Startups: Ignore cybercrime warnings at your peril


Rebecca Ledingham, director of security monitoring and response at Mastercard, explains why tech startups need to pay close attention to impending cyber threats.

With so many data breaches falling beneath the glare of the mainstream media, those running startups could be forgiven for thinking this is something that only happens to the corporate giants. The sad reality is that thousands of British small businesses are getting attacked each year.

Despite this, half of all UK SMEs spend less than £1,000 on cyber defences, according to the insurance company, Zurich. Many spend nothing at all. And while tech startups are clearly savvier than to completely ignore the threat, to what extent are they aware of just how much they are a target?

Internationally, many big brands seem to be the target, but the landscape is very different in the UK, where hackers also see the startup community as a soft target in addition to large organisations.

Many small businesses are using free software to set up websites and gear themselves up for accepting digital payments and this often leaves them falling short of even the most basic industry security standards.

The criminals know about these weaknesses and are actively exploiting them. They use Google Dorks and general scanning tools to sift through sequential blocks of IP addresses for operating systems that have known vulnerabilities.

Once they start drilling down to the types of operating system businesses are using, they can go onto a given website and look for flaws in their code. It’s the digital equivalent of an opportunistic burglar looking for properties with weak locks, open windows or no alarms.

Very often the culprits are sporadic actors from North Africa and the Far East.

The risks

Most SMEs won’t survive a breach. If you’re buying and selling on the internet and you’re hacked, you’re likely to go out of business.

As well as needing to protect your own business, there is a moral responsibility. It is never just credit card data that’s stolen, it’s personally identifiable information, which can ruin people’s lives.

So the advice on cybersecurity is simple: invest and invest well – don’t scrimp on costs.

Let’s take a small retailer who hasn’t patched their security software. A hacker breaches their systems and steals data which is then available on the dark web within 24 hours, and the data sold almost immediately. The spike in fraud levels is directly attributable to that retailer.

The card schemes, the retailer’s bank or the bank that issued the at-risk credit cards will all be able to spot this.

When it comes to accepting card payments, our advice to small businesses is simply to work with a third party payment facilitator. Startups also have the chance to “split” contracts with others to reduce costs.

By doing so, you’ll be closer to compliance with the worldwide security standard, PCI DSS, which was created to help businesses process card payments securely and reduce card fraud.

In terms of what you can do as a business, the industry is also creating other solutions.

Tokenisation is one technology that will transform security because any transaction data stored is anonymous. With this in play, when a digital payment is made, a token is created to replace sensitive card data using encryption.

This token takes the form of a new, virtual 16-digit number that represents the physical card number. This is the technology Mastercard has helped to create for mobile payment schemes like Apple Pay. A separate token is assigned to each of a consumer’s devices. If it’s intercepted by hackers, it’s useless to them. No real card data is transferred to retailers.

As the use of tokens steadily grows, it will reduce the emphasis on storing your card details with businesses. Criminals cannot decrypt these tokens so the data has no black market value, and as a result businesses will be less exposed.
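To make the idea concrete, here is an added illustration of what a payment token vault does; it is example code written for this page, not Mastercard’s, Apple Pay’s or any scheme’s implementation. The article describes the token as produced “using encryption”; this example instead assumes the other common tokenisation design, a random 16-digit surrogate that is only linked back to the real card number inside a vault the merchant never sees. The vault class, the `device_id` binding and the test card number `4111111111111111` are all constructed for the example.

```python
"""Minimal payment tokenisation vault (illustrative example, not a production design).

The merchant only ever receives and stores the token. The mapping from token
back to the primary account number (PAN) lives solely inside the vault, and a
token is bound to the consumer's device that requested it.
"""
import secrets


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit for a string of digits that lacks one."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # the digit nearest the (future) check digit is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if a full card-style number passes the Luhn check."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit, counting from the check digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Issues random, format-preserving surrogate numbers for real PANs.

    Hypothetical class for this example. Because tokens are drawn at random
    rather than derived from the PAN, a stolen token carries no information
    about the card and cannot be reversed without access to the vault.
    """

    def __init__(self) -> None:
        self._by_token: dict[str, tuple[str, str]] = {}   # token -> (pan, device)
        self._by_pan_device: dict[tuple[str, str], str] = {}

    def tokenize(self, pan: str, device_id: str) -> str:
        """Return the token for this (PAN, device) pair, minting one if needed."""
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        key = (pan, device_id)
        if key in self._by_pan_device:
            return self._by_pan_device[key]  # one stable token per device
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(15))
            token = body + luhn_check_digit(body)
            # Never reuse a token, and never hand out the real PAN by accident.
            if token not in self._by_token and token != pan:
                break
        self._by_token[token] = key
        self._by_pan_device[key] = token
        return token

    def detokenize(self, token: str, device_id: str) -> str:
        """Resolve a token to its PAN, only for the device it was issued to."""
        entry = self._by_token.get(token)
        if entry is None:
            raise KeyError("unknown token")
        pan, bound_device = entry
        if bound_device != device_id:
            raise PermissionError("token is bound to a different device")
        return pan


def merchant_checkout(vault: TokenVault, pan: str, device_id: str) -> dict:
    """What a retailer keeps after a tokenised payment: the token, not the PAN."""
    token = vault.tokenize(pan, device_id)
    return {"token": token, "last4": pan[-4:], "device": device_id}


if __name__ == "__main__":
    vault = TokenVault()
    record = merchant_checkout(vault, "4111111111111111", "phone")  # constructed test PAN
    print("merchant stores:", record)
    print("vault resolves:", vault.detokenize(record["token"], "phone"))
```

The point of the `device_id` binding is that each of a consumer’s devices gets its own token, so a token lifted from one channel cannot be replayed from another; the merchant record contains nothing that maps back to the card outside the vault.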

The government will also make it mandatory to report on security lapses, and businesses will be held more accountable.

This kind of oversight is long overdue. This is because every year the number of business cyberattacks exceeds the last and this trend is set to continue.

We are currently working on an aggressive education programme with retailers in particular, alongside Europol, the police and the banks.

Small businesses have never been more targeted. The default position must be a case of when, not if, they will be breached.

Ignore cybercrime warnings at your peril.