re also risking your revenue
Protecting yourself and your company against cybersecurity attacks isn’t just about protecting your data. Your revenue is also at risk.
Beyond the possibility that insurance policies may not kick in due to negligence, you’re also potentially losing out on business because you lack a plan.
Small fish are the gateway to big fish
Hackers are known to target smaller businesses whose services support more prominent companies. These “squishy targets,” as Brian calls them, are much easier to infiltrate due to a lack of resources and skeleton crews.
By hacking into systems that serve larger organizations, cybercriminals gain access to information that makes it easier to then pursue the actual, intended target.
It’s a strategy that large companies are well aware of, and it’s the reason that B2B startups are now asked to complete cybersecurity questionnaires as part of the vetting process.
Assessing your risk can be make-or-break
These lengthy, complex and jargon-filled forms can be challenging to navigate when a startup lacks the knowledge base to speak confidently about its cybersecurity measures.
Companies want to ensure their partners:
- Have a cybersecurity program
- Train staff on cybersecurity issues
- Have backups in place
- Follow industry-specific compliance standards
Assessments extend far beyond determining whether or not your company has antivirus software installed on your computers. If you don’t pass the test, you won’t land the contract.
Many startup companies don’t invest in understanding these issues and cannot speak to them in depth. But to underinvest in this area is short-sighted and will cause your company to lose out on a lot of business, particularly with large-scale companies.
“From a revenue perspective, using security as a competitive advantage is a strategic route that smart businesses are taking,” explains Brian. “We’ve proven this with a lot of our customers who put our trust badges on their website and list their policies on a security page. That conversion rate from traffic to trial goes up.”
The magnification of cybersecurity in the age of coronavirus
The importance of prioritizing cybersecurity measures has only grown with the adoption of remote and hybrid work. Companies are more vulnerable than ever before due to three unique problems that have emerged since businesses had to adapt their practices in the wake of COVID-19.
1. Personal devices create additional risk
When employees use personal computers and other devices to conduct their work, they’re putting the company’s data (and their personal information) at heightened risk. Especially in the healthcare and financial industries, this is a crucial issue that needs to be taken seriously.
Not only is company information being accessed through unvetted programs and devices, but it’s also more challenging for the company to monitor security and assess threats when devices are used that IT teams can’t directly access.
2. SaaS products aren’t automatically trustworthy
The switch to remote work was sudden. Businesses had little time to prepare for the shift. Unfortunately, this meant that many companies scrambled to identify software solutions that would allow teams to work remotely.
At the time, leadership embraced whatever solved the immediate problem without considering the safety and security risks that came with the product.
The assumption that all SaaS companies on the market are automatically secure is a critical misconception.
Sometimes the solution can be as simple as turning on multi-factor authentication, but safety measures like this are often not active in the software’s default mode and have to be turned on.
3. Stress heightens human error
Living in a global pandemic is stressful. With heightened social isolation and ongoing uncertainty, many individuals struggle with mental health. The new challenges that come with life during a pandemic present their own security risks.
Brian shares a typical example familiar to many working parents: When a child’s daycare closes unexpectedly for the day due to COVID-19 exposure, the parent is now suddenly juggling childcare with work commitments. That heightened stress can affect decision-making.
When individuals are stressed, their judgment is impaired, making them more susceptible to social engineering attempts and other strategies used by cybercriminals.