Investing in software startups can either reap great rewards or bust your bankroll. Venture Capitalists spend hundreds of hours evaluating promising early-stage companies, including technology, vision, total addressable market, product/market fit, and GoToMarket strategies before deciding to invest. Once they invest, the goal is repeatable business growth and/or exponential growth. However, there is one hidden, key risk factor for every technology startup that many investors neglect: cybersecurity. Best practices can make or break any startup. VCs need to add cybersecurity to the top of the list of concerns for both protecting their current portfolio companies and their due diligence process for new startup investments.
Traditional investor due diligence focused on the software company’s financial records and sales stream. The rise of Software-as-a-Service (SaaS) applications and the potential for becoming the next high stakes winner in real-life roulette now come with new risks. In July 2019, a global hospitality company announced in its U.S. Securities and Exchange Commision (SEC) filing that the United Kingdom’s Information Commissioner’s Office (ICO) had fined the company more than $124 million, roughly 2.5% of its worldwide revenue, as the result of a November 2018 data breach from one of its acquired companies. The lesson? A lack of cybersecurity due diligence during the merger and acquisition process can translate to a loss rather than a gain. Similar to a merger or acquisition, venture capital firms need to follow a due diligence checklist for cybersecurity to protect their money and their companies.
Although common sense dictates the importance of reviewing your portfolio from the cybersecurity perspective, the data proves the value further. According to the 2019 Verizon Data Breach Investigations Report data should make you wary:
The short and, now, tiresome story? Small businesses are often the victims of external malicious actors gaining unauthorized access to data to make money off the stolen information on the dark web.
While the number and type of data breach occurring in 2018 may not surprise you, the disproportionate impact of a data breach on the smaller organizations, the ones in which you are more likely to be investing, should surprise you.
The 2019 IBM Cost of a Data Breach Report should at least give you pause. According to the Cost of a Data Breach Report, small businesses face smaller total costs per breach, but when the cost is averaged by the number of employees, the breaches impact them far more significantly.
For example, a data breach cost organizations with more than 25,000 employees an average of $5.11 million compared to $2.65 million for organizations with 500-1,000 employees. However, when spreading that cost out to account for size, the data breach at the larger organization was $204/employee while for the smaller organization it was $3,533/employee.
Overall, while the costs may be overall greater for a large organization, the smaller organizations lack the resiliency necessary to maintaining solvency in the aftermath of a data breach.
Digital transformation makes startup software companies a compelling investment. Today’s new software can become tomorrow’s Lyft or Doordash. However, instead of playing a game of roulette with your portfolio, you want to make risk aware decisions to protect your company’s reputation and your investors. To do this, you need to know the risks that can be mitigated and ensure that the companies you fund are enforcing the appropriate controls.
Web application attacks were the number one breach pattern detected in the Data Breach Investigations Report. Malicious actors attacked by exploiting code-level vulnerabilities and by undermining authentication mechanisms.
Before investing in a web application software, ensure that the company incorporates controls to mitigate risk, such as:
Nearly 24% of the incidents reported in the Data Breach Investigations Report involved malware. Malicious actors continuously evolve their threat methodologies, meaning that most ransomware and malware are not new strains but updated versions of old ones. Equally concerning, many new malware attacks no longer require users to execute files. The fileless attacks act as parasite code within legitimate system processes.
As part of your due diligence, you should ensure that the company in which you want to invest:
Most software companies use Platform-as-a-Service (PaaS) or Infrastructure-as-a-Service (IaaS) for development environments. These new cloud locations increase the attack surface and lead to new risks. Unlike legacy DevOps, modern developers spin up new instances, workloads, and containers in cloud-based ecosystems like AWS or Oracle. Relying solely on code, a single mistake can leave a misconfigured cloud location open to the public, making it a cybersecurity risk.
As you engage in your due diligence process, you need to ensure that the DevOps environment is:
Whether it’s a text, social media private message, or email, social engineering is still a primary threat vector. According to the 2019 Data Breach Investigations Report, although phishing simulation click-through rates fell from 24% to 3% over the past seven year, 18% of people who clicked through were using mobile devices. As more employees use mobile devices to check email or access collaborative tools, this threat vector becomes more dangerous.
When engaging in due diligence, you want to determine:
The cost of a data breach is compounded by the hidden financial losses. Business loss arising from a data breach cost $1.42 million, or 36%, of the total data breach costs according to the 2019 Cost of a Data Breach Report. Equally important, organizations unable to retain customers after a data breach spent 45% more on average for a data breach.
Your due diligence needs to include a review of the potential investment’s cybersecurity risk insurance policy to determine whether it covers:
At Zeguro, we understand startup culture. As an investor, you have stakeholders whose money you need to protect, and any additional risk to your financial security can be devastating. That’s why we built our product to help small and mid-size businesses - so that they can secure data and obtain the necessary insurance to protect against future risks.