Protecting startups from the get-go

It’s 3 a.m. Despite your family’s “no Internet after dinner” rule, your smart, web-connected refrigerator is rebelling, repeatedly attempting to load the same site. The mustard is not trying to catch up on the news; your ice box has become a zombie in a hacker’s army – a botnet, in industry lingo. While the so-called “Internet of Things” allows for the connectivity of an increasing number of previously “dumb” devices and appliances, their link to the global internet presents a vulnerability hackers have already begun exploiting.

With the exponential growth of online risk, of course, comes both an opportunity for consultants and companies specialized in providing cyberdefense, and the need for companies large and small to increase security spending. In the last six years, venture capitalists have grown keener to cash in on the flourishing cybersecurity market. Startups focused on data protection attracted $3.48 billion in investments in 2016, down slightly from $3.9 billion in 2015, but 76 percent above the $833 million poured into young data defenders in 2010, according to research company CB Insights. The company also reports that in 2015, four cybersecurity startups attained so-called “unicorn” status (meaning their value was in excess of $1 billion), with one more of the mythical beasts joining the stable in 2016. Tech news websites feature lists of the 20 hottest cybersecurity startups to watch. A quick view of such lists reveals that a career move from protecting the state to the private sector is a potentially lucrative choice for specialists in this field – a number of newer ventures boast former Israeli or US digital warriors at the helm or among the top brass.

While niche specializations, such as fintech, are beginning to develop in the Lebanese entrepreneurship ecosystem, cybersecurity is not one of them.

A short list

Since Lebanon’s entrepreneurship ecosystem first began buzzing around 2001, it has produced a few cybersecurity companies – consultancy seems more popular than solutions-provision, although exact numbers are difficult to come by – but according to Executive’s research, since 2013 there have only been two startups with an incorporated cybersecurity focus. The first, Myki, has been profiled in the magazine before but was not available for an interview. The password-management company is now listed as a portfolio company on the site of local VC Leap Ventures, and – according to an unsourced announcement on Crunchbase.com – raised $1.2 million in a third funding round at the end of January. Myki founder Priscilla Elora Sharuk told Executive in March 2016 that the company had raised $600,000 up to that point.

Early last year, Universant Technology Corporation became the newest local entrant to the cybersecurity market, founder Joe Hage tells Executive. Hage has a background as both a successful entrepreneur and a security specialist. He explains that his rapidly growing company – which has doubled its workforce in the last 12 months – was born primarily to leverage Hage’s network of contacts. Along with an angel investor providing the company with an initial capital boost, Hage had “seed clients,” i.e., “contracts in hand pending incorporation.” He has bold ambitions, hoping to identify and nurture local talent to win big-ticket contracts in the Gulf, and has secured one so far. To this end, Hage says Universant partnered with the American University of Science and Technology (AUST) and has created an informal group of security researchers, which he describes as “almost an R&D staff.” He lists acquisition as an exit strategy but talks with a passion that suggests he may shed a few tears if ever asked to hand his baby off to new parents.

Aware of the risks

While Lebanon’s ecosystem is not pumping out cybersecurity startups, data protection is on everyone’s mind. Jana El Husseini, project coordinator at Smart ESA, says the new incubator and accelerator run by the Ecole Superieure des Affaires – a local business university established in 1996 – will teach the startups it hosts security basics. Ramy Boujawdeh, deputy general manager of Berytech, explains that security is taught as a module in the education program that the Berytech incubator provides to all startups there.

Fares Samara, the chief technology officer at the accelerator Speed@BDD, teaches young companies security basics, but notes that as Speed works with idea-stage companies that have yet to develop minimum-viable products, few students under their tutelage have advanced security needs. Pointing to the growth of what he called “infrastructure as a service,” an evolution of software as a service made possible by cloud platforms from companies like Microsoft, Amazon and Google, he half-jokes that IT staff in early-stage companies don’t even need to understand how to set up a secure server (as the Microsofts, Amazons and Googles are doing that for them nowadays). As startups grow, managing the increasing amounts of data they collect becomes more complex, requiring either customization of back-end infrastructure offered by third-party providers or the design of an in-house back-end, which is where most vulnerabilities can surface, Samara explains. Once a startup begins to expand, its internal security needs grow, he says.

Security by design

Online advice for startups thinking of their own security frequently notes that it is easier and cheaper to build securely from the beginning (even if this includes upfront costs like penetration testing and causes some delay in bringing a new product to market) than to try to patch vulnerabilities after intruders have gotten in. It was with this advice in mind that the local carpooling app, Carpolo, opted to build its own back-end early on instead of relying on a third party, company co-founder Ralph Kheirallah tells Executive. Kheirallah echoes Samara in noting this infrastructure will add the most value to the company as it grows, but argues it was worthwhile to invest from day one. Carpolo is using a business-to-business model – pitching itself to employers, a shift from the initial B2C model – and currently finding interest among local banks, clients with very strict security requirements.

Locally and globally, banks are high-priority targets for cybercriminals (see overview page 16) and security is a top concern for startups looking to enter the financial sector. Saeb Nahas – a manager at Phoenician Funds, a local VC with a fintech, e-government and health care focus – explains that portfolio fintech companies go through extra screening to ensure their systems are secure. “We have experts who go in and do fake attacks” to “pinpoint problems” early on for portfolio companies, Nahas says. Additionally, security evaluations are part of Phoenician Funds’ due diligence when evaluating an opportunity, he notes. 

Never too small

With the increased sophistication of cybercriminals, and the ease with which they can attack, small companies today have to be far more aware of threats – and better prepared for attempted intrusions – than they were even five years ago. Mario Gaudet, chief technical officer for Economena Analytics, talks of a war being fought by the minute. The company is a platform for economic data for the Middle East and North Africa region. Gaudet says his network analytics reveal attempted attacks almost 24 hours per day, with “at least” 20 attempts per hour. Hacking, he says, “has become a business.” Defending against increasingly savvy criminals, therefore, is a need that will only grow for companies of all sizes.

By all accounts, Lebanon’s entrepreneurship ecosystem understands the security threat, but as safe and secure as a system can be, everyone interviewed for this article reiterated some version of a joke security professionals are rumored to frequently make: “there’s no patch for human stupidity.” Whether it is reusing weak passwords for every account or sending sensitive data over an unsecured Wi-Fi connection, people remain the weakest link in the cybersecurity chain.

Matt Nash
Matt is Executive's Economics & Policy Editor. He has been reporting on Lebanon since 2007 with a focus on oil and gas, policy and legal matters.

© Executive 2017