Operating Security Through Obscurity Does Not Work In The Long Term

In an interview with Silicon Luxembourg, Koen Maris, PwC’s Cybersecurity Leader, talks about the cybersecurity challenges that startups might face when launching and starting their own activities. No matter the size of your company, data and user protection have to be taken seriously. “If they do not implement proper measures, this could ruin their business forever,” warned Koen.


Koen, how concerned should startups be about cybersecurity?

People tend to forget that cyber threats are omnipresent, no matter the size of the company. Startups should invest in cybersecurity to the full extent that their budgets permit. They do not need to have the same state-of-the-art technology and the sophisticated level of security that a national institution would need to preserve the data of the whole population. But it needs to be sufficient for the business to run securely and for the users to operate their solutions safely. Even if the goals are different, the risks remain similar.

What resources should a startup dedicate to cybersecurity?

The number of people working for a business is not an accurate measure to determine the extent of investment needed in cybersecurity. Instead, the number of systems and the data volume that needs to be protected are a more relevant and useful measure. These will help startups to determine the size of the team to allocate for these tasks. A one-person company (an individual entrepreneur) with a cloud provider hosting their data and offering sound protection features could manage cybersecurity tasks alone. It might be enough for the entrepreneur to follow the practices available on the Internet, such as the information provided by websites like cases.lu or smile.lu.

In terms of budget, I suggest startups allocate around 10-15% of their IT spending to cybersecurity solutions, including a firewall, protection against viruses, a data-encryption program, and a security alert. A relatively limited budget shouldn’t be an excuse for not having a decent cybersecurity infrastructure. Cybersecurity expenditure has to align with the business model and budget.

For instance, a simple PC of approximately EUR 800, plus EUR 100 to acquire the operating system, and another EUR 30 per year for an antivirus or a firewall are sufficient. People usually spend much more money on their smartphones.

What would you suggest to startups who want to implement a decent and desirable Internet security protection scheme?

Startups should at least have a firewall and a web filter ensuring that their staff do not go everywhere on the Internet from the company network. A decent VPN infrastructure is, of course, key nowadays. Furthermore, an antivirus solution with some monitoring features is also desirable. This application shall enable the tracking and logging of everything in case something goes wrong.

What should startups look at, particularly when using cloud storage services?

A clear distinction needs to be made: cloud suppliers are responsible for the security of the cloud itself. But the security in the cloud remains the user’s responsibility.

A key takeaway: the user—the startup in this case—should perform its own updates and be the master of its own encryption keys. They also need to ensure that the access to these resources is protected adequately, namely, with a multi-factor-authentication solution.

“If startups do not implement cybersecurity measures, this instead is what could hold them back or ruin their business.”

Some companies prefer to have their data hosted in Luxembourg-based data centres. What is your view on that?

This makes life easier for companies that deal with regulators in the Grand Duchy, such as the CSSF or any other regulatory bodies. It also makes their life easier on matters such as GDPR. The world is changing and we definitely need a European-based cloud.

Cybersecurity is also about human behaviour. What is your take on that?

Dealing with such issues is easier for startups, due to the small number of employees and the proximity of their staff. But of course, the tone has to be set from the top.

If the founders do not care much about security, the staff, therefore, will follow the trend. Creating a perfect culture of security is however a bit utopian. It is like dreaming that there will be no car accidents anymore. As long as humans are driving, car accidents will always happen, and that applies to cybersecurity as well.

What cybersecurity practices and processes should startups implement with their suppliers and clients?

They need to be very transparent with their clients regarding their data. Transparency is key, so they should not operate security through obscurity, because this will not work in the long term. If suppliers are important for business operations and the overall business survival, startups should impose security requirements and include them in their contracts.

They should also assess, periodically, their suppliers’ stand on security. And if they do not have time to do that, they should turn to a partner that does. We see an increasing demand – from big corporations and now small companies that have just passed the startup stage – for a third-party assessment of their suppliers.

Could cybersecurity slow down startups’ business development?

If startups do not implement cybersecurity measures, this instead is what could hold them back or ruin their business.

“Data and user protection will become the most important issues we are faced with.”

Is encryption something startups should bet on?

If you are transferring data, then data should be encrypted. Today, one can’t trust networks anymore, not even local network suppliers. The same applies to data stored outside your controlled environment. It even applies to data stored on a laptop: there is no reason why you should not encrypt your laptop. Encryption technology is there and it’s free. You have it on Windows even. So use it!

How should startups engage in ethical hacking? And what are its benefits?

Startups need to hire an external expert and rely on them. There is no doubt about that. Ethical hacking is not a topic you can learn in a course of six months; it requires a lot of experience and it calls for a particular state of mind. If you are gifted and can do it on your own, you can get an immediate view of your security situation. You then know where it is lacking, so you can have a plan to remedy the most pressing issues.

With the increasing development of cloud transformation and digitization, the protection of applications and infrastructure will not be a relevant topic anymore. However, data and user protection will become the most important issues we are faced with. Cybercriminals will target individual endpoints such as servers, laptops, tablets, or phones: the devices on which data and security rely.

Since March 2019, Koen Maris has led the cybersecurity practice at PwC Luxembourg and is in charge of responding to growing client needs. He also leads the firm in creating new services in partnership with startups and larger companies, and keeps an eye on the latest trends in the market. His team, which consists of 17 people, specializes, among other things, in penetration and intrusion testing, incident response, and security organization.
