How startups can prevent virtual threats in the new world order

Remote working, e-commerce and the digitisation of services that companies offer are an attractive backdrop for cyber criminals, potentially giving them free rein. Startups are particularly vulnerable to different types of attack, which is why they should have cybersecurity as a strategic cornerstone.

During the lockdown caused by coronavirus, remote working in Spain became an obligation for all those companies that could implement it – according to a study by IvieLab it went from 5% to 34% of workers. E-commerce has also skyrocketed in Latin America and Spain, with more companies offering it via various platforms and increasing numbers of consumers using it.

All these new behaviour models have something in common – strong digital foundations. This increase in online presence implies an increase in risks, with cyber criminals taking advantage to escalate their wrongdoing. “Attacks on users have increased: we are no longer working under office security umbrellas, computers and networks are shared with the rest of the family, and concern about the pandemic has made us more vulnerable to certain attacks, such as phishing attacks on public institutions”, explains Roberto Ortiz, Global Head of People Information Security at BBVA.

Digital natives are not risk free

Contrary to what we might think, since they are digital natives by definition, startups are no more secure than other companies when it comes to the risk of cyber attacks. In fact, they might even be particularly vulnerable “as cyber criminals consider them easier targets”, suggests Oliver Moradov, Head of Partnerships at security firm NeuraLegion, which took part in the most recent BBVA Fast Track. “Larger businesses have more mature and strict security equipment, procedures and tools that they invest heavily in, whilst new companies do not generally invest in security”, he adds.

Experts at Grupo Zerolynx, a startup that works with BBVA, agree. “There are companies that were born 100% digital and yet they do not allocate any budget to digital security because they think that, with everything being saved in the cloud, they don’t have to worry about their systems, environments and architectures”, says Jesús Alcalde, DevOps Security Manager at Zerolynx.

Post-COVID-19 attacks

The main attacks happening after coronavirus tend to be focused on the theft of personal data and bank details to carry out unauthorised operations. One example is the CEO scam. “They pass themselves off as a member of senior management staff whose credentials they have stolen, send an email to the purchasing department and request a transfer. The money vanishes, and for an SME or a startup that can mean ruin”, Alcalde explains.

The Spanish National Cybersecurity Institute (INCIBE) warned of phishing attacks that use COVID-19 as bait to deceive a company’s employees and distribute malware. “Frequently the most vulnerable point is within the perimeters of the company itself, since people are often the weakest link”, notes Ortiz.

On another note, “43% of data leaks are the result of web application vulnerabilities”, says Moradov, echoing the 2020 Data Breach Investigations Report by Verizon.

It’s also common to see digital systems being infected and information systems being hijacked, so-called ransomware. “They get into the system, take out the information and ask for a ransom. Sometimes the data is not taken, rather they threaten to make it public if the owner does not pay”, explains Alcalde.

Many of these attacks also hide a surprise – they are not detected at the time. “It takes about four months from the first attack to identify hacking. So now we’re going to start to come across companies that were attacked in May and June; the figures are going to go through the roof”, indicates González.

Advice for staying protected

How can an emerging company, with growing financial muscle, get ahead of this? The best strategy is pre-emptive defence. From BBVA, Ortiz provides a series of basic guidelines:

  • Create a cyber security strategy, which identifies and evaluates the main risks to which the startup is exposed.
  • Have robust remote access controls to secure situations such as remote working, use secure channels and ensure that there is clear separation between the professional and the personal space so as not to put company systems at risk.
  • Monitor the network from which you gain access. If you share it with your family, be careful with downloading documents to your computer and compromising data.
  • Protect the devices and technology used. For example, always work from your company’s computer, and keep devices and applications up-to-date.
  • Beyond simple anti-virus, use monitoring and alert systems and carry out internal audits to analyse the risk from within the company.
  • Invest in training employees so that they respect a culture of cyber security and remain alert.

Final call – cyber security is critical

The pandemic has given a boost to digitisation, but also to the cyber risks that this brings with it, and “a faster business transformation, in which the struggle to increase income and get a bigger market share mean that security is a notion that gets left for later”, Moradov reminds us.

And security cannot be left for later. González makes this prediction: “We’re departing from a start point where people didn’t do a thing and the number of attacks is going to be on the increase. If companies stop investing in cyber security, the landscape in 2021 is going to be nightmarish”.

Ortiz too reminds us that cyber security is also a business opportunity and a way of proving quality to customers: “Designing security from the end user perspective is key for digital companies, since it is the main vector for maintaining digital trust and providing leverage for new business”.

Faced with the changing situation of the pandemic and digitisation, Moradov concludes: “Security must evolve and continuously improve, irrespective of the size of a company. Security is a journey, not a destination”.
