Small businesses recently received a huge security wake-up call with the recent attack on local web hosting company Distribute IT.
The exploits of groups like Anonymous and Lulzsec attacking big corporations and intelligence agencies have demonstrated the importance of high-level security, but the Distribute IT scandal highlighted the fact that start-ups are also at risk.
A malicious attack by hackers forced the company offline and eventually the data of a large number of customers was lost because Distribute IT had poor backup facilities.
It raised a number of worrying questions for start-ups. Could it happen again? Are start-ups more at risk than larger firms? And what are the main ways that start-ups are vulnerable to losing data?
Distribute IT not a one-off
While thousands of businesses were brought to a standstill because of the Distribute IT backup failure, local start-up RecruitLoop suffered a similar fate with another host provider.
RecruitLoop is a web-based recruiting system and founder Michael Overell says the application was offline for two days because its hosting provider experienced a server crash.
He admits it was lucky the product was only in beta at the time so there was a limited impact on customers, but the outage meant that some parts of the code had to be completely re-written.
“We fortunately didn’t lose any data, but were offline for an unacceptable period. It’s lucky we were still in beta,” Overell says.
The business has fully recovered from the ordeal – the full version was recently launched – but the experience forced the fledgling company to completely revisit its backup solutions and processes, including daily off-site backups.
“We’re investing much more time and dollars into a robust solution,” says Overell. “We have also fully simulated a crash and backup situation. The lesson is that it’s an ongoing process, not just a one-off activity.”
“We invested more money than originally planned on network and data security. We implemented daily offsite backups, so that our data is securely stored independent of our hosting provider.”
Yes, this could happen to you
This incident is a pretty typical example of the start-up mentality that “it won’t happen to me”.
Despite being bombarded with stories about hacking attacks and outages, the problem is actually under-reported, according to Drazen Drazic, CEO of specialist security consultancy firm Securus Global.
“They’re happening all the time to various degrees of impact to organisations,” Drazic says.
“What you read in the press is the tip of the iceberg to what we see out there. The scary thing is that many organisations don’t even know they’ve been attacked or compromised.”
While he said that start-ups aren’t on the radar of hackers, he said that it does happen, and a start-up has more to lose because the impact of a “random” attack could pretty much ruin the reputation of a new venture.
“Ostrich Risk Management”
The reason that most start-ups are vulnerable is because they have their head-in-the-sand when it comes to security, according to Donal O’Duibhir director of Nodecity, a network and security consultancy that helps socially minded businesses and start-ups.
“Many entities both large and small employ a placebo form of ‘Ostrich Risk Management’ when dealing with uncertainty,” according to O’Duibhir, who has spent the past 10 years in security, network and technology risk management teams for global multinationals.
“The nature of networked devices and humans is that there will always be an attack of some sort and as such, a high impact event tied with a low probability is always possible.”
This high-impact, low-probability event was what happened in the case of the Distribute IT attack, according to Patrick Gray, founder of security media publication Risky Business.
This type of attack will probably happen again, he says, and it won’t just affect internet-based businesses but also SMEs and start-ups that rely heavily on technology.
“The only reason the hack made the news in such a spectacular way was the company’s apparent lack of a decent disaster recovery plan,” Gray says.
“There were gaps in its offline backup regime that meant some customer data was simply wiped off the face of the internet.”