While cyber-attacks continue to grow and evolve some companies are claiming to be “non-hackable” – and they’re often startups. The problem with this logic is that it is simply incorrect; all companies are potentially vulnerable to being hacked.
“Every organization can be hacked by a clever person with patience. I personally avoid all companies who say they are non-hackable.”
We had the opportunity to speak with Barbera about angel investing, how serious startup companies are taking cybersecurity, and what he is looking for a startup company to have in place in terms of cybersecurity before he invests.
Our edited conversation follows.
As an angel investor, when a startup company tells you that they are “non-hackable,” what is your initial reaction?
So, a cloud storage company comes up and says you can store your files with them. Those files are encrypted, and once it is on their server if it were to ever get hacked, the hacker would receive an encrypted file and it looks like a bunch of junk. That means nothing to me. If the US Army can get hacked, if the CIA can get hacked, so can your little company. Nothing is foolproof, so why are you going around and saying it is? I don’t think they can practice what they preach.
Do you think these startup companies are simply saying what you would want to hear, or are they ignorant and truly believe they are “non-hackable?”
I think there is a lot of ignorance, and I think these companies really believe that they have a product or service that is foolproof. I also think some say it as a marketing technique for non-tech savvy people. If you had a baby boomer generation target market, they don’t know much about IT, or the Internet and how it works. They can barely operate a Facebook account. So when they hear a service is “non-hackable,” they are more likely to use that service. So it might be a marketing technique for some companies.
Years ago, LifeLock had an actor or spokesman put their social security number on a commercial. He got hacked.
[Laughs] Well of course he did.
What is your overall view on how cybersecurity is evolving when you learn about these new companies?
It really changes based on each company’s business model and strategy. So when you have a startup dependent on their budget and their goals, IT and security may or may not be a big part of it. It all depends on what they are doing.
Say you have a small mom-and-pop shop that is selling goods from their brick-and-mortar store that is also selling on their website, their minimal requirement is to be PCI compliant. Their biggest concern is being hacked. In the larger scheme of things, hackers will probably won’t look at a smaller target like a mom-and-pop store. It might not be beneficial to them.
Other companies who do more stuff on the Internet have more of a liability to protect that information, so they need to take it more seriously.
Focusing on cybersecurity, when you are looking to invest in a company, what are you hoping to hear from them when making a decision to invest or not?
If it was anything more than being PCI compliant, I would want them to have an in-house IT specialist that could provide the services needed. If it is a smaller company needing to be PCI compliant, we can outsource that. It really goes toward the organizational services that they are working with. If they are working with people’s finances, then we are going to have to implement advanced security systems. If they are working with names, addresses, and they are PCI compliant, that is a different story. There are different levels, and it really goes back to business models.
What you have to understand is a lot of people – like small business owners – their everyday life is making a sale. On top of that, while they are sweeping they are supposed to do their books, their IT, and their taxes. A lot of people don’t think about [cybersecurity] until it is too late, and that is unfortunate.