Web and mobile apps are now a dime a dozen as more ventures join the rush to roll out the next killer app. According to AppBrain, there are nearly 2.8 million apps on the Android market to date. Search for a particular interest or functionality and there are likely a dozen or so web and mobile apps that would pop up. The volume and pace of app creation lead to a sizable percentage of poorly developed apps; almost a quarter of users abandon an app after first use.
What is worse, these bad apps can leave users exposed. A study by Codified Security found that 40 percent of published apps leave vulnerable backdoors that can be exploited by attackers. These vulnerabilities can leave user data exposed or allow malicious actors to gain access to computers and servers used in testing and development.
The competitive nature of the industry demands that ventures ship software quickly. However, shoddy coding and careless testing can leave the venture and its users exposed to cyberattack risks with potentially disastrous ends. The issue becomes even more pressing as new technology trends such as the wider adoption of financial technology and internet of things (IoT) devices are set to bring forth a new wave of apps and services.
Security must be at the center of all tech startup activities.
1. Threats are rampant.
2016 had no shortage of high profile cyberattacks that involved large tech companies, internet infrastructure providers, banks and government institutions. But, for every big name company, there were numerous other smaller organizations that also suffered attacks. Among the top threats that persist today are ransomware, distributed denial-of-service attacks (DDoS) and data breaches.
Ransomware is consistently identified by security firms such as Kaspersky as a top threat to organizations. Ransomware is malware that encrypts a computer's or network's files. Attackers then demand a ransom from victims in exchange for a chance of getting their files back.
DDoS attacks seek to deny access to a website or service by overwhelming its server with traffic. The biggest DDoS attack on record happened last year when DNS provider Dyn was hit. The outage also affected popular sites and apps that were under Dyn’s network such as Netflix, Spotify and The New York Times.
Among these attacks, data breaches pose the real threat to end users. Stolen confidential information is commonly shopped around to criminal entities on the dark web. Data containing personal, financial or proprietary information can return a profit when sold on the black market. Sites and apps that store customer information are prime targets for such attacks.
2. Getting attacked is costly.
Any form of downtime or disruption is costly for any business. Network security solution Incapsula estimates the cost of downtime caused by DDoS attacks to an ecommerce site to average $40,000 per hour. Other attackers also perform DDoS attacks for ransom knowing that companies may be willing to pay in order to avoid the costs of downtime.
An IBM and Ponemon Institute study says that each stolen record costs the company $158 in damages. Getting hit by a data breach can heavily impact a company's valuation as well. The sale price of Yahoo! has dwindled since its disclosure of past massive data breaches. Verizon asked for a $350 million discount after the data breaches were publicized.
As for ransomware, while attackers may only ask for $722 on average, getting locked out of critical files can be catastrophic for organizations that do not have backup systems in place. There is no assurance that access will be restored even if the ransom gets paid.
Beyond the outright financial impact, businesses also risk loss of customer trust and reputation when hit by cyberattacks. For a startup, such fallout can sink the whole venture before it even gets off the ground.
3. Tech startups should have higher standards.
Businesses get exposed for a variety of reasons. Non-tech startups are especially vulnerable. Often without dedicated personnel to oversee the proper use of IT resources, it is common for computers and networks to be left unsecured. Lack of training on fundamental IT security practices also leaves staff vulnerable to social engineering attacks such as phishing, which in turn pave the way for more serious attacks.
Tech companies should know better. If they intend to market themselves as experts with superior products, they should be making security a critical part of their work. A good portion of a tech startup's effort goes into product development, so ensuring that its software is secure is vital.
Mirai, the malware responsible for a number of massive DDoS attacks last year, exploits unsecured IoT devices and uses them to carry out attacks. Many of these devices, which include IP cameras and network devices, were poorly designed and lacked security features that could have prevented Mirai infections. Leaving security out of the product design and taking shortcuts in product development can have serious consequences.
The Codified Security study also revealed that app vulnerabilities are often due to careless coding. Developers may leave information such as server credentials in their published code. As some apps use the same server instances when they go live, access to those servers can ultimately compromise all server data which, by that time, may already include customer information.
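As an added illustration of the leftover-credential problem the study describes (this is not code from the study or from any app it examined), the following Python check scans source text for credential-looking strings so a release gate can refuse to ship them; the patterns and the sample config module are constructed for this example and are not exhaustive.

```python
"""Scan source text for hardcoded credentials before an app ships.

Added example, not from the cited study: a minimal pre-commit style check
that flags the kinds of secrets developers leave in published code.
The patterns below are illustrative signatures, not a complete list.
"""
import re
from typing import List, Tuple

# Each pattern is named after the kind of secret it matches.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(
        r"(?i)\b(password|passwd|pwd)\s*[:=]\s*['\"][^'\"]{6,}['\"]"),
    "db_connection_string": re.compile(
        r"(?i)\b(mysql|postgres(ql)?|mongodb)://[^:\s/]+:[^@\s]+@"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def scan_source(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, secret_kind) for every line matching a pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, kind))
    return findings


def gate_release(text: str) -> bool:
    """CI gate: True only when no credential-looking strings were found."""
    return not scan_source(text)


# Constructed sample of an app config module with the kind of leftovers
# the study describes; every value here is a fake placeholder.
SAMPLE = """\
API_BASE = "https://api.example.test"
DB_URL = "postgres://appuser:S3cretPassw0rd@db.internal.example/app"
AWS_KEY = "AKIAEXAMPLEKEY0000AB"
password = "hunter2hunter2"
timeout = 30
"""

if __name__ == "__main__":
    for lineno, kind in scan_source(SAMPLE):
        print(f"line {lineno}: possible {kind}")
    print("release allowed:", gate_release(SAMPLE))
```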
Making security a priority
So how can tech startups mitigate these risks?
For developers, security should be a fundamental consideration in the software design. Code should be vigilantly reviewed in order to track down vulnerabilities which can be exploited. It is critical to subject all software to intensive QA, and testing should not be skipped in favor of accelerating shipping or launch dates.
Organizations should perform security audits to identify vulnerabilities in their operations. Educating staff on best practices ensures that IT resources are used in a secure manner and that no company or customer data gets compromised. Tech ventures should also be implementing security measures to cover other business activities, especially those that involve customer data, such as sales and marketing.
Customer information should be held in the strictest confidence. Startups owe it to their customers to safeguard the privacy and security of those who entrusted the company with their business.