Bigger partners, bigger risks: The cyber security challenges of scaling a startup

Expanding to work with larger partners or clients is exciting for any small business. But it also brings with it some significant new risks in terms of cyber security.
And that's in addition to the cyber security risks small businesses face even before they start to expand. Jon Oberheide, co-founder and CTO of Ann Arbor security company Duo Security, says cyber security is a "real challenge," the scope of which many small businesses don't fully comprehend. Small businesses lack the financial resources and personnel their larger counterparts have to protect themselves from cyber attacks, and hackers are taking notice.
"Attackers have realized that smaller organizations are a soft target," Oberheide says. "While they might result in a smaller payout individually than a larger organization, it's easy for cyber criminals to scale their attacks, and there're millions of such businesses globally to go after."
While larger companies might have the financial wherewithal to weather the storm of a hack, Oberheide says a cyber attack can "effectively wipe out" a small business. And developing new relationships with larger partners only paints a bigger target on a small business's back. Oberheide points to the much-publicized 2013 cyber attack on Target, in which hackers accessed as many as 40 million Target customer accounts and made off with credit and debit card numbers and other personal information.
But the attack, whose victims Target settled with for a whopping $10 million, started from a much humbler place. The hackers accessed Target's systems with credentials stolen from Fazio Mechanical, a Pennsylvania-based refrigeration company that had worked with Target as a subcontractor.
"This is a common occurrence in the real world," says Oberheide.
With risk comes opportunity
Although moving up in the world can draw fresh and unwanted hacker attention to a small business, new partnerships with larger organizations can also open up new ways to keep a small business safe in the digital world. Oberheide notes that larger businesses may exercise due cyber-diligence with a new, smaller partner by imposing new security standards on them. That could include demonstrating their security is up to snuff with a service organization controls (SOC) report or an ISO 27001 certification.
"If the small business is a service provider to the larger organization, the additional security controls and certifications may be a challenge, but will also level up the maturity of the business when it comes to security," Oberheide says.
Duo's iPhone appThe transition for an expanding small business could also bring access to other useful new resources. While some small businesses start out building their own digital infrastructure, there can be significant benefits to outsourcing email, data centers and other infrastructure to the cloud-based services that a larger partner may offer. Oberheide says this can cut costs and improve productivity, as well as offering a more secure environment for a small business' infrastructure.
"While moving services and data to cloud services may make some businesses nervous, it really is a boon for security," Oberheide says.
According to Lorne Groe, small businesses should be looking towards outsourcing those systems even before they start forming bigger partnerships. Groe is the COO and CFO of Deepfield, an Ann Arbor security company. He also previously worked on scaling smaller businesses including (since acquired by Valassis) and Triplex (since acquired by infoUSA).
"Businesses wait too long to outsource their data center," Groe says. "They try to build it in their own closet. And really [Amazon Web Services] is a great option for folks. Google has the same products. Microsoft has similar products and so do traditional data center guys as well."
Staying proactive
So what's a small business to do to keep its cyber security up to snuff for the possibility of moving forward with larger partners? Groe says it's important for small businesses to be open-minded and proactive about developing and protecting their infrastructure.
"There are a lot of folks, and we deal with them even at Deepfield, where they say, 'I'll never use a hosted service. It has to be in my data center, in my infrastructure,'" he says. "It's just a legacy way to think. But some people kind of grew up on that and that's how they do business. So when they go to a startup, they bring that mentality."
Oberheide lists his top three tips for strengthening cyber security in a growing small business: keep your software up to date, use encryption, and use two-factor authentication. The first two steps seem rather basic, but Oberheide says they can be challenging for small businesses who don't have the IT capability larger businesses do. Where a larger company might provide corporate computers and mobile devices with regularly updated software, "BYOD"–bring your own device–is often standard procedure for their smaller counterparts.
"Beyond mobile devices, employees may be using personal or shared computers…to access corporate resources, and there's very little an organization can do to prevent that potentially risky behavior," Oberheide says.
Oberheide is partial towards his third tip–using two-factor authentication–because it's his company's specialty. (Cyber experts back up his assertion that the technology–which one-ups the traditional password by requiring a second, independent point of user identification–is becoming increasingly accessible, prevalent, and important.)
In any case, Oberheide says it's important for any small business to "focus on the fundamentals" of cyber security–whether it's just getting started, or building its first relationships with larger companies.
"Getting the most bang for your buck is critical," Oberheide says. "Ensuring that any security controls are easy to use and manage is key."
This story is a part of a statewide series about cyber security and small businesses edited by Lauren Fay Carlson. Support for this series is provided by the Small Business Development Center, which has just launched a free online security assessment tool and resources at to help small businesses measure their cyber security preparedness.

This story is the fourth in a statewide series about cyber security and small businesses, supported by the Michigan 
Small Business Development Center. Read the rest of the series here.

Patrick Dunn is an Ann Arbor-based freelance writer and Senior Writer at Concentrate. Follow him on Twitter @patrickdunnhere.

Photos by Doug Coombe.
Enjoy this story? Sign up for free solutions-based reporting in your inbox each week.