In this blog post I am publishing the results of an online survey I conducted for my master's thesis. Because the thesis targeted "Information Security in Software Startups", the survey is all about how Austrian Internet and software startups deal with information security. The results showed me where I need to put a special focus when specifying the Lean Startup Security Guide.
Figuring out the number of candidates needed
With an estimated population size of 325 software and Internet startups in Austria (according to http://www.austrianstartups.com/map/), a confidence level of 90% and a margin of error of 10%, the calculated minimum sample size is 56. This means that 56 people, each working in a different startup, need to take part in the survey. In other words: 17.23% of all Internet startups in Austria needed to take the survey.
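The sample size above can be reproduced with Cochran's formula followed by a finite population correction; this derivation is added here and is not part of the original post. It assumes the usual worst-case proportion $p = 0.5$, the $z$-value $1.645$ for a 90% confidence level, the margin of error $e = 0.1$, the population $N = 325$, and the correction in the form $n = n_0 / (1 + n_0/N)$ used by common online calculators.

$$n_0 = \frac{z^2 \, p(1-p)}{e^2} = \frac{1.645^2 \cdot 0.5 \cdot 0.5}{0.1^2} \approx \frac{0.6765}{0.01} \approx 67.6$$

$$n = \frac{n_0}{1 + n_0/N} = \frac{67.6}{1 + 67.6/325} \approx \frac{67.6}{1.208} \approx 56.0 \;\Rightarrow\; n = 56$$

$$\frac{n}{N} = \frac{56}{325} \approx 17.23\%$$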
The survey results
Altogether 60 of about 325 (18.5%) Austrian software and Internet startups participated in the online survey.
Getting to know the audience
The first questions had the goal of getting to know the survey audience. The following questions were asked:
1) What roles do you take in your startup? (multiple answers possible)
- More than 90% of all participants are in a managing role as CEO or CTO (only very few interviewees stated that they are both CEO and CTO).
- Only 16% of the interviewees hold the role of the person responsible for IT security or privacy. All participants who stated that they hold this role are also the CTO.
2) In what kind of startup do you work? (single choice)
This question ensured that only Internet and software startups were considered in the result interpretation.
- Fintech startups are software startups in the financial sector.
- The 7% in the "other" category are startups in the biotech and electronics sectors. They took the survey because they either run an online shop or also produce software products (but not as their main product).
3) Where is your startup located? (country; single choice)
This question was asked to ensure that only Austrian startups are participating in the survey.
4) Number of employees in your startup? (single choice)
The answers to this and the next question show a problem I faced. It was particularly hard to find very early stage startups with just a few employees. This might be due to the fact that very early stage startups do not yet invest much time in being visible to investors and the public.
Nearly 63% of all interviewed startups had more than 4 employees. Nearly 28% even had more than 9 employees.
5) How old is your company in years? (single choice)
As already described for the previous question, most interviewed startups are already past the early stage phase in terms of employees. This can also be seen in the answers to this question, since only around 37% are 2 years old or younger.
6) Cloud Services
More than 83% of the interviewed startups use Software as a Service (SaaS) and 51% use Infrastructure as a Service (IaaS) for their business. Only 11% stated that they do not use cloud services at all.
7) Processing of personal data – 49% stated that they process personal data only within the European Economic Area, and 44% even do this only on their own servers. More than 28% stated that they either don't know where their data is processed or that they process data outside of the European Economic Area.
Questions about information security
Question 1: Are startups willingly taking risks in terms of cybersecurity by lacking information security processes and mechanisms?
This question is tricky to answer, because it is hard to distinguish between a lack of knowledge and willingly taking a risk. In many cases even the interviewees in personal interviews couldn't answer this question, because they were often somewhere in between those two situations.
Because of this difficulty I used the following approach for the online survey:
Ask the startups…
- if security is important for their startup
- why security is not important for them
- if they are afraid of being hacked
- if they performed a risk assessment
- if they have a person responsible for information security
- what kind of measures they have implemented
While the first 3 questions target the personal feeling of the survey participant, the other 3 target the actual situation within their company. I combined and interpreted the answers of those 6 questions to give an answer to this first question.
- 33% stated that information security is very important for their company
- 58% stated that information security is important for their company
- 9% stated that information security is not really important for their company
- Of these 9%…
  - 29% never thought about it
  - 71% don't have enough resources for it
- 19% stated that they are definitely afraid of being hacked, while the other 81% think that it might be possible. None of them believe that they are not a potential target, or that they have spent so much money on IT security that they cannot be hacked.
- 12% stated that they have performed an information security risk assessment
- 19% stated that they have the role “IT security responsible”
- The answers to question 6) are presented separately below
Conclusion for Question 1
Although more than 91% of the participants stated that IT security is an important topic for their company, only very few companies (19%) have an employee who is responsible for IT security. Furthermore, only around 30% of the young companies seem to implement something like a well-thought-out cyber security concept. Together with the fact that 100% of all participants thought that they could be hacked, this indicates that most of the young companies are aware of the security risks and also know that they are not perfectly prepared for an attack. Although most of them did not perform a risk analysis and therefore do not know all of the potential threats they are facing, it seems that they are willingly accepting the remaining information security risks. But without a risk assessment, security training for employees and a person responsible for information security, this topic can certainly not be described as "managed". In my opinion the risks are (partially) known but simply neglected in many cases.
Question 2: Do accelerators, investors and venture capital firms care whether their startups keep an eye on information security?
This question has been targeted with the survey question: “Who cares about information security in your startup?” The results:
- 49% of the CEOs
- 74% of the CTOs
- 59% of the Developers
- 5% of the Investors
- 5% of the Accelerators and Incubators
This shows that nearly none of the accelerators or investors actively push their startups to invest resources into information security.
Question 3: How many startups have already experienced security breaches?
Of all questioned startups, around 14% stated that they had been victims of successful hacker attacks (5% of them even more than once).
While this certainly seems like a small number in percentage terms, in absolute terms more than 45 companies in Austria have already been victims. And most of them (74%) have not even existed for more than 4 years. Furthermore, some of the startups might not even know that they have been victims of successful hacker attacks (the unreported cases, or "dark figure").
Question 4: Would your startup implement a very lean security process and lean security measures if it only cost between 2 and 4 working days (depending on company size)?
The previous questions already showed that there is much room for improvement. The answers to this question confirm this, because more than 76% of all participants are willing to implement a "Lean Startup Security Guide" or are willing to discuss such a guide with their colleagues. This also highlights the relevance of the Lean Startup Security Guide.
Question 5: What kind of risk evaluation techniques, information security measures and processes do Austrian startups implement to deal with cyber security threats?
- 88% of the participants perform regular data backups
- 54% encrypt personal or sensitive data
- 40% perform code reviews with focus on information security
- 35% execute penetration tests
- 30% have security training for employees and founders
- 33% centrally manage their employees’ devices (laptops, phones, tablets)
- 30% have security policies
- 19% have a person responsible for IT security
- 12% have performed an information security risk assessment
- 2% implement information security standards
The results show that only the first two safeguards are implemented by more than 50% of the software and Internet startups. The fact that 40% perform code reviews with focus on IT security, but only 30% train their employees on information security topics, indicates that there is a higher focus on product security than on corporate security.
- 83% of the survey participants did not know the “Österreichisches Informationssicherheitshandbuch” or the “IT Sicherheitshandbuch for KMU”
- 30% have a person responsible for privacy in their company
- 35% have at least one person in their company who knows something about the EU privacy laws
- 9% of the startups handle privacy by consulting their lawyer
The survey showed that many startups fall short in their handling of information security. Many of them do this on purpose. At the same time, they are willing to implement lean security safeguards if the effort only takes between 2 and 4 working days. This is why I created the Lean Startup Security Guide: to improve the information security level of Internet and software startups.