Why Startups Should Consider A Cyber Resilience Strategy
The Middle East offers enormous opportunities for startups but as new businesses grow, so does the opportunity for cybercriminals.
The more organizations there are, the more users there will be, which increases the number of entry points for criminals to infiltrate organizations and make off with money or confidential data. So, how should you protect your startup in 2019?
Firstly, it's becoming easier to set up shop, with the UAE recently announcing a 10-year visa for entrepreneurs and scientists. With falling rents, solid infrastructure and a central geographical location, it's likely that the coming year will see more entrepreneurs flocking to our shores.
These startups need to keep costs low while letting their teams focus on their day jobs. Yet, startups are so focused on growth, they can sometimes neglect the right level of data security, not realizing that a breach or downtime can have serious long-term implications. Startups strive for simplicity and are far more likely than many established organizations to use outsourced IT services from the cloud.
Step one for a startup business is often to find an email and collaboration solution. In our region this is typically Microsoft Office 365 or Google G Suite. Software startups often also host data inside these services rather than setting up infrastructure. For a startup, this data is the future of the company, the intellectual property that could be the difference between success and failure. These environments soon become the lifeblood of the organisation as it grows, so they need to be protected quickly and easily; security and availability are essential. According to IBM's 2018 Security report, data breaches cost companies in Saudi Arabia and the UAE $163 per lost or stolen record. The loss of data can impact reputation, trust and customer loyalty, all of which have financial implications and can even cripple a startup if a significant volume of data is stolen.
So, how do startups protect these critical applications?
Attackers turn their attention to easy targets
Cybercriminals will shift focus to weaker countries, industry verticals and small businesses that lag in their adoption of more advanced cyber defences. Companies, particularly in the Middle East and Africa, often assume their security is sufficient without realizing that the threat landscape is drastically shifting. This is particularly true for small and medium businesses. Attackers will shift their attention from larger organizations because smaller businesses have the right combination of Intellectual Property (IP) and money but have limited security maturity. This makes them easy targets for cybercriminals who tend to follow the path of least resistance. In 2016, PWC revealed that the Middle East was the region most prone to cyber threats. And while most large organizations have improved their cyber defences by investing in improved technology, skilled resources and better processes, what we're finding is that smaller organizations are still failing to invest in adequate protection.
More effective, not different, cyberattack types
Email – it's the number one method to attack global organizations of all sizes, even governments. Our threat research teams expect email attack execution to improve in 2019, as criminals continue to hone their techniques. Threats are becoming incredibly tricky to detect as phishing attacks are becoming more advanced and criminals are becoming smarter with social engineering. Gone are the days of receiving emails that were easily identifiable as fraud. Criminals now spend time researching their victims online and send highly targeted emails that often impersonate colleagues, partners or suppliers. Most users don't think twice about clicking on a malicious link or attachment infected with ransomware or a virus, because the email is so cleverly crafted. Without close inspection it's hard to spot the suspicious email address or unsafe URL, and if the employee's CEO or CFO is being impersonated, it's possible that the receiver could hand over confidential data or make a wire transfer to the criminal's account.
Every startup needs a plan for how it will appropriately protect employees from email attacks. Having a robust awareness training programme is important. Cybersecurity needs to become everybody's responsibility and an effective awareness training programme can dramatically lower the risk of cyber breaches by changing the behaviour and security habits of all your employees. According to a global Mimecast and Vanson Bourne study, cybersecurity awareness training is conducted continuously by only 11% of global organizations.
Monetization of data breaches
Password re-use by employees now creates significant risk due to the large array of highly successful, high-profile data breaches over the past few years. From Equifax to Facebook, eBay to JPMorgan, hackers have made off with sensitive data for hundreds of millions of user accounts. Just recently, Marriott announced that its Starwood database was hacked, affecting approximately 500 million guests, one of the largest breaches in history. Many of these victims were from the Middle East as the hotel operator has dozens of hotels in the region and is planning a rapid expansion.
We're likely to see cybercriminals use stolen credentials from the past few years' data breaches to compromise the security of even the most secure organizations. Even companies with good cyber protection have little protection against the reuse of passwords that have been collected in other breaches. Criminals might have user information of an employee in your business, which means you could be a target.
Intelligence informs resilience
Threat intelligence is now within closer reach of growing startups. This can help you better deploy the right security controls and prioritize which known vulnerabilities should be mitigated first. As a lean organization, you might lack the budget, resources or skills for threat intelligence but that doesn't mean you can't outsource to your trusted IT partners and vendors.
We can't predict exactly what 2019 threats will look like, but we can confidently say that risk to critical business operations will continue to increase. Every organization, whatever its size, needs to ask the hard "what if" questions about business continuity. Startups should consider a cyber resilience strategy, ensuring they have the right defences before an attack, can minimize disruptions during it and can quickly recover data afterwards.