Share
FacebookFacebook icon TwitterTwitter icon LinkedInLinkedIn icon Email
Are we ready to enter p@s$word-free future?

Magazine

Are we ready to enter a [email protected]$word-free future?

Published 3 November 2022 in Magazine • 15 min read

Weak passwords can cost a company millions of dollars, but more sophisticated alternatives that can greatly reduce the risk of a cyberattack are rapidly gaining traction, data security expert Sandra Tobler tells Öykü Işık 

Growth at all costs and ‘go big or go home’ were often heard in Silicon Valley over the past two decades where the deep pockets of venture capital firms encouraged fast growth above all else. As a result, ‘up and to the right’ is the way scale-ups like to portray themselves on charts. From my work taking early and mid-career professionals to the startup hotbed, it appears that this is still how entrepreneurship is seen from inside the Bay Area bubble.  

According to consultancy MindTheBridge, Silicon Valley hosts 7,894 scale-ups. These are startups that have started to gain market traction and notched up significant growth over the past three years. Though many outside are now questioning this mantra, when I see companies improving the world, or at least improving how we do business, I’m thankful they are scaling so fast. A case in point is Moderna, which developed a COVID-19 vaccine in under a year; thank goodness they were able to do what they did! And let’s hope that fellow biotechs Biogen and Eisai can do the same for Alzheimer’s Disease.  

Less sexy, and certainly less known to the public, are two scale-ups that I had the privilege of meeting with recently: Odoo, a software provider, and Flexport, a global logistics technology platform. One needed 13 years to discover the right business model but has grown 55% year-on-year now for the past ten years. The other has grown to $3.3 billion in revenue over 10 years. Just as there is not a single way for a startup to survive, there are different playbooks for scale-ups. The underlying characteristics of the founders are probably fairly similar, as I wrote about in a previous article, but how they go about it can be drastically different. 

We could look at dozens of different scale-up stories, but I chose these because they’re less in the public eye, and also because they’re so different from each other. B2C scale-ups like Airbnb and Uber get the headlines, but the behind-the-scenes-soon-to-be-very-large stories may have a bigger impact on our lives and the economy. 

Slowing global economic growth, rising interest rates, an energy crisis in Europe, and fears about tensions between the US and China are prompting tech companies – many of whom rapidly expanded their headcounts during the pandemic – to retrench. As of mid-October 2022, more than 44,000 US tech workers have been laid off, according to a Crunchbase News tally. Tesla is cutting roughly 10% of its salaried staff, while tech giants Apple, Meta, and Amazon have announced plans to slow hiring. As investors grow more cautious and rein in their largesse, many startup founders are finding that funding is drying up, impacting their scaling plans.  

Odoo and Flexport, however, appear unscathed by the global economic turbulence for the time being. At the time of writing, Odoo has 536 job openings all over the world and Flexport is advertising 286 new positions. Retrenching they are not. So how did they get to this position? 

Playbook #1: Go after the small fish 

Odoo, founded by Belgian entrepreneur Fabien Pinckaers, is an open-source suite of business management software apps including CRM, e-commerce, billing, accounting, manufacturing, warehouse, project management, and inventory management. Founded in 2005, they’ve grown to 2,400 employees, seven million users and 36,000 apps (third-party apps, built by the community, even individuals), making them the world’s largest business app store.  

They have a major presence in Silicon Valley, but unlike the vast majority of their neighbors they have grown organically, having raised the piddling sum of $14 million in their early days, then suddenly another €180 million in 2021. As of June 2022 they were valued at €3.2 billion. Compare that to payments processing startup Stripe, which raised $2.2 billion from 39 investors, and is valued at $95 billion, or the $400 million raked in by visual collaboration platform Miro at a $17 billion valuation in January this year. That’s compared to just $14 million raised in the first years by Odoo, a choice that many venture capitalists would like to have challenged. The founder purposely chose to take this route, in effect growing his company with sales revenue, while keeping as much equity as possible for himself and his team (who still control 65% of the shares).  

Odoo certainly benefitted from the fact they were born after the birth of the internet, an advantage that competitors like SAP (founded in 1972) and Oracle (1977) did not have. Starting as a digital native is, in effect, like working with a blank sheet of paper. Since they didn’t carry the technology debt that their competitors had, Odoo was able to design the product that their customers needed and wanted. Odoo also deliberately chose to develop its software in-house rather than acquire, avoiding the need to patch together different systems and technologies.  

 

Another advantage is that they have always targeted small-to-medium sized businesses. The advantage isn’t just that the big players typically ignore these companies. The real advantage comes from the necessity for Odoo to be nimble and understand the needs of these smaller players. Targeting large customers might have caused them to acquire the ponderous habits of these players. As Fabrice Henrion, Odoo’s director for the Americas and employee #19, told me, “If you start by selling to big companies, you take on the characteristics of big companies. Slow, cumbersome, bureaucratic, stratified… and then it becomes very hard for you to sell to smaller companies that require speed from their vendors and products. Having started off selling to SMEs, we remain nimble and humble. Our employees have the autonomy necessary to fulfill client needs.” 

Many of the startups and scale-ups that approach me for advice make two automatic assumptions: first, chase after name-brand customers immediately, and second, get venture capital as quickly as possible, and as much of it as possible. Yes, certainly well-known names will create confidence for future customers, but at what cost to the startup? The long tail of small and medium-sized clients ignored by SAP or unable to afford Oracle may be a better path. And, picking up on classic disruptive innovation theory from American academic Clay Christensen, coming from the bottom with minimum features (Odoo founder Pinckaers first called his company TinyERP), and creating a product for customers whose businesses seriously depend on you, may create a more committed client base.  

Playbook #2: Raise a ton of money, early 

Flexport, founded in 2013 by Ryan Petersen to automate paper customs forms, focuses on freight forwarding and customs brokerage. Peterson initially followed the more traditional, aggressive growth strategy. In 2015 he reported that Flexport had increased revenue by 25% every month in the 30 months since its founding. The company also raked in funds from big name investors, raising $2.3 billion in total – including $1 billion from Japan’s SoftBank in 2019. 

We sometimes say that timing is everything, and certainly Flexport has had its share of luck, as logistics has become a competitive advantage for companies who have flocked to its one-stop software that gives customers greater visibility over their shipments. Also, like Odoo, they are internet natives and didn’t have any technology debt to repay. This, and a few other things (like container prices exploding!), have helped them increase revenues from $2 million in their first year to $3.3 billion in 2021 (with a profit!), with a forecast of $5 billion in 2022. 

Going beyond luck, and the ability to raise a lot of money, Petersen’s careful choice of Flexport’s earliest employees fueled their scaling. I still remember meeting Ben Braverman several years ago and knowing immediately that this was one of the most brilliant salesmen I’d ever met; at the same time realizing that the freight-forwarding business required oversight, Petersen hired a head of compliance. Both hires took place ahead of building the tech team, highlighting how the company prioritized doing things right over rough and ready growth that needed to be retroactively fixed. 

The company fixed a specific need in the market, finding product-market fit almost immediately. Competitors such as UPS Supply Chain Solutions are working hard to catch up, but it has the baggage of more than 100 years of success. Another competitor, XPO Logistics, with 2021 revenues of almost $13 billion, has grown principally through acquisitions. 

Flexport, meanwhile, has continued to learn. Perhaps realizing that the capital markets had changed, and therefore Flexport’s growth game had to change, in June 2022 Petersen announced that the new CEO of Flexport would be Dave Clark. Clark spent 23 years at Amazon, experiencing its growth from internet bookseller to retail behemoth, and was responsible for building Amazon’s logistics business. In parallel, Darcie Henry joined from Amazon, where she’d worked closely with Clark to massively expand the workforce. What we may be seeing is the classic, and necessary, transition from the Wild West fast-growth of the founder to the more careful growth of experienced professionals.  

Playing the scale-up game in different ways 

With market conditions shifting and easy money drying up, investors are now more focused on profitability. Many startups could take a leaf out of the playbooks of Odoo and Flexport, which decided to play the scale-up game in different ways.  

Odoo gained its advantage by nimbly helping small businesses compete more effectively against their giant competitors, taking the necessary time to find product-market fit, and avoiding huge infusions of capital until they’d created a valuable company (and could thus retain control).  

Flexport reduced friction in the global supply chain, making them indispensable for many customers, and brought the freight-forwarding industry into modern times, giving their customers more data than they’d ever had about their shipments. This required raising a lot of money early, and so far they have 124 investors 

These two companies played the scale-up game in different ways. The Silicon Valley model has worked well, but don’t assume that you and your venture must follow the same path.  

The computer password was first presented at the Massachusetts Institute of Technology in 1960 by Fernando Corbató, a computer scientist. Today, this basic security measure is ubiquitous, with the average digitally connected person having to remember or record multiple passwords.  

Yet there are two problems with passwords that may not have been evident to Corbató at the time. One is that they are easily forgotten, costing businesses when it comes to resetting them when tens of thousands of employees are involved. Indeed, the cost of resetting passwords for staff is up to $75 each time, according to the research firm Forrester, meaning that large corporations can spend more than $1 million annually on support costs for passwords. 

Another, more worrying, issue is that they are easier to hack than many people realize. More than 80% of cyberattacks involve compromised passwords, according to the World Economic Forum.  

Most obviously, this is because many people continue to use simple phrases that are easy to remember but vulnerable to being replicated by hackers. Despite the emergence of software that can generate and remember more complicated strings of random characters, some of the most common are still “password”, “12345” and “iloveyou”, according to password management company NordPass. Some people also use superhero characters from the Marvel and DC franchises as passwords, such as Loki, Thor and Robin. Moreover, people also typically use the same password on multiple different online accounts, weakening security.  

Many people underestimate the risk of password-related hacks, mistakenly believing they are not targets for criminals, said Sandra Tobler, co-founder and chief executive at Futurae Technologies, a Zürich-based authentication and transaction confirmation provider.  

“Emotions are still underestimated when we talk about hacking. In most cases, we really are inclined to trust people,” said Tobler in an interview. As an example, she said a hacker might call pretending to be your bank, claiming you have been the victim of a breach, to steal your credentials. “As soon as you are put under stress or put in a corner, we all react irrationally, and that’s when bad decisions happen.” 

People may also not realize that, on top of phishing, hackers use automated bots that can rapidly try to guess passwords. “No password is unbreakable, but it’s a matter of time,” she said.  

Cybercriminals will often steal entire password databases, with big technology companies including Yahoo and LinkedIn, having suffered breaches in recent years. Stolen passwords are then sold on the dark web, with hackers using them to access multiple online accounts or holding users to ransom, locking access to accounts until money is paid.  

Emotions are still underestimated when we talk about hacking. In most cases, we really are inclined to trust people
Sandra Tobler

For corporations, vulnerable employees are often the weakest link when it comes to cybersecurity. Hackers can tap into their computers, tablets and smartphones to gain access to the company network and steal valuable data. There is a substantial sum of money on the line: the average breach costs a company $3.86 million, according to IBM. While many attackers seek financial gain, others hunt for research and intellectual property. 

Worse still, the move from office to remote-based work during the coronavirus pandemic has created new risks for businesses. These include the shift from secure corporate networks to home Wi-Fi that may have weak passwords or outdated hardware; the use of personal as well as work devices on home networks, increasing the “attack surface” for hackers; and the increase in virtual working tools and data stored in the cloud. 

As a result, the password may be on its way out. We are moving ever closer to a “passwordless” future — specifically one in which passwordless authentication, involving biometrics-based security such as fingerprint-reading and facial-recognition technology, is the default behavior. 

Last year, the World Economic Forum called for a “passwordless future” which it said, “vastly improves a company’s security by reducing the overall attack surface and eliminating compromised credential risk”. A growing number of startups with ambitions to kill the password have attracted large investments.  

Puzzling choices of password 

This completed wordsearch shows the top 30 passwords in 2021, according to software provider Nord Security. Many are lines of characters on the keyboard such as 1234567890 and qwertyuiop as well as ‘password’. It also includes 10 other common passwords of specific kinds, including the most popular animal, first name, and sports team, all from the top 200. 

Common passwords are very easy to compromise. A better model is to make the password long, use upper-case and lower-case letters, numbers and symbols, and avoid obvious words. One way to remember it is to think of a memorable sentence and take initials, numbers, or symbols from each word. For example, the password in green at the bottom-right of the grid comes from ‘Lausanne-Sport beat Liverpool 5-3 and were stars’.

Many corporations are looking for alternatives because of the risk to business and the frustration felt by customers. As many as 92% of users would rather leave a site than recover their login credentials, with the obvious loss of potential customers and revenues, according to Transmit Security, a digital identity protection company. 

In any case, password fatigue is already endemic. As many as 55% of consumers have stopped using a website because of its login process, and more than 87% have been locked out of an online account.  

The passwordless movement has been given an added push with the shift to remote working and the surge in password-related hacks, including sophisticated state-sponsored campaigns such as the SolarWinds hack that targeted some of the US government’s most sensitive data in late 2020.

Tobler said individual employees must make their personal network as robust as possible to avoid exposing corporate information. She recommended using password management software, which can encrypt your credentials, remind you to change passwords regularly, and scan the dark web to check if your logins are up for sale. 

These apps also eliminate the burden of remembering infinite passwords. Instead, you need only remember one master-password to gain access to all the rest. But with all of your eggs in one basket, it’s important to ensure this is a strong one. 

On top of secure passwords, Tobler said many workplaces had introduced security measures such as two-factor authentication — when employees are granted access to company devices and systems only when presented with two pieces of evidence. This may include hardware tokens, which are physical devices that you plug into your computer that authenticate your account. 

Meanwhile, antivirus software is often loaded onto devices and many companies use a secure corporate VPN (virtual private network) that allows staff to safely connect to the company network from any device anywhere.   

Despite these measures, Tobler said smart employees would always find ways to bypass systems that make their lives harder. So companies need to be “empowering people to use the right security tools that do not impact them on a daily basis”. This can mean going passwordless — a move increasingly made by companies to improve security, for ease of use, and to lower costs.  

Are we ready to enter p@s$word-free future?

In addition, Tobler believes that different forms of authentication can help companies to build a more inclusive culture for staff and user experience for customers. For people with disabilities, vision loss or hearing difficulties, having to manually enter a password is inconvenient and may include mistakes, making some websites inaccessible. Likewise, children and the elderly may not have the skills or knowledge to use passwords. 

In response, companies are using a variety of tools as an alternative to passwords and traditional authentication systems, with biometrics being the most popular, given the ubiquity of smartphones and computers that have facial-recognition and fingerprint-scanning capabilities. 

Yet even biometrics has some downsides and is not a bulletproof option.  “If biometric data is leaked on a large scale, it’s game over,” said Tobler. “There’s no such thing as resetting [a password].” She believes biometrics should be used in conjunction with other authentication systems such as password management software.  

This is because hackers can trick cameras or sensors with photos, masks or molds of their victims, a tactic called spoofing. She said she was even more pessimistic about voice-recognition systems because “you can already today recreate artificially every single voice”. 

Tobler cautioned against companies developing new authentication systems in-house, even though they might be cheaper to develop. “Unless you are a security company, don’t build security. It’s not your core,” she said. 

“You need to be even more vigilant [about] what security tools you’re using [so as] to not frustrate customers [and] have them jumping off your service, but [without] implying or giving them the feeling that there is insecurity. And that’s a very challenging task for every organization.”  

Another barrier is that consumers and staff may not want to get to grips with new systems. “I don’t think in the next few years we’re going to not have passwords anymore, because it’s still a very powerful privacy preserving way [to] allow only you to grant access to something,” said Tobler. 

She highlighted some positive developments, among them the Fast Identity Online Alliance (Fido), a coalition of more than 250 companies, including Google, Apple and Microsoft, that has developed a standard system of passwordless authentication which is simpler for consumers to use, and easier for businesses to deploy and manage. 

“With more and more big browsers supporting the [Fido] standard and more and more large corporations being part of this, this could be very interesting for the consumer market [and drive] mass adoption.”

Authors

Oyku Isik IMD

Öykü Işık

Professor of Digital Strategy and Cybersecurity at IMD

Öykü Işık is Professor of Digital Strategy and Cybersecurity at IMD, where she leads the Cybersecurity Risk and Strategy program. She is an expert on digital resilience and the ways in which disruptive technologies challenge our society and organizations. Named on the Thinkers50 Radar 2022 list of up-and-coming global thought leaders, she helps businesses to tackle cybersecurity, data privacy, and digital ethics challenges, and enables CEOs and other executives to understand these issues.

Expert

Sandra Tobler

Sandra Tobler

Co-founder and CEO of Futurae Technologies

Sandra Tobler is an entrepreneur who has worked in the IT space for over 16 years. She is co-founder and CEO of Zurich-based Cybersecurity company Futurae Technologies, which provides seamless authentication and secure transactions to millions of users across the financial, health and online retail industries.

Related

CEO Dialogue with Danone

Nurturing sustainable growth at Danone

21 March 2023 in Magazine

Antoine de Saint-Affrique, in a frank and open discussion with IMD President Jean-François Manzoni, explains his no-nonsense approach to problem-solving, the importance of speaking the truth, however uncomfortable, and knowing when it’s...

Learn Brain Circuits

Join us for daily exercises focusing on issues from team building to developing an actionable sustainability plan to personal development. Go on - they only take five minutes.
 
Read more 

Explore Leadership

What makes a great leader? Do you need charisma? How do you inspire your team? Our experts offer actionable insights through first-person narratives, behind-the-scenes interviews and The Help Desk.
 
Read more

Join Membership

Log in here to join in the conversation with the I by IMD community. Your subscription grants you access to the quarterly magazine plus daily articles, videos, podcasts and learning exercises.
 
Sign up

You have 4 of 5 articles left to read.