How to start a cybersecurity company and survive

2017 was the year of the ransomware, 2018 was the year of cryptominers – it’s unknown what the biggest cybersecurity threats to businesses will be in 2019, but one thing is for sure – cybersecurity is needed more than ever. You can check a list of some of the best companies in cybersecurity, and don’t see them as competition, but rather try to aspire to them. That’s the good news if you’re interested in starting a cybersecurity company. There’s a lot of room for growth, and for new companies.

There are two ways to get your cybersecurity business off the ground. Starting locally, and growing online. The services you can offer may vary by your physical presence, but in some cases not entirely. As a final note before we begin, evaluate yourself realistically. There are a number of free cybersecurity courses you can take online, even if you think you know it all, you might pick up something new.

Starting a local cybersecurity business

If you live in an area with a lot of small to medium businesses (SMBs), it’s a good idea to start approaching them and explaining your services. Have some statistics ready for presentation, such as;

• 58% of malware attacks target small businesses
• 77% of modern attacks use “fileless” exploits, which circumvent antivirus
• 81% of SMBs report that exploits and malware evade their antivirus

It’s important to stress to potential clients that traditional antivirus software is simply not enough protection. Antivirus mainly protects against infected files – but as we said, 77% of modern attacks are based on fileless exploits. Outline the story of EternalBlue to them – people love a good Tom Clancy thriller.

In any case, the services you should focus on offering local SMBs are consultation, exploit patching, and updating of critical systems. For example, EternalBlue-based attacks like WannaCry and NotPetya were so successful, because all of the infected companies had not updated their systems with the security update released by Microsoft.

As you’re updating their systems, take the time to explain how hackers generally attack businesses. Explain the concepts of social engineering, two-factor authentication, and other security measures. A great way of increasing client loyalty is to make them feel empowered to do some of their own security.

A lot of companies don’t really enjoy working with IT – they see us as “the IT guys”, who just kind of fix computers and nobody knows how (bear with me, because you and I know the difference between IT workers and cybersecurity workers, but “regular” people lump them together). Some even believe IT / infosec is useless in the office, and treat IT almost like insurance, like IT workers are only useful when something actually happens. They don’t stop to think that a large part of the job is preventing something from happening in the first place.

So try to build rapport with your clients and take the time to explain what you do, and what they can do to help themselves.

Taking your cybersecurity business online

This is a bit trickier, because you won’t have physical access to potential clients (and their hardware), but there’s a number of things you can still do. Many SMBs have things like social media pages, online stores with WordPress as a backend, and other vulnerable online presences.

As an example, I used to consult for an online creative writing and translation agency. This particular agency had contracts with a number of high-profile international brands, such as international news websites. This agency translated and published news articles in a variety of languages on behalf of the news companies.

To my horror, one day I discovered they’d been keeping a list of employee passwords, WordPress accounts, project management system passwords, you name it, in a single Google spreadsheet. It’s like, you know, one successful attack, and a hacker suddenly has access to publish whatever they want on a variety of international news websites, because of a small translation agencies’ security flaws.

So obviously, the services you can offer to online SMBs will generally be consultation, security risk assessment, and pentesting. You can also help clients update their firmware remotely, with remote desktop tools.

How to survive

Success doesn’t come overnight, and you’ll spend a while getting your cybersecurity company off the ground, establishing a list of clients, and getting your name recognized. The good thing is that the industry desperately needs good cybersecurity workers, there isn’t a huge amount of competition. It’s a competitive market, no doubt, but it’s not oversaturated. You’ll find success if you’re good at it – being good at it is the key.

So just always keep up with the latest infosec news, the latest types of threats and exploits. Be prepared to explain to your clients these same things. Make them aware of what you do, and how cybersecurity is a preventative measure, not a reactive measure. Though of course, there will be times you’re hired to clean up the mess after a bad attack.

By Katherine Green, who has a degree in computer sciences and solid experience in the gaming industry under her belt, but she is a cybersecurity newbie and loves playing tennis.

If you would like to have your company featured in the Irish Tech News Business Showcase, get in contact with us at Simon@IrishTechNews.ie or on Twitter: @SimonCocking