When Startup Founders Should Start Thinking About Cybersecurity

It was a tale of two startups.

"A company that I invested in — about, oh, five years ago — happened to be in the proptech [property technology] space," said David Rose, managing partner at Rose Tech Ventures, during a panel at Cybertech NYC last week. The startup he was referring to helped people build their credit by paying their rent with credit cards. "So it was a really cool company, [and] it was going great. And then it turned out they had been hit by scammers, who were setting up fake buildings and fake credit cards, using them [for fraud]. And the entire company blew up because of that."

Another company from one of Rose's protégés had a similar idea and business model, but because the company had better security, it was able to grow. "So you see a company that had really interesting ideas, demonstrated a great potential, smart guys, but the company got killed because of cyber," Rose noted.

Startups are valued for their forward thinking, their financials, and their talent. No investment negotiation has ever broken down over the issue of cyber preparedness. Yet, clearly, an incident can be catastrophic to a promising but volatile new business, and anecdotal evidence suggests investors and founders alike are starting to take that risk seriously.

The Threat to Startups

Volt Typhoon, the Chinese advanced persistent threat (APT) du jour, has compromised critical infrastructure providers of every kind — Internet service providers, electric utilities, wastewater treatment, energy, and more — on multiple continents, targeting military organizations along the way. Its attacks are of the highest caliber among known APTs. But a few weeks ago, it went after a different type of prey: a startup.

Versa Networks attracted a lot of attention with its secure access service edge (SASE) software-as-a-service offering and earned $120 million in pre-IPO funding in October 2022. Less headline-grabbing was a bug in its software-defined wide area networking (SD-WAN) technology (CVE-2024-39717). The vulnerability — rated as "high" severity with a CVSS score of 7.2 — allowed Volt Typhoon to push a custom, credential-grabbing Web shell through the Versa Director platform, allowing the attackers to breach four Versa customers in the United States and one in India.

Though attacks and breaches can happen to any company, startups like Versa Networks, security camera firm Verkada — which was fined $3 million by the FTC last month following its breach where attackers took over customer cameras — and Rose's proptech failure are particularly vulnerable. Like any small or midsize business, they might struggle with budgets and resource allocation. More so than other businesses, though, startups sell excitement and promise. Where a typical business might aim to be secure but simply lack the money and manpower to do it right, startups that aim to move fast and break things might simply deprioritize any cost that does not incur growth.

As Rose told Dark Reading at Cybertech, "In the case of the company that I mentioned, [cybersecurity] hadn't even occurred to them. They were thinking about the upside [of the business], not the downside."

Unfortunately, the answer to securing startups isn't straightforward.

When Startups Need to Think About Security

When established companies shift their attention to beefing up their cybersecurity, they typically invest in personnel, training, and layered security software (among other things). But as Rose points out, "Virtually no founders we are speaking with are facing cybersecurity challenges because they don't have any product!"

Startup security is a more nuanced matter that largely rests on timing, explains Bob Ackerman, founder and managing director of early-stage VC company AllegisCyber.

"When you're looking at a stage-zero startup, security probably is not the No. 1 consideration. It's, 'Is this a good idea?', 'Can this team perform?', 'Is there actually a business here?' But as companies gather steam [and] establish critical mass, the consequences of getting cybersecurity wrong increase," Ackerman says.

"Usually a mid-stage or later-stage company has enough cybersecurity questions for it to be obvious that we need a security team, a security program, [and] a security budget as well," adds Will Lin, author of The VC Field Guide. "If I were to force a number, I would say that for companies over, say, 3,000 employees, it starts becoming more of a key topic for investors."

But needs vary widely across companies of different kinds, Lin cautions.

"You might find very, very large organizations — even above 3,000 people, for example — that have a tiny, three-person or less security team, and then you might find a small organization of 200 people spending quite a lot per year on security," he explains. "Security budgets and programs and everything tends to be more reactive than [saying], 'Obviously, the next step of the company is we need to do X, Y, Z.'"

The variation occurs not just due to size and maturity, Ackerman adds, but also industry.

"Maybe a financial services company is going to have cyber-risk exposure, and so [be] aware of it from a very early stage, particularly in sectors like financial services, where there is a lot of personally identifiable information, or anything in the supply chain, where a compromise could be disruptive and have an adverse consequence," he says.

Nudging Security to a Higher Priority

According to a February survey from business insurance company Embroker, more than two-thirds of founders have experienced a cyberattack against one of their businesses.

Founders seem to be extra cautious about security. In the survey, 86% reported owning some kind of cyber insurance, and 71% were considering additional security protections in addition to having insurance. About a third (31%) of the respondents reported being more concerned with security than they were the year prior.

Those who aren't thinking about cybersecurity may be nudged into doing something by the investors themselves. As Rose points out, "One of the things that we have on our standard investor checklist when we do full-on due diligence is: What is your cybersecurity plan? How is it going to work? Actually, in many cases, it's the first time anybody ever asked the startup founder about security.

"I would be very happy if they have something in their deck — at least in their appendix to their deck — which would say, 'Here's our thoughts, here's our plan, here's our vulnerability.' Just tell me that you've actually given more than two-and-a-half minutes worth of thought to the subject, and you will be ahead of 95% of other companies."

More mature, later-stage startups need to start making material investments and hiring for executive positions, Rose adds.

"And if you're a platform business that is open to the public, and you've got any kind of money going anywhere, then you damn well better have a really serious plan," he says. "If the world was under my control, I would say, 'Yes, as a startup founder with no paying clients until next year, I want you thinking about building in security from day one.' But because that doesn't tie out to dollars on day one — and startups are always pressed for dollars, always trying to move fast and break things — that's a very hard sell."