RWW reports that online storage company DivShare has had a security breach. Apparently a malicious user accessed their database, which included user e-mail addresses and other profile information. They also say that no financial information has been accessed by any unauthorized parties. It’s not the first of these sorts of problems, and there have been many tales of start-ups disappearing without trace and leaving user data floating around the web somewhere.

The specific cause of this breach isn’t important; what is important is that users of web services feel secure using them. Can they feel secure when the start-up is living off the smell of an oily rag and doesn’t know where the next chunk of cloud storage (let alone salary paycheck) will come from?

It’s one of the reasons that Xero CEO Rod Drury gives for the fact that they IPO’d very early on. Theirs is an application handling the most sensitive of data, business financials, and Rod is adamant that publicly listing was imperative to build trust.

But what about other types of service? I use SugarSync, an online sync/backup solution. I’ve personally spoken with the CEO and I’m comfortable that they’re well funded and stable, but that is a perception based on faith rather than actual knowledge. Who’s to say they won’t also go down tomorrow, next week or some other time?

Now I’m not suggesting that it’d be preferable to have every web app on earth rolled into either Google or Microsoft, but I would suggest a two-pronged approach from users:

  1. Think about the end results of security breaches for the web apps you use: use multiple backups (even in the cloud), segregate data and don’t keep super-sensitive stuff there.
  2. Do good due diligence on providers. Enterprise customers have long known the necessity of this, but individual users need to consider it as well.

I know a number of bootstrapped start-ups (or started-ups) read this blog – I’d be interested to hear their thoughts on this subject.

Ben Kepes

Ben Kepes is a technology evangelist, an investor, a commentator and a business adviser. Ben covers the convergence of technology, mobile, ubiquity and agility, all enabled by the Cloud. His areas of interest extend to enterprise software, software integration, financial/accounting software, platforms and infrastructure as well as articulating technology simply for everyday users.

9 Comments
  • I think there are positives and negatives for both. In my opinion I would be more comfortable with a “bootstrapped” startup that is profitable from day one rather than a large company that may have a lot of money but is in the negative from day one.

    With a bootstrap if nothing progressed (they didn’t get any new customers) then they still stay profitable (because they are making a profit from the start) whereas a lot of IPO companies take an enormous amount of funding, then it’s a mad dash to become profitable before they run out of money (which is a bit of a gamble).

    The world isn’t this black & white though, you just have to talk to the companies you deal with and ensure you are secure in their ability to manage you. I encourage people to ring up their providers and ask them about data security, backups etc.

    Any good SaaS provider will let you download a copy of your data in a non-proprietary format, so just download your own copy every 3 months or so just so you have peace of mind you have a local copy.

    Take a stake in your providers though, read their press releases to see what they are up to, check out their financial statements (if they are public), just ensure you have a good working relationship with them.

  • I have a heap of comments on this… They’ll come in bits today as I’m busy on EOY cashflow reports for our ‘Bootstrapped’ company ProWorkflow.com.

    Firstly though, I’ll dispel a myth. “Bootstrapped” does not mean the company is ‘strapped’ and has no money – and therefore is poor quality. It simply means we build the business using only revenue and true cash in bank. Or put differently, we live within our means and don’t spend what we don’t have. This allows us to keep tighter control of the cashflow and expenditure as well as tighter control of the business itself – ie: we don’t get bogged down in reporting to hundreds of shareholders.
    ProWorkflow does have good revenue, has been profitable for some time and we can afford top quality servers, software, and infrastructure. We use top hosting infrastructure in the US and have maintenance agreements in place with all hardware providers.

    Re: XERO/IPO. An IPO has a lot to do with trust, but nothing to do with security as it’s still a business made of people, and it only takes one person either maliciously or accidentally to cause a security issue.
    I agree that the general public could see it as more trustworthy up front, but the reality is that in this day and age it takes only one person to sink the ship from within. From one man bands to large corporates, we ALL continually work on the trust/credibility issue – it’s never a ‘done deal’ rather a ‘day by day’ process to keep the level high.

    SO you can’t hide behind IPO’s, Funding, Investment or Bootstrapping as the key element to building trust.

    You HAVE to make sure all back end processes are as tight as they can be and that sufficient backups are not just talked about, but actually in place and happening. The customer can’t know this for sure, so it rests upon the CEO’s shoulders to be accountable. I agree that an IPO has a higher level of accountability, but bootstrappers have internal accountability also. I don’t want the company to fail, or customers to get burnt – no CEO does. It’s in our interest to make sure the underlying infrastructure is sound – If it fails, it all comes back to the CEO, so we’re always improving infrastructure and keeping customers tightly in the loop.

    As a bit of a wakeup though…

    I know of a LARGE website hosting company in Australia last year that had a server crash and they could have lost 2 years of customer websites and data for 100+ accounts. I know one of their customers, who called me all stressed. They fixed the server after a day of downtime and no data was lost, but I personally called the provider on behalf of my colleague to ask about backup policy. They said it was in place and showed me the policy on the website.
    So I said “Email me the latest data backup”… Guess what… They had NO backups at all! And this was a major website hosting company with thousands of customers globally. Apparently their automated backups stopped working on a few servers 2 years ago and nobody there had checked.

    There’s a lesson in that! We at http://www.ProWorkflow.com ensure our backups (both on and off server remotely) are done 4 times a day with 14 day retention. And all customers can download the database at any time through the web browser.

    Another point to consider is matching the customer expectation of trust and level of SaaS provider access to the type of software offered by the SaaS company…

    Whereas XERO are in a position where they shouldn’t see your bank data – they say in their FAQ’s “All of your bank account information and accounting data is secure and cannot be viewed by any employee of Xero” – and I totally agree with this, we’re in a different position at ProWorkflow. Our tool is project management software and our customers WANT and NEED us to access their accounts occasionally to troubleshoot, train them and help them streamline their workflow.
    So our terms up front say: “ProActive Software has no obligation to monitor and access customer accounts, but may do so if for any reason it believes there is just cause. (Reasons could include illegal activity, uploading of virus infected files, questionable material or for general customer support)”

    So, can you trust bootstrappers?

    Yes and no …
    – Some you can trust and others you can’t (and I know of a few you shouldn’t)

    And can you trust IPO’s?

    Also Yes and no …
    – Some IPO’s are not trustworthy and others are… (FYI – XERO, I trust)

    It comes down to the people and infrastructure behind the organizations and whether bootstrap, IPO, privately funded or otherwise, you can only do your homework the best you can. Some advice though…

    1. Test them on their backups, and get a REAL backup emailed to you.
    2. Talk to customers, and not just the ones they recommend.
    3. Look at their history, and how long they’ve been around.

    Regards,

    Julian Stone
    ProActive Software CEO
    Web: http://www.proworkflow.com
    Blog: http://www.julian101.com

  • While there are always exceptions, from experience I believe that traditional enterprise software is easier to bootstrap than SaaS as you have the possibility of lumpy upfront revenue.

    There will be some SaaS products that grow organically, or have the time to grow organically, but in general you need to fund the following:

    1. Being ahead of the curve in some categories
    2. Funding the revenue ramp as you don’t get big up front licenses
    3. Having production quality infrastructure and redundancy early on
    4. As SaaS is a service, you need more than just dev. I.e customer care etc.

    As SaaS is a sexy space, purchasers will be concerned about M&A activity. Will these guys go under or sell out next year to people we didn’t want to buy from.

    Great to see some self funded startups there, but in SaaS I think your funding strategy is inseparable from your business strategy so you need to think about it more than an enterprise style software company.

  • We all love a healthy debate! Rod and I are from either ends of the spectrum here so will have differing views of course (nothing wrong with that), however my view on it is, both IPO and Bootstrapping are the right approach (if used in the right circumstance).

    It’s arrogant and naive to say that there is only ONE way to build a software company. Just look around and you can see multi million and billion dollar companies created using both methods. McAfee and Apple built out of garages? etc 😉

    On a personal note – Rod, as CEO of one of the most public software companies in New Zealand, you need to be a little more sensitive to the 98% of non-funded (and never will be funded) software and SaaS companies in New Zealand. The fact is that most software companies in this country are 1-5 man bands who just want to ‘Make it happen’ and IPO or major funding will never be an option to them due to lack of experience, resources, contacts, previous wins or ‘a name’.

    So, you can either support the bootstrappers with good advice and contacts or you can continually try to push people into a ‘funding strategy’ that, the reality is – many won’t be able to pull off.

    You said “experience I believe that traditional enterprise software is easier to bootstrap than SaaS as you have the possibility of lumpy upfront revenue.”
    – Most bootstrappers keep their day jobs (or use savings) till the revenue covers them and their infrastructure so this isn’t always an issue.

    With SaaS, the first customers are usually early adopters anyway so they are pretty understanding if the business is run by a few people in a garage. You just have to make sure you’re solid when you start to leave the early adopter market to go mainstream. This is when you really need money. By then though you should be in revenue, enough to cover expenses – if not, then yes, funding the infrastructure should be a part of the plan.

    You also said “in general you need to fund the following”

    1. Being ahead of the curve in some categories
    – Agreed ‘In SOME’ categories. ie: XERO should try to keep ahead as the major player as it has a current advantage, but in a competitive area like Project Management, it’s not so important to keep ahead of the curve. Customer referrals will take you further in revenue with a better conversion rate than fighting to be ‘the leader’. To become the ‘leader’ in this space, you’d never recoup the marketing spend to stay ahead through revenue.
    In the project management space, it’s not ‘being the leader’ or ‘ahead of the curve’ that counts, rather it’s ‘having a sustainable model’.
    Remember there is plenty enough business to create hundreds if not thousands of multi-multi million dollar companies in the project management space. Focus on sustainability – not being the first.
    Make friends, not war…

    2. Funding the revenue ramp as you don’t get big up front licenses
    Where do you spend? Ads? SEO? Roadshows? What’s the return on the spend?
    This is an issue for ALL business, but you don’t HAVE to fund the revenue ramp (although it is preferable). We made most of our early sales just networking for free on developer forums.

    3. Having production quality infrastructure and redundancy early on
    With SaaS, you can do that quite easily as you only need a good server with good backups/services at a good provider. As you scale, you add more servers and improve infrastructure. But you can start small – but still have quality. To gain trust early on, we paid a little more and chose one of the top US data facilities to work with, rather than a cheapo hosting company.

    4. As SaaS is a service, you need more than just dev. I.e customer care etc.
    Agreed. But remember that the support level per customer drops as they get to know the software. We find that one support person can quite easily answer the support emails and calls of 1500-2000 users in a few hours a day. We only get a few support emails a day – the software works – people just use it! We are though about to add more staff in prep for some expansion, but as long as you have enough support resource that things don’t back up greater than 12-24hr response you’re doing better than most US software co’s!

    You said “As SaaS is a sexy space, purchasers will be concerned about M&A activity. Will these guys go under or sell out next year to people we didn’t want to buy from.”
    – Who knows or can predict? and this applies to any business, XERO included. I say “Good on the guys that take a business from an Idea to M&A”. After all Rod, it was you that has said many times that it’s good for kiwi software co’s to sell out so they can build a warchest!
    What about Trademe? Are we all happy it went to Fairfax? I bet you’re happy with your return? All the TM investors did well – it’s a great model.

    You said “in SaaS I think your funding strategy is inseparable from your business”.
    Agreed, that it’s inseparable, but the issue is more about when and if you need funding and where from etc. So yes, you should consider it, but not all businesses require it to grow. And some introduce funding a little later on.

    So it should be considered, but it’s not a compulsory action and it is possible to grow healthily without it.
    Different strokes for different folks and business models – nothing wrong with that 😉

    All the best Rod – XERO’s looking good!

    Regards,

    Julian Stone
    ProActive Software CEO
    Web: http://www.proworkflow.com
    Blog: http://www.julian101.com

  • I think the point of data safety for any company is when it’s IP and customer base is of a sufficient size for a competitor to value it. If it falls over at that point you will have some heart-wrenching delays but there will be a way to carry on. The major risk is that if a SaaS provider doesn’t react quickly then the value of those customers (and potentially, those customers own businesses) goes down to zero.

    Bluntly, if you have customers locked in then they are worth something. If they are worth something then a competitor will pick them up and migrate them. Perhaps something to ask for in those dreaded T&Cs? I (still) think there is a market for data/code escrow for SaaS providers for this very reason.

    For business apps I consider that the lockin between a purchased product and a SaaS product are substantially the same, the training/setup investment shames everything else. I just spent a few hours customising the estimate and quote formats for Cashboard, then training my user. Works well. They’ll let me extract my data in XML format, but that’s less than half of a solution to the problem you’re describing. It’s maybe only 15%-25% of a solution — I need somewhere to load that backup (and understand it) and then customise the new application and retrain the users.

    Being an early adopter for any product is risky. Chicken/Egg for any company, something that gets addressed one customer relationship at a time. Backups (your own, and the provider) should be a given. If they’re not done then…the provider is not running a business they’re running a liability. Perhaps Verisign can invent another business stamp of approval to charge oodles of money for, “process audited SaaS provider”.

  • While it doesn’t address the data security issue, SaaS based on open source software reduces some risks for customers.

    We’ve bootstrapped our startup by doing custom development and implementation. For our clients, the risk of sourcing custom software from a single provider is mitigated by the fact that we release the source of the software. They can, if necessary, find someone else to host and administer their sites.

    Even customers who commit to our SaaS have the option of getting the software hosted by someone else, which protects at least some of their training and setup investment.

  • Alan Barlow

    I have to disagree with Dan’s comments in regards to offering customers your source code (IP).

    By open-sourcing your application code (dropping your trousers!) you are undermining the saleable value of your business and also opening the way for others to potentially put you out of business altogether!

    The security of your IP will be a major focus of any due-diligence exercise during a potential acquisition! The acquirer will want to be certain that what they are buying is not going to start coming out of a third world country for 1/100th the price 2 days after they sign the deal!

    On top of that you risk another company starting the same business as you using your IP! (scratching head wondering if I’m missing something here!)

    Of course there are many software companies who do not consider acquisition in the broader strategy of their business or do not recognise the piracy risks that lurk in many uncontrolled nations, but for any that do I suggest you keep your trousers securely up!

  • … publicly listing was imperative to build trust. … huh? What audience is that aimed at?

  • I like the article, but to me it’s not whether or not you can trust a “bootstrapped” start-up – it’s whether or not you can trust a start-up at all!!

    Check out this excerpt from an email I received from a very well funded high profile startup (who shall remain nameless…)

    “Yesterday morning we had a major server outage affecting our 1.0 customers. We completely lost one of our database servers. The day was spent rebuilding and restoring everything we possibly could.

    There were a handful of accounts that the restore completely failed on. Yours was one of those accounts. We have exhausted all available avenues for restoring the account data with no positive results.”

    This proves that even well-funded startups can make the most basic and fatal of mistakes.
