When Startup Founders Should Start Thinking About Cybersecurity
Most investors aren’t demanding cybersecurity preparedness from startups, but founders should still be worried about the risks.
It was a tale of two startups.
“A company that I invested in — about, oh, five years ago — happened to be in the proptech [property technology] space,” said David Rose, managing partner at Rose Tech Ventures, during a panel at Cybertech NYC last week. The property tech startup he was referring to helped people build their credit by paying their rent with credit cards. “So it was a really cool company, [and] it was going great. And then it turned out they had been hit by scammers, who were setting up fake buildings and fake credit cards, using them [for fraud]. And the entire company blew up because of that.”
Another company from one of Rose’s protégés had a similar idea and business model, but because the company had better security, it was able to grow. “So you see a company that had really interesting ideas, demonstrated a great potential, smart guys, but the company got killed because of cyber,” Rose noted.
Startups are valued for their forward thinking, their financials, and their talent. Investment negotiations rarely, if ever, break down over the issue of cyber preparedness. Yet, clearly, an incident can be catastrophic to a promising but volatile new business, and anecdotal evidence suggests investors and founders alike are starting to take that risk seriously.
The Threat to Startups
Volt Typhoon, the Chinese advanced persistent threat (APT) du jour, has compromised critical infrastructure providers across sectors, including Internet service providers, electric utilities, wastewater treatment, and energy, on multiple continents, targeting military organizations along the way. Its tradecraft ranks among the most capable of the known APTs. But a few weeks ago, it went after a different type of prey: a startup.
Versa Networks attracted a lot of attention with its secure access service edge (SASE) software-as-a-service offering and raised $120 million in pre-IPO funding in October 2022. Less headline-grabbing was a bug in Versa Director, the management platform for its software-defined wide area networking (SD-WAN) technology (CVE-2024-39717). The vulnerability, rated "high" severity with a CVSS score of 7.2, allowed Volt Typhoon to push a custom, credential-harvesting Web shell through Versa Director, and from there to breach four Versa customers in the United States and one in India.
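The bug class behind that intrusion is an upload endpoint that accepts a server-executable file where it expects an image, so the attacker's "favicon" becomes a Web shell. The following is an added, generic illustration of that class and its fix; it is not Versa's code and says nothing about Versa's implementation. All function names (weak_save, safe_save, detect_format, demo), the size limit, and the sample inputs are assumptions made for the example; the script-like sample is a constructed stand-in, not a real payload.

```python
"""Added example: a 'favicon' upload handler in its vulnerable and hardened
forms. Generic illustration of the unrestricted-file-upload bug class;
not the code of any product named in the article."""
import os
import secrets
import tempfile

MAX_BYTES = 64 * 1024            # assumption: a favicon never needs more
SIGNATURES = {                   # magic bytes of the only formats accepted
    b"\x89PNG\r\n\x1a\n": "png",
    b"\x00\x00\x01\x00": "ico",
}


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def weak_save(web_root: str, client_name: str, data: bytes) -> str:
    """Vulnerable pattern: trusts the client-supplied file name, performs no
    content check, and writes into the directory the app server serves.
    A name ending in .jsp/.php therefore lands where it will be executed."""
    path = os.path.join(web_root, client_name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def detect_format(data: bytes) -> str:
    """Return the image format detected from the bytes, or raise.
    The client name and Content-Type header are deliberately ignored."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("too large")
    for magic, fmt in SIGNATURES.items():
        if data.startswith(magic):
            return fmt
    raise UploadRejected("not a supported image format")


def safe_save(store_dir: str, data: bytes) -> str:
    """Hardened pattern: size and magic-byte check, server-chosen random
    name and extension, and storage outside the served tree. Even a
    polyglot that passes the magic check cannot be reached as a script."""
    fmt = detect_format(data)
    name = f"{secrets.token_hex(16)}.{fmt}"
    path = os.path.join(store_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


# Constructed sample inputs for the demo (not captured traffic).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SCRIPT_SAMPLE = b"<% /* constructed stand-in for a server-side script */ %>"
POLYGLOT = PNG_SAMPLE + SCRIPT_SAMPLE   # valid image header, script body appended


def demo() -> dict:
    """Run both handlers against the samples and report what each did."""
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        web_root = os.path.join(tmp, "webapp")
        store = os.path.join(tmp, "uploads")
        os.makedirs(web_root)
        os.makedirs(store)
        # Weak handler: the client name decides the extension and location.
        weak_path = weak_save(web_root, "favicon.jsp", SCRIPT_SAMPLE)
        result["weak_ext"] = os.path.splitext(weak_path)[1]
        result["weak_in_webroot"] = weak_path.startswith(web_root)
        # Hardened handler: a bare script is rejected outright.
        try:
            safe_save(store, SCRIPT_SAMPLE)
            result["safe_rejects_script"] = False
        except UploadRejected:
            result["safe_rejects_script"] = True
        # Hardened handler: a polyglot passes the magic check, but is stored
        # under a random .png name outside the served tree.
        safe_path = safe_save(store, POLYGLOT)
        result["safe_ext"] = os.path.splitext(safe_path)[1]
        result["safe_outside_webroot"] = not safe_path.startswith(web_root)
    return result


if __name__ == "__main__":
    print(demo())
```

The caveat worth noting is the polyglot case: a magic-byte check alone is not a defense, because a valid image header can be prefixed to script content. What neutralizes the upload is that the server, not the client, picks the file name, extension and directory, and serves the result back through a handler with a fixed image Content-Type rather than from the web root. Administrative upload features such as a favicon changer deserve this treatment even though only privileged users reach them, since stolen admin credentials are exactly what an APT brings to the door.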
Though attacks and breaches can happen to any company, startups like Versa Networks, security camera firm Verkada (fined $3 million by the FTC last month following a breach in which attackers took over customer cameras), and Rose's failed proptech investment are particularly vulnerable. Like any small or medium-sized business, they might struggle with budgets and resource allocation. More so than other businesses, though, startups sell excitement and promise. Where a typical business might aim to be secure but simply lack the money and manpower to do it right, startups that aim to move fast and break things might simply deprioritize a cost that does not directly drive growth.
As Rose told Dark Reading at Cybertech, “In the case of the company that I mentioned, it [cybersecurity] hadn’t even occurred to them. They were thinking about the upside [of the business], not the downside.”
Unfortunately, the answer to securing startups isn’t straightforward.
When Startups Need to Think About Security
When established companies shift their attention to beefing up their cybersecurity, they typically invest in personnel, training, and layered security software (among other things). But as Rose points out, “Virtually no founders we are speaking with are facing cyber security challenges because they don’t have any product!”
Startup security is a more nuanced matter which largely rests on timing, explains Bob Ackerman, founder and managing director of the early-stage VC company AllegisCyber.
“When you’re looking at a stage zero startup, security probably is not the number one consideration. It’s, ‘Is this a good idea?’, ‘Can this team perform?’, ‘Is there actually a business here?’ But as companies gather steam, establish critical mass, the consequences of getting cybersecurity wrong increase,” Ackerman says.
“Usually a mid-stage or later-stage company has enough cybersecurity questions for it to be obvious that we need a security team, a security program, [and] a security budget as well,” says Will Lin, author of The VC Field Guide. “If I were to force a number, I would say that for companies over, say, 3,000 employees, it starts becoming more of a key topic for investors.”
Lin cautions, though, that needs vary widely across companies of different kinds.
“You might find very, very large organizations — even above 3,000 people, for example — that have a tiny, three-person-or-less security team, and then you might find a small organization of 200 people spending quite a lot per year on security. Security budgets and programs and everything tends to be more reactive than [saying] ‘Obviously, the next step of the company is we need to do X, Y, Z,’” Lin explains.
The variation occurs not just due to size and maturity, Ackerman adds, but also industry.
“Maybe a financial services company is going to have cyber risk exposure, and so [be] aware of it from a very early stage, particularly in sectors like financial services, where there is a lot of personally identifiable information, or anything in supply chain, where a compromise could be disruptive and have an adverse consequence,” he says.
Nudging Security to a Higher Priority
According to a February survey from business insurance company Embroker, more than two thirds of founders have experienced a cyberattack against one of their businesses.
Founders seem to be extra cautious about security. In the survey, 86% reported owning some kind of cyber insurance, and 71% were considering security protections beyond insurance. About a third (31%) of the respondents reported being more concerned with security than they were the year prior.
Those who aren’t thinking about cybersecurity may be nudged into doing something by the investors themselves. As Rose points out, “One of the things that we have on our standard investor checklist when we do full-on due diligence is: What is your cybersecurity plan? How is it going to work? Actually, in many cases, it’s the first time anybody ever asked the startup founder about security.”
He continues, “I would be very happy if they have something in their deck — at least in their appendix to their deck — which would say: ‘Here’s our thoughts, here’s our plan, here’s our vulnerability.’ Just tell me that you’ve actually given more than two-and-a-half minutes worth of thought to the subject, and you will be ahead of 95% of other companies.”
More mature, later-stage startups need to start making material investments and hiring for executive positions, he explains. “And if you’re a platform business that is open to the public, and you’ve got any kind of money going anywhere, then you damn well better have a really serious plan.”
“If the world was under my control, I would say: Yes, as a startup founder with no paying clients until next year, I want you thinking about building in security from day one. But because that doesn’t tie out to dollars day one — and startups are always pressed for dollars, always trying to move fast and break things — that’s a very hard sell,” he admits.
About the Author
Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes “Malicious Life” – an award-winning Top 20 tech podcast on Apple and Spotify – and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts “The Industrial Security Podcast,” the most popular show in its field.