Start-ups and their indispensable IT security

M.Sc. Chris Wojzechowski

Startups have recently become a popular target for cyber attacks. Meanwhile, cybercriminals are no longer necessarily trying to catch the big companies, but are nesting in the IT systems of small companies and businesses. Once they have gained a foothold there, all doors are usually open to them, because most smaller companies unfortunately only invest in IT security at the very end or when it is already too late.

The budget problem

Including IT security measures in the budget is essential. If no budget is available, the measures taken are mostly small, and start-ups rarely assign dedicated employees to security. This is a major problem, because it means that the entire infrastructure in a start-up is particularly fragile and therefore easy to attack.

In this article we would like to point out exactly that. In particular, we focus on why IT security has become incredibly important in start-ups and is becoming more important with every month and day of the year.

Ideas in a start-up should be protected

Start-ups are good at prototyping and inventing new products. They engage in marketing, use guerrilla methods to make their company known, and are otherwise particularly agile and thus constantly busy with new ideas. But that is precisely the point when it comes to security.

Often, it is precisely these new ideas that make a start-up in the first place. Start-ups become valuable through new approaches or even technologies, things that they handle differently from the veterans in the industry. If an attacker gets hold of these ideas or the source code of a company’s own software, the start-up can lose immense value. It loses its unique selling point.

Such ideas must be protected accordingly in a start-up, through access controls, locked areas and secure server structures that make intrusion as difficult as possible. This can succeed, but for it to happen, a budget must be set aside for security. Just as the intern will never replace an experienced social media manager, a layperson cannot control all IT security in a start-up at any point in time.

Start-ups are a popular target for hackers

Cyberattacks against start-ups are on the rise, with the human factor posing the greatest security risk at 69%, according to a study by the VDE. The big fish on the market have long since ceased to be the focus of hackers and extortionists. It’s the start-ups that have the most to lose, and that’s exactly what the attackers have now discovered for themselves.

Accordingly, small and medium-sized enterprises, including start-ups, are under constant attack. Whether they notice the attacks or not, an early investment in defense mechanisms to shield their own infrastructure is essential.

In addition, most start-ups grow rapidly, and attackers know that start-ups in particular are quickly overwhelmed by this. Where a large amount of data, payments, funds and customers suddenly has to be managed, the technology behind it must also scale seamlessly. If this does not succeed perfectly, major security gaps and vulnerabilities are immediately created, which are then in turn mercilessly exploited.

GDPR entails severe penalties

In addition to data loss or the possibility of blackmail through hacker attacks, there is also the GDPR in Germany. It provides for severe penalties if a start-up or other company fails to ensure that personal data is adequately protected.

The GDPR alone makes it advisable to ensure that IT security meets the current standard. A quick online check is not enough. A security concept already requires an appropriate audit and a security expert who keeps a close eye on the IT systems and regularly checks them for weak points.

Penalties of up to 20 million euros or 4 percent of the respective annual turnover will be due in the event of serious violations of the GDPR. Accordingly, the GDPR is not to be taken lightly, and start-ups in particular, which do not yet have any experience with securing personal data and mostly rely on third-party providers or SaaS, really have to pay attention here. That these fines are actually imposed became evident in 2019: a hospital in Rhineland-Palatinate had to pay EUR 105,000, as we reported in the related article.

When start-ups lose their reputation and their investment

Most start-ups rely on venture capital or are pre-funded accordingly by the founder. The amounts vary with the size of the company, of course, but that makes little difference to the stakes. There is always a lot at stake, and neither reputation nor invested assets should be exposed to unnecessary risk.

What is also often underestimated is that comprehensive IT security cannot be implemented or even set up quickly and easily overnight. Instead, a kind of security culture should prevail in the start-up from the very beginning. In every process, there must be an understanding that it may touch a security-sensitive area that must be protected accordingly. Such a culture develops over years, not from one moment to the next.

So the earlier IT security is addressed, the better it works in a start-up. Right from the start, companies should address the issue of IT security and determine what role it will play in their own company. In this way, weak points are avoided right from the start and typical errors can, in the best case, be avoided altogether.

M.Sc. Chris Wojzechowski

My name is Chris Wojzechowski and I studied my Master in Internet Security in Gelsenkirchen a few years ago. I am one of two managing directors of AWARE7 GmbH and a trained IT Risk Manager, IT-Grundschutz practitioner (TÜV) and possess the test procedure competence for § 8a BSIG. Our bread and butter business is performing penetration testing. We are also committed to promoting a broad understanding of IT security in Europe, which is why we offer the majority of our products free of charge.