Insecure venture

Here are two completely different companies in terms of their revenues, size and business profile: the tech giant Yahoo! and the French construction company Vinci. They have one common feature: they were both hit by hackers. Cyber criminals stole the personal data of more than 1 billion Yahoo! service users and falsified news about Vinci's financial performance.

As a result, Yahoo! sold its web assets to Verizon $350 million cheaper than had been planned (moreover, the companies agreed to share all the future legal fees connected with the leak), and Vinci shares slumped 18%. And if big companies are hit that hard, promising new startups may be completely destroyed by hacker attacks.

In 14 years of cyber-crime investigation, we, Group-IB, have learned it like a mantra: most cyber attacks have financial motives. Hackers want to steal money from bank accounts or snatch information to sell on the black market. Criminals yearn to gain access to correspondence or other important data to extort money for non-disclosure. Finally, they will be glad to take your files or even your whole business hostage by blocking all information needed for work and demanding a ransom for that (for example, that is what happened during the recent WannaCry outbreak).

Most often, the damage caused by cyber attacks far surpasses the financial advantages gained by the cyber criminals. Imagine that a manufacturing plant's computer systems are infected with a cryptoworm. In such cases, we recommend not paying the ransom, since there are no guarantees of information recovery (the people you interact with are criminals!) and, moreover, it will stimulate more criminal activity of that type. But, for purposes of our case, let's assume the plant management decided to pay the ransom – $300 for each of the infected computers with the most important data.

To save money, the head of the IT department proposes uninstalling all noncritical systems and installing everything anew. Consequently, expenditures to redeem the information stored in accounting department computers, as well as on mail servers and in backup systems, amounted to only several thousand dollars – if we speak only of the benefit to the cyber criminals.

In this case, we had a business that was mainly represented offline and used the Internet only for communication and payments. Now imagine the cost of down time for a business represented only on the web:

• an online business will suffer losses from advertisements that are ineffective during a hacker attack

• an online shop will not be able to sell goods and it may result not only in the loss of profit, but also in cash deficiencies

• for some services connected with access to users' personal data, such an attack may imply the end of the business

After the Panama Scandal and the leaking of information about thousands of offshore companies, the whole world came to know about Mossack Fonseca. But do they have any more clients now? Most likely, they will lose their users. The hacked data storage system is a blot on their reputation – no one would store their files in a 'leaky' cloud. Stealing money from a bank's correspondent account (or massive hacking of client accounts) and the resulting publicity may result in customer outflow and in lots of questions from regulators.

Perhaps the potential damage caused by cyber attacks is underestimated most of all by venture capital funds, especially those investing in hi-tech startups (immersed in the web) or financial startups (immersed in the finance). Investors' money is usually invested in business development, testing business models, acquisition of customers and employees and other areas that are often a far cry from security issues. We cannot blame founders for wanting to earn money for their investors and not wanting 'extra' expenditures. In my observation, security is definitely not the top priority for most startups. And that's wrong.

Researchers from Oxford Economics found that public companies irrevocably lose an average of 1.8% of their value as a result of cyber attacks. For the 100 companies with the highest market capitalization on the London Stock Exchange (FTSE 100), 1.8% is £120 million! And that's the average, because, in some cases, the damage may amount to 15%. But according to one survey, 87% of people working for such companies, to their credit, call cyber attacks a key risks for their organizations. The second emerging trend is the more noticeable negative impact of cyber attacks on stock prices as compared to the past.

Investors – whether venture capital funds or business angels – that invest their time and money in an asset are interested in growth of the company's value. Of course, shareholders prefer not to intervene heavily in business development and they do not ask questions about security – this is done by the team of founders (at least with great presentation skills).

Being a provident investor, don't be afraid to ask about security, if you don't want to lose your assets tomorrow. Founders should be prepared: a generation of thoughtful investors is coming up and soon they'll be asking inconvenient questions. After that, one of key points in your elevator pitch will be "our security and the security of our users."

Venture investments are called that for a reason: they are based on risks, but the potential double-digit profit attracts many people, as does the long-shot chance of creating a new Facebook, Uber or Snapchat (or whatever people dream about nowadays). Thus, the high risk is justified by a high yield.

The cyber environment is highly insecure. Anyone who ever reads the business press understands that. Neglecting cyber threats today is a real crime against yourself and your business. On the other hand, such a business can also be called a venture – because if you turn a blind eye to cyber threats, the risks for your business will also grow!