It is thoroughly refreshing to find startups that prioritize security for their users. Typically, these are startups operating in a more regulated space such as financial services or insurance. More often than not, though, we meet startups across all sectors that do not share that sentiment. Their reasoning is understandable, and we know the growing pains that fellow startups go through, but there are some undeniably severe flaws in this way of thinking, especially when it comes to implementing two-factor authentication (2FA).
1) Small Businesses and Startups Are Not Attractive to Hackers
The common belief that smaller digital businesses or startups are not attractive targets for attackers is exactly that: a misconception. Take the Israeli startup CoinDash, a cryptocurrency management platform that was hacked and lost around 7 million dollars' worth of crypto assets. Or Apollo, a sales engagement startup that made headlines in October 2018 when its database of 200 million contacts from 10 million companies was leaked.
According to the Verizon 2013 Data Breach Investigations Report, 62% of affected businesses were small businesses. Attackers see small businesses and startups as easy targets: because of their size and their lack of resources and security expertise, their infrastructure is easier to compromise, and their data is just as profitable.
2) Strong Encryption Provides Enough Security For My Platform
You already use strong encryption standards to protect your data, so 2FA is an unnecessary add-on? Strong encryption should be the gold standard (and common sense) in cybersecurity today, but it is often misinterpreted to mean that if you use strong encryption, you do not need 2FA. Strong encryption, if and when implemented correctly, ensures that should you ever get breached, the attackers will not be able to easily read the stolen data at rest. It does nothing, however, about the millions of already stolen data sets (including usernames and passwords) that are for sale on the dark web right now. Users are notorious for bad password practices: choosing weak passwords or reusing the same password across multiple accounts and sites. Last year the two most popular passwords were "123456" and "password". Encryption at rest is transparent to anyone who logs in: an attacker who signs in with a password reused from another breached site is a legitimate user as far as your platform is concerned, and your platform will happily decrypt the sensitive data for them. While two-factor authentication cannot thwart every attack, it makes it much harder for an attacker to turn a stolen password into access to your users' data. And remember, hackers are profit-driven and mostly follow the path of least resistance: attacking platforms that do not have 2FA enabled is much easier than going after the ones that have it!
3) Regulators Are Too Busy With Big Players to Care About Startups
GDPR is still a young regulation and how strongly it will be enforced is still unknown, so you have time and leeway to reach compliance, right? Many of the startups we talk to believe that regulators will be busy enforcing against bigger players first, before turning their eye to smaller businesses and startups.
However, if you are a B2B startup doing business with enterprises, you very much fall under their microscope, whatever the regulator does. Typically, before you can do business with a large company, you have to prove to your potential enterprise clients that you meet their compliance requirements. According to Dr. Raphael Reischuk, Head of Cyber Security Services at Zühlke Engineering AG, one of the most important cybersecurity risks that corporates need to take into consideration is the integrity of the entire service supply chain and the security of third-party providers.
4) We Have Not Been Breached Yet So We Are Safe
The whole concept of "we have not been breached yet, so we are safe" is the wrong way to approach internet security. Can we all agree that a breach is the worst-case scenario? Yes, and once you have been breached you have already lost. Under GDPR, a company that suffers a breach of the personal data of people in the EU must notify its supervisory authority within 72 hours of becoming aware of it, describing the nature of the breach, its likely consequences and the measures taken or proposed to address it, and must inform the affected individuals without undue delay when the breach is likely to put them at high risk. Breaches handled this way routinely become public, and there is potentially nothing worse that a public name-and-shame can do to the credibility of a growing business in the eyes of customers and investors.
Prevention is the best kind of protection. By not having preventive measures in place, such as enabling 2FA for your users, you are only making yourself an easy target for attacks that will happen; it is just a matter of time.
2FA does not need to add friction to your customer journey: there are innovative and secure solutions to choose from, such as Adaptive Authentication or One-Touch offered by Futurae.
It also does not need to be built in-house, draining engineering resources and accruing high overhead to maintain and support. Typically, you can integrate 2FA solutions via an API. With Futurae, one RESTful API gives you a range of user-friendly authentication methods and automatic fallbacks. We also offer a Web Widget that lets your developers integrate the Futurae Authentication suite into your workflow in under an hour and requires no maintenance whatsoever. Learn more about it here.