A Developer’s Guide to Startup Security: 5 Common Threats

By the start of January 2014, renowned bitcoin exchange Mt. Gox was handling over 70% of worldwide bitcoin transactions. But by the end of February, it had declared bankruptcy.

What happened?

Let’s rewind. In June 2011, Mt. Gox suffered its first (yes, first) hack. A compromised computer—likely belonging to an auditor—was hacked. The hacker, who must have gained extraordinary admin privileges, dropped the value of Bitcoin to a penny and sold about 2,000 Bitcoins from customer accounts.

To outsiders, this appeared to be an isolated incident, and the company—despite reports of inner turbulence—marched on. In 2014, however, leaked documents revealed that hackers had stolen 744,408 bitcoins that belonged to Mt. Gox customers and 100,000 bitcoins that belonged to the company. In a matter of weeks, the company went from industry leader to outright insolvency.

Years later, many victims still don’t have their money.

Mt. Gox was riding one of the biggest technological waves in history, and a hack took it down.

With unlimited resources, there’s a lot you can do: Hire a security engineer. Hire a chief security officer. Buy every security tool on the market. In reality, your startup may not yet have a full-time DevOps engineer or IT administrator (much less a security engineer), and you don’t have the budget for a large basket of security tools.

Luckily, there are ways a smart developer tasked with startup security can do a lot with a little. And the earlier you build security into your company's DNA, the better off your security posture will be later. This is an investment that will pay off in both the short term and the long term.

5 Common Security Threats Facing Your Startup

In this section, we’ll outline five of the most common threats likely to hit your startup, and in the next section, we’ll map these threats across 15 ways even the most time-strapped developer can help secure their company.

1. Data Breach

A data breach is the most common threat facing startups. A data breach, quite simply, is when someone accesses information they’re not supposed to be able to access. It most often refers to a hacker breaking through an organization’s defenses and extracting private information.

A RiskBased Security report found that data breaches exposed over 7.9 billion records in the first nine months of 2019 (a 33% increase from 2018). A follow-up report showed that by the first quarter of 2020, that pace had only quickened. You can see some of the biggest breaches in the image below.

For a startup, the consequences of a major data breach can be fatal. Even if you don’t rise to the infamy of a Mt. Gox, a small breach can still cause future customers to distrust you. Getting traction and finding product-market fit is hard enough; a data breach in your history makes it a steep uphill battle.

2. Phishing

Phishing is when a scammer tricks someone into giving up their private information via email or text. There are a few varieties, some of which you’ve probably seen before:

• Dear employee, it’s the CEO of [YOUR COMPANY]. I need you to give me your username and password so that I can ...
• Please log in to your Google account here at g00gle.com to ...
• This is IT, and there’s been a security breach! Send me your username and password so I can reset them for you and ...

You might laugh, but when you’re overwhelmed, distracted, or busy, anyone can click a link without thinking too hard about it. Just look at this example from Imperva.

‍
With enough tries, catching victims when they’re busy, even rudimentary attempts like the one above can yield phishing gold.

In phishing attacks, there is a range of complexity and sophistication. The ones above are fairly obvious, but two other types, spear phishing and whaling, will target particular people with much subtler tricks.

According to a Verizon report, phishing was involved in 32% of data breaches in 2018. If you think your company is above that, know that the same report showed that 30% of targeted users would open the phishing messages. You need only one distracted, overwhelmed, innocent user for accounts to be compromised, have data stolen, and have businesses damaged.

Just to make things worse, the threat of phishing has only gotten worse with the COVID-19 pandemic. Multiple cybersecurity experts have noted a dramatic uptick in phishing schemes since the pandemic hit, as attackers try to prey on people’s curiosity and desperation.  

3. Cryptojacking

Cryptojacking is a particular type of malware that involves an attacker embedding scripts in your system (especially servers) and essentially commandeering your compute resources to mine cryptocurrency. If you think your computer fans are loud when loading Slack, just imagine how loud they’ll be when they’re mining, too! Hackers can then retrieve that crypto and then (depending on price volatility, of course) sell it for a big profit.

ENISA, the European Union Agency for Cybersecurity, lays it out well in this diagram:

‍
Cryptojacking is the newest form of threat on this list, but the speed of its rise is dramatic. Malwarebytes reports that since 2017, cryptojacking has been the top threat the company has detected. Oracle, for instance, patched a flaw in its WebLogic Server that let in cryptominers, but by the time it was fixed, many universities had already been infected.

4. Ransomware

Ransomware is another form of malware that, if possible, is even more malicious than cryptojacking. Rather than commandeer your resources, hackers use ransomware to commandeer your files. Then, they extort you to get them back.

A report from Group-IB found that ransomware extorted users for over $1 billion in losses in 2019 and 2020. One type of ransomware alone, called SamSam, has cost victims millions of dollars.

In the graph below, also from Malwarebytes, you can see that SMBs and startups are likely victims.
‍

More than a third were hit by ransomware, and almost a quarter had to cease business operations because of the attack.

5. DDoS attacks

A distributed denial of service (DDoS) attack is when attackers overwhelm your server or service with so much traffic that it shuts down. They typically accomplish this by funneling requests through a multitude of compromised computers and IoT devices (yes, for all you know, your new smart microwave could be helping take down another company’s server).

Cloudflare compares this to a stream of cars merging onto a busy highway and gumming up the works.

Attackers can then demand a ransom for the return of functionality.

Note: Each of these threats is different, but they also intersect with one another. Phishing can cause a data breach, and a DDoS attack often involves malware. Protecting against one of them typically involves protecting against all of them.

Solutions to Keep Up with the Threats

There’s a fair chance at this point, you might feel like you just watched a documentary like Seaspiracy— you’re overwhelmed, you probably really wished you hadn’t, and now you’re swearing off seafood and sushi for the rest of your life. It’s crucial to be considerate of these common startup threats, but digital minimalism isn’t the solution for security, especially if you’re in the business of improving technology and the workplace.

Keep in mind: For every threat that emerges, new solutions and methods of prevention also come up as well. Everybody learns with each vulnerability. Security is an investment; a dollar saved is not earned.

In the second part of this post, we’ll cover 15 ways you can secure your startup against these common threats—including authentication stacks (involving Yubikeys and Magic Links), user provisioning, edge networks, audit logs, and coding best practices. You can also read some of our other blog posts, including these ones on SOC 2 compliance and security policy document examples.

—‍

Security is our top priority at WorkOS. If you want to learn more about how we approach security, learn more by downloading this white paper.