Data breaches continue to dominate the headlines. A worrying trend is the steep increase in smaller third-party suppliers getting hacked: so-called third-party vendor breaches. Attackers exploit the lower cybersecurity maturity of startups and scale-ups as a way into the large enterprises they serve, such as banks and insurance companies. Sometimes it is as easy as compromising a third-party plug-in or a chatbot and using it as a bridgehead from which to steal data.
Sometimes the impact trickles down multiple layers. In May 2017 a company called OneLogin got hacked. OneLogin provides identity and authentication services (SSO) to other websites; the attacker obtained a set of AWS keys and used them to access OneLogin's Amazon AWS infrastructure. One level down the chain is a company called Zendesk, which offers a tool that companies use to deliver support to end users and customers. Zendesk, which had experienced its own data breach in 2013, offers its users an additional embedded service to strengthen its authentication process using… yes, right: OneLogin, which had just been breached. The next level down could be your tech company, which offers a service to a bank and uses Zendesk as an embedded support tool. Imagine the finger pointing and lawsuits when the bank's customers are impacted by a security incident at your tech company, originating from your support tool Zendesk, originating from its authentication mechanism OneLogin.
Or imagine your tech company uses Typeform to collect all kinds of information from your customers. Typeform is a very popular data collection platform: it offers forms, questionnaires and integration tools that allow web developers to embed Typeform seamlessly into their solutions. However, in a data breach earlier this year an attacker was able to download a partial backup of the data collected up to May 3rd. The question now is: what would you do if your startup made use of Typeform? What about the GDPR notification obligations? Did you notify your customers?
These kinds of third-party breaches, spreading like wildfire, are the new normal. Fast forward two or three years, when Open Banking-based API integrations are mainstream, and imagine the spaghetti: the cascading effects of a single breach can be huge.
This is why at B-Hive we've designed the Trusted Fintech Program, aiming to increase the CyberSecurity awareness and readiness of Fintech startups and scale-ups and to give them a Trust Label after successful completion, or a “Label of Love”, as Forbes put it.
However, when talking to founders of tech companies about our CyberSecurity program, I often find myself having to explain WHY they need to invest in CyberSecurity, and why security by design is so important from day one. Saying that “it's too early” to think about CyberSecurity just doesn't make sense.
So here are the 5 key reasons I refer to when explaining why startups and scale-ups have to step up their cybersecurity game NOW.
Reason 1: TRUST
“Building end user trust takes years. A data breach voids it in seconds.”
There is a quote saying: "Trust takes years to build, seconds to break, and forever to repair". While maybe not entirely true in the digital age, the cost of having to repair trust may simply be prohibitive, and a startup may not survive such an incident. As an executive at RSA described it the year after their data breach: “It was hell to live through what we did". Bottom line: for a digital startup, surviving a data breach is very challenging. The best way to avoid it is to have “Protecting Customer Data” as one of the core values of your company, and to make sure you all live by that credo every single day.
If you’re a digital company and “Protecting Customer Data” is not a core value of your company, you’re simply not trustworthy.
Even though a data breach can have a devastating impact on your business, the odds of your company experiencing one are quite high nowadays. According to the Ponemon Institute “Cost of a Data Breach” report, you're more likely to experience a data breach of at least 10,000 records within the next two years (27.9 percent) than you are to catch the flu this winter (5–20 percent).
Once it does go wrong, despite all your preventive efforts, it is crucial that you have a well-designed and tested Incident Response Plan. In the Trusted Fintech program, we spend quite some time on designing the right plan, and also on testing it during a Data Breach Simulation Game, where every participant plays a role with a budget in a fictional company that has just been breached. The role play, a true roller-coaster, confronts the participants with different scenarios and lets them test their response in a safe environment.
Reason 2: INVESTOR RISK
“Investors don't want to see their money void on the fall-out of a data breach”
The report from SecurityIntelligence calculated that in Financial Services organizations the average cost of a data breach is $208 per record stolen. The math is easy: if 20,000 records get stolen, you're probably looking at a total cost of more than $4 million.
A widely cited statistic holds that 60% of all Small and Medium-sized companies that have been hacked go bankrupt within 6 months.
Investors are already taking a calculated business risk by investing in a startup; they don't want to take the additional risk of that startup losing its data to hackers, thereby destroying shareholder value at light speed.
Frank Maene, an investor at Volta Ventures, confirms that the label would add weight when choosing a fintech to invest in. “Such a trust label can make it easier for start-ups to convince us that they are serious and corporate-ready; we're definitely in favor of such a trust label,” he said.
Reason 3: THIRD-PARTY SECURITY
“Enterprise customers and partners will grill you on this topic anyhow”
The speed of digital transformation forces large enterprises to increasingly rely on smaller software-based tech companies in order to keep up with the pace of their competition. As a result, large enterprises are spending more time and energy on making sure their suppliers have implemented the highest security standards, through recurring cybersecurity risk assessments and lengthy questionnaires. After all, there is a lot at stake: if consumer data is breached, the enterprise remains responsible, whatever the contract says. Most large enterprises have a rigid approach to procurement and third-party vendor risk management, and they often try to transfer their risks to their suppliers. In reality, however, most of these often smaller suppliers don't have sufficient financial backing to survive a breach of their end customers' data.
Jan Nys, General Manager Information Risk and Infrastructure Architecture of KBC, confirms: “The result of Digital transformation and Open Banking is that our risk landscape is more and more including external solutions that we don’t operate and protect ourselves. We see that with smaller startups and scaleups there is often a gap between their notion of CyberSecurity and the level of protection we require them to have. That is why we are so supportive of the B-Hive Trusted Fintech program, as it really aims to immerse the staff of those companies, from the developers to the founders, in the world of Information Protection. Organizations joining this program give us an important signal of how much they value the safeguarding of information, ultimately protecting brand and reputation.”
As part of the program, a Third-Party Security Assessor will explain all the ins and outs of such an assessment: what they look for, what responses they expect, and how participants can best prepare.
Reason 4: LIABILITY
“You don't want to get entangled in a bankruptcy due to damage claims and fines”
While the title is a bit scary, and bankruptcy as a result of a data breach will probably not happen just yet, it is a fact that all kinds of new legislation increase a company's liability in case of a data breach, and also allow the board and/or founders to be held personally liable where a serious professional error can be proven.
For example: if in the past you received warnings from customers about security issues in your company's solution, and you consistently neglected to address them, that could be considered a case of serious professional misconduct. My advice: potential personal liability is a serious thing; don't take the risk, and make CyberSecurity a priority.
As part of the program we'll dive into obligations under the GDPR and the NIS Directive, discuss the benefits and caveats of outsourcing the DPO role, and share real-life experiences from the field.
Reason 5: SECURITY BY DESIGN IS CHEAPER
“Implementation cost: the earlier the cheaper”
Research has shown, especially with regard to software development, that treating cybersecurity as something on the roadmap for version 2.0 costs exponentially more than adhering to secure coding principles from day one and keeping a secure architecture in mind from the start: a design flaw found after release has to be fixed in every component built on top of it.
I've personally witnessed a digital startup that had to make a profound change to its software architecture in order to pass a simple security assessment by its first banking customer. This re-architecting exercise delayed their product launch by more than 6 months, at a time when the weekly cash burn rate was at its peak.
As part of the program, Secure Code Warrior will offer access to their gamified platform to help developers improve their secure coding skills. We'll also share best practices for a secure architecture.
Check out our B-Hive Trusted Fintech program here: https://b-hive.eu/trusted-fintech/