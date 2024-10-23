BY FastCo Works4 minute read

In 2021, Verkada was a high-flying startup that had emerged from the pandemic with unicorn status and turbocharged demand for its cloud-based security tools, including remotely accessible security cameras. That spring, hackers stormed its network, gaining access to more than 150,000 cameras across schools, hospitals, and jails. According to a subsequent complaint by the Federal Trade Commission and Department of Justice, the company had failed to implement even basic security measures such as strong passwords, multifactor authentication, and regular testing. Although the incident ultimately didn’t deter its growth, Verkada reluctantly agreed to invest in stronger measures under the watchful eye of the FTC.

Founders can relate. The relentless pressure to grow at all costs—often using the lightest, cheapest, fastest technology available—can outweigh the outlier threat of a security breach. According to a recent survey of 500 entrepreneurs by Fast Company and Inc. on behalf of Dell Technologies and NVIDIA, a majority of founders (59%) believe having the wrong tech is an existential risk, while only a third (33%) feel the same about potential cyberattacks. But an even greater share (66%) agree the latter are disproportionately more damaging to the operations and reputations of startups versus larger companies. How do they reconcile these risks? “Most businesses are business-first,” says Oliver Spence, founder and CEO of the cybersecurity consultancy Cybaverse. “They’ve got to grow revenue and the bottom line. Cybersecurity typically comes later, after they’ve launched their product.” It should be the opposite. At a time when customers are increasingly concerned about the integrity of their data, strong credentials and procedures can be a calling card for sales. And their small size can actually be an advantage, as startups lack the patched-together systems commonly exploited by malicious actors. They possess the rare opportunity to build security into their technical stack from day one, transforming it from a vulnerability into a competitive advantage.

SECURITY FROM DAY ONE The grow-at-all-costs mindset can leave companies shockingly exposed to threats. Fewer than half of startups polled have invested in measures the DOJ excoriated Verkada for lacking, including software patches (47%), regular backups (44%), and a multilayered approach (45%). Four percent admitted to having no security at all! The first step is to rectify that with basic protections against malware and phishing attacks, their top two concerns. Cost is no excuse—security vendors targeting small businesses often offer products tailored to startups’ risks, budget, and staffing. In fact, startups have an advantage over large companies when it comes to locking down tech, as the latter may have thousands of employees in different departments using different tools, running on legacy systems difficult to integrate and update. The result is an attack surface riddled with holes requiring enormous resources to play whack-a-mole with potential threats. “Startups do not have legacy technologies, and employees are working in similar ways, so the risks are easier to contain,” Spence notes. “They are also more likely to be a technology-oriented business, so they’re going to understand a little bit more how it all pieces together.”

The advent of generative AI offers startups more tools for spotting threats as autonomous “agents” come into their own. Models such as OpenAI o1 use intricate feedback loops to accomplish complex tasks, including watching for anomalous behavior in computer systems. “Having an environment that can monitor itself and close some of these gaps can be really advantageous for a small shop,” says Nick Brackney, a senior consultant of generative AI marketing at Dell. Increasingly automated systems only increase startups’ leverage and rewards their lack of technical debt. CYBERSECURITY AS A SALES ENABLER The next step is to build that heightened security into the heart of the product or service itself. Luna is a health-and-wellness app for teenage girls whose entire proposition offers a level of care and understanding competitors can’t match. For that reason, the company has understandably taken a rigorous approach to privacy and security. Sensitive personal data is kept separate from other systems, and it expects its cloud providers to do the same.

“From the beginning, we have built to stand the test of time,” says Luna cofounder and co-CEO Jo Goodall. “People would say to us, ‘You are not moving quick enough. You need to just build, build, build, and think of the back end later.’ Cutting corners with cybersecurity will catch up with you eventually in a bad way, unpicking everything that you’ve done previously.” Seen this way, cybersecurity isn’t a box to be checked or a cost center, but a critical point of differentiation against larger competitors: Whom do you trust? This is as true for governments as for teenage girls—as Spence notes, having the right cybersecurity certifications can help win contracts from public agencies and other organizations with rigorous compliance requirements. In this sense, he says, “cybersecurity becomes sales enablement.” Trust that hackers will try to move fast and break things—startups can clean up by moving carefully and fixing them.