Security for Startups: A 10-Step Affordable Plan to Survival in Cyberspace

This post originally appeared in TechCrunch.

In the past two years, cyberspace has clearly changed in ways that threaten every online business, big or small. Startups now use the cloud infrastructure that mature companies do, and quickly aggregate large, juicy caches of private user data and payment credentials. As malware infestations scale to scour the “long tail” of targets, they don’t discriminate between the Fortune 50 and the TechCrunch 50.
In fact, some increasingly common attacks — like DDoS extortion — specifically target smaller, more vulnerable businesses, whose loose cowboy cultures, shallow security expertise, fragile infrastructure and fresh capital make for easy pickings.
Jeremy Grant at NIST reports “a relatively sharp increase in hackers and adversaries targeting small businesses.” According to a recent survey, 20 percent of small businesses in Canada reported cyber losses last year. Who knows how many more fell victim and just don’t know it?
“Startups are incredibly vulnerable to cyber attacks in their first 18 months. If a business thinks that it’s too small to matter to cybercriminals, then it’s fooling itself with a false sense of security.” – Brian Burch, Symantec (CNN)

For many attacks—API disruption, marketplace fraud, IP theft—the smaller the target, the greater the damage. Startups often lose a year or more when targeted by identity thieves, nation-states, hacktivists, competitors, disgruntled employees, IP thieves, fraudsters or Bitcoin miners. Evernote, Meetup, Feedly, Vimeo, BaseCamp, Shutterstock, MailChimp and Bit.ly all fell victim to extortion rackets, and Code Spaces shut down altogether. “When our API collapsed under a DDoS attack, we experienced more customer churn in that one day than we had in the entire two years since our launch,” recalled one CEO.
Stubhub, Uber, and Tinder struggle to battle fraud in their marketplaces. Uber employees themselves were caught defrauding competitor Gett. Evernote, Bit.ly, Formspring, Dropbox, Cupid Media, Zendesk, Snapchat, Clinkle, MeetMe, LastPass (a password security company!) and many others have had to tell users they lost their passwords or payment credentials to hackers. Cyber thieves stole $5 million worth of Bitcoins from Bitstamp, and destroyed Mt. Gox and Flexcoin. Hackers exposed the content and identities of Yik Yak accounts. The CEOs of HB Gary, Snapchat and many other startups have been vilified following the theft and publication of embarrassing emails. Google routinely blacklists websites for weeks due to malware. Appstudio, SendGrid, HB Gary and others have been defaced or even permanently shut down by anti-Western hacktivists for political reasons. For OnlyHonest.com, the damage appears to have been fatal.
And even if your startup beats the odds and survives its infancy

The Failure of Cyber Security and the Startups Who Will Save Us

2014 will be remembered as the year the cyber dam broke, breached by sophisticated hackers who submerged international corporations and government agencies in a flood of hurt. Apple, Yahoo, PF Changs, AT&T, Google, Walmart, Dairy Queen, UPS, eBay, Neiman Marcus, the US Department of Energy and the IRS all reported major losses of private data relating to customers, patients, taxpayers and employees. Boeing, US Transportation Command, the US Army Corps of Engineers, and US Investigations Services (which runs the FBI’s security clearance checks) reported serious breaches of national security. Prior to last year, devastating economic losses had accrued only to direct targets of cyberwarfare, such as RSA and Saudi Aramco, but in 2014, at least five companies with no military ties -- JP Morgan, Target, Sony, Kmart, and Home Depot – incurred losses exceeding $100M from forensic expenses, investments in remediation, fines, legal fees, re-organizations, and class-action lawsuits, not to mention damaged brands.

The press has already reported on where things went wrong at each company, promoting a false sense of security based on the delusion that remediating this vulnerability or that one would have prevented the damage. This kind of forensic review works for aviation disasters, where we have mature, well understood systems and we can fix the problems we find in an airplane. But information networks are constantly changing, and adversaries constantly invent new exploits. If one doesn’t work, they simply use another, and therein lies the folly of forensics.

Only when you step back and look at 2014 more broadly can you see a pattern that points toward a systemic failure of the security infrastructure underlying corporate networks, described below. So until we see a seismic shift in how vendors and enterprises think about security, hackers will only accelerate their pace of “ownership” of corporate and government data assets.

The Sprawl of Cyberwarfare

The breaches of 2014 demonstrate how cyberwarfare has fueled the rampant spread of cyber crime.

For the past decade, the world’s three superpowers, as well as the UK, North Korea and Israel, quietly developed offensive capabilities for the purposes of espionage and military action. Destructive attacks by geopolitical adversaries have been clearly reported on private and public sector targets in the US, Iran, South Korea, North Korea, Israel, Saudi Arabia and elsewhere. While Snowden exposed the extent of cyber espionage by the US, no one doubts that other nations prowl cyberspace to a similar or greater extent.

The technical distinction of these national cyber agencies is that they developed the means to target specific data assets or systems around the world, and to work their way through complex networks, over months or years, to achieve their missions. Only a state could commit the necessary combination

Disrupting the Market for Souls

Last night at dinner with a group of officers from Facebook, LinkedIn and Twitter, Oxford Professor and legendary evolutionary biologist Richard Dawkins asked me to explain why I signed up to be a Trustee of the Richard Dawkins Foundation for Reason and Science. Later I was asked to share those comments, so here they are:

From inside Silicon Valley, it may seem somehow unnecessary or obsolete to promote science. But it’s easy to forget how fortunate and enlightened we are here. The scientific method is ingrained in everything we do. Instead of A/B testing your apps to improve your conversion funnel, would you ever rely instead on prayer, ritual and miracles?

But in the world at large, and even our country, most people still do not value the proven theories of scientists, either because they themselves do not understand science, or because there is too much social and emotional pressure upon them to value faith over evidence-based beliefs.

Still, so what? Why invest my limited time and capital in a startup foundation that promotes science and secularism?

As I would for any startup investment opportunity, I naturally start my assessment by looking at the incumbents in the vibrant market for people’s souls, to see how vulnerable they are to disruption. And as I deconstruct the businesses of religion, here’s what I see:
  • The largest possible market -- 7 billion customers!
  • Awesome value proposition – immortality – that addresses the most basic human desire.
  • A recurring revenue business model.
  • A Net Promoter Score higher than Apple's, where their customers go door to door on their behalf and build schools to sell their product.
  • An impressively large and distributed field sales organization staffed by product evangelists (literally) who work for low wages.
  • Enormous government subsidies in the form of 100% tax relief, and similar government subsidies for all their customers!
  • Enormously high switching costs – customers who churn can lose their jobs, friends, even family, and in some countries their head.
The only drawback is product quality. Not only is immortality difficult to deliver, but the entire industry agrees that only one of the thousands of products on the market actually works. The good news is that customers pay prior to shipment, and there is no mechanism for rating product satisfaction.

That's a business I would want to own!

The downsides are simply economic externalities – costs that are mostly born by others. Some are obvious, like Jihad and the oppression of gays and women. But the most dangerous externality of all is more subtle, and that’s the marginalization of science.

Broun: "Lies straight from the pit of Hell"
To keep their customers, religions convince them that faith trumps evidence, and in

Dinosaurs in Space!

PCs and smartphones have pushed mainframes to the brink of extinction on Earth, and yet mainframes still thrive in space.

Most every satellite in orbit is a floating dinosaur - a bloated, one-off, expensive, often militarized, monolithic relic of the mainframe era. The opportunity for entrepreneurs today is to launch modern computer networks into space, disrupting our aging infrastructure with an Internet of microsats.

Credit DeviantArt.com
So why has it taken so long for modern computing to reach space? Gravity. It’s hard to launch things. Governments have the money and patience to do it, as do large cable and telecom corporations. These players are slow to innovate, and large satellites have met their basic needs around science, defense, and communications, albeit at very high costs.

That’s changing: several IT trends have come together to herald the extinction of these orbiting pterodactyls:
  • Moore’s law has reached the point where a single rocket launch can be amortized across dozens of tiny satellites, and the replacement cost is so low that we needn’t burden our missions with triple redundancies and a decade of testing;
  • Global computing clouds make it easy to deploy ground stations; and
  • Advances in Big Data enable us to process the torrential flows of information we get from distributed networks.

These trends have reduced the cost of a single aerospace mission from a billion dollars down to a hundred million just as the early-stage VC community amassed enough capital to undertake projects of this scope. And now that a handful of venture-backed startups like SpaceX and Skybox are demonstrating success, the number of aerospace business plans circulating through Sand Hill Road has climbed faster than a Falcon 9.

With each successful startup, progress accelerates and synergies emerge. As SpaceX makes launches cheaper, it opens the frontier to more entrepreneurs. Pioneers like Skybox and Planet Labs have to build end-to-end solutions for their markets, including everything from satellite buses to big data search algorithms; but there will soon evolve an ecosystem of vendors who specialize in launch mechanisms, cubesats, sensors, inter-sat communications, analytics, and software applications.

So who are the customers for a space-based Internet? At first, aerospace startups will disrupt two large markets:

  • Scientific exploration of space. In the past, costly scientific missions such as Apollo ($355 million in 1966), ISS ($3 billion/year), Hubble ($10 billion), and Cassini ($3.3 billion) were designed and built by government agencies. Expect startups to disrupt this market with innovations in rocketry, robotics, optics, cloud computing, space suits, renewable energy, and more.

  • Communications. Government defense agencies spend considerable sums on communications to serve their space-based weapon systems and intelligence bureaus. Media and cable companies also commission

The Admins in BVP’s Companies Are No Longer "Unsung" Heroes

With sincere appreciation for the thankless job executed day in and out by the admins at BVP and our portfolio companies, I spent today with a barbershop quartet making our way from San Jose to San Francisco serenading these heroes of Silicon Valley. The final stop, captured below, was at Smule to recognize office manager Erika San Miguel.