On this IT security Q&A platform, secUnity gives users the opportunity to ask concrete, needs-driven questions, which are then answered from the academic side. In addition, the secUnity team will present and answer questions from IT security events here. SecUnity thereby supports the discussion between academic and industrial research on current research topics and offers this platform for interdisciplinary exchange.
Get involved!
Interview: Do IT-security or privacy startups face different or additional challenges compared to other (IT) startups? And what motivates entrepreneurs to start a company in this field?
The call for new and more innovative solutions regarding IT security measures is ever increasing. Experts in research, practice and government largely agree that startups can be an excellent driver of innovation in the field of IT security. In order to identify particular constraints and also the motivation behind founding an IT security or privacy startup, the secUnity team set out to interview several startups across Europe. These interviews will be featured continuously in our IT security startup series.
Our first interview was held with Dr. Andy Yen, Co-founder & CEO of the Switzerland-based company ProtonMail.
Could you first describe your business model quickly and where you see your market resp. who your customers are?
ProtonMail is a secure email service that differentiates itself by combining an extremely high level of privacy with unparalleled ease of use. We offer free and paid end-to-end encrypted email solutions for both individuals and corporations worldwide.
Anyone can open a free ProtonMail account to send and receive emails. We charge individual and enterprise users for plans with enhanced features and storage compared to the free plan. Our free accounts are subsidized from the premium ones and cater to our mission of providing email security to every internet user, without discrimination.
The core group of early adopters were security and privacy enthusiasts. However, as the general public inevitably becomes more attuned to internet security and privacy issues, our clients have diversified significantly in the past 4 years. These include journalists, dissidents, enterprises, governments, and individual users coming from a wide range of sectors like healthcare, finance, entertainment, or the legal sectors.
How and when did you develop your idea and what urged you to actually start a business? Which important milestones have you achieved thus far? And what are your plans for the next years?
The company began as a side project that was built in our spare time while we were working at CERN. In particular, we wanted to see if it would be possible to add end-to-end encryption to email in a way that would be easy enough for anybody to use. Online privacy and security are increasingly important in the digital age, and building the technologies to protect data in the future is very important. This motivated us to start the product and see if we could commercialize the technology and fund further development.
One of the first important milestones was to develop a viable consumer product to publicly validate the technology and capture a dominating market share before moving into the enterprise segment. Initial funding came from a successful crowdfunding campaign which exceeded its goal five times, making it the most successful software crowdfunding on Indiegogo in 2014. This enabled us to develop our mobile apps and fostered a powerful core-audience of over 10,000 people that contributed greatly to ProtonMail’s initial success. Fast-forward 4 years, ProtonMail is now securing the emails of more than 5 million users from 150 countries.
A second important milestone was the entry point on the enterprise market with the launch of the ProtonMail Professional Plan in 2017. This represents an increase in the company’s revenue, hence more financial means to invest in the development of our current and future products.
Our vision is to build an entire suite of security and privacy products around our email services. We’ve made the first step towards this direction by building ProtonVPN, a security-enhanced VPN built by the same trusted team and on the same freemium/paid business model as ProtonMail.
Looking back, what were [or still are] the biggest obstacles and challenges for you as a startup?
The architecture behind ProtonMail is a highly complex system involving public and private encryption keys, digital signatures, and mixed cryptography. Through the course of 8 months of research commencing in August 2013, our core team has systematically abstracted away the complexity so the encryption is completely invisible to the user. It was a complicated and expensive challenge to build ProtonMail into the easy-to-use product that it is today. We were lucky to have had initial self-funding and well-balanced top-notch talent among our core team.
Would you say that some of these challenges are specific or more pronounced for an IT security startup – as opposed to a “regular” IT startup?
IT startups, in general, need to secure funds in order to attract the best talent on the market and keep up with the rapid advancement of technology. This, of course, applies equally or even more to security startups as the tech talent tends to be scarcer. However, with the rise of security threats in an ever-connected world, IT security startups might get a head start when it comes to mentoring and financial aid.
IT-Security is heavily dominated by the big players such as Kaspersky, Symantec, or Atos. How do you cope with that competition and what do you do differently in order to distinguish yourself from these heavyweights?
This is part of the story and journey of any startup. Like the other startups that have come with us, we compete with the giants by moving faster, being more innovative, and having a stronger focus on ensuring the best possible experience for our users.
What is your assessment of the current market for IT security solutions in general? Do you expect more startups to enter the field?
Looking back at the past couple of years we’ve seen an extreme spike in cybersecurity threats. This will inevitably stimulate the IT security ecosystem to develop further, welcoming new technologies and solutions to the market.
A concluding tip from the expert: What can end users or entrepreneurs do to achieve a basic or better level of IT security on their device of choice?
IT security is above all a mindset. It is highly important that users understand the risks they face and adopt a preventive attitude to security threats. This means embracing technologies like encryption. Products like ProtonMail or ProtonVPN use strong encryption protocols and demonstrate that security does not have to be complicated. It can be simple to use and can help prevent what could be an extremely unfortunate event. For example, everyone knows public WiFis are insecure and they can be very easily snooped by malicious individuals, but still, there is an outstanding number of internet users that do not use a VPN while connected to these networks. ProtonVPN offers a free tier account that is perfect for the situations when it’s certain you are in jeopardy.
Moreover, it is important to use two-factor authentication (2FA) whenever possible. We recommend using 2FA authentication apps rather than SMS-based 2FA. The latter can be more easily compromised; for this reason, ProtonMail disallows 2FA via SMS.
How would you describe the current state of our society and the industry in terms of awareness for IT security risks? Do you already see a change of perspective for the better or do you still think there’s a lot of room for improvement? Will, for example, the new EU-GDPR help make change for the better?
There is room for improvement, but we do see a positive change in terms of awareness. GDPR provides a long overdue update to the regulatory framework surrounding data protection. We believe it will drive the adoption of better security practices, such as using end-to-end encryption for storing sensitive user data, shifting to private email solutions, hiring data security specialists, etc. The increased adoption of technologies that provide privacy and security by design will represent a key aspect of GDPR compliance and will help both consumers and businesses in the long run.
Interview March 25 2018