Why Your Brightest Minds Are Clicking on Deepfakes: The Hidden Business Cost of Phishing in Science & Tech SMBs


Key Points

  1. Phishing is smarter now: AI-generated, multi-channel phishing and social engineering schemes are targeting your most trusted staff.
  2. If you don’t own your cloud security, someone else will—probably a criminal.
  3. Breach costs in biotech, medtech, and high-tech are among the fastest-growing, averaging $4.9M.

“We Thought We Were Too Small to Be Targeted”

If I had a dollar for every science or tech founder who told me their company was “too small to be on anyone’s radar,” I’d have my own R&D fund.

Let me be clear: attackers don’t care about your size, they care about your value. You’re holding proprietary data, research, or trade secrets, so you’re a target. Most science and technology businesses rely on cloud services and don’t have a full-time security team, which makes you vulnerable.

The methods once used to breach billion-dollar multinationals are now faster, cheaper, and powered by AI. This article outlines the threat and provides tips on how to stop your business from being compromised by one fake Slack message, QR code, or deepfake video call.


The Phishing Shift: Multi-Channel, Deepfake, and Voice Fraud Are the New Norm

Phishing has evolved. It’s no longer about shady emails from fake banks. Today’s attacks are:

  • AI-enhanced: Customised lures generated instantly using your public data.
  • Multi-channel: 41% of phishing attacks now include SMS, WhatsApp, Teams, Slack, or LinkedIn, not just email. [Verizon DBIR 2025]
  • Visual and audio deepfakes: CEO voice clones. Fake investor video calls. Deepfake “compliance officers” asking for document uploads.
  • QR code phishing (quishing): Seen a QR code on a conference booth or flyer? It could trigger malware or credential theft. These attacks have jumped 2,000% since 2023. [Proofpoint]

This means your smartest, most senior, and most trusted employees—research leads, engineers, finance managers—are now your most likely targets.

And when they click? The attackers don’t just steal credentials—they steal access to your intellectual property, your commercialisation roadmap, your partner data.


What’s Really at Risk? IP, Trust, and your Entire Business Model

According to the IBM Cost of a Data Breach Report (2024), the average breach in the biotech and medical devices sectors now costs $4.9M, driven by:

  • Lost IP and R&D delays
  • Regulatory investigation
  • Supply chain fallout
  • Loss of investor confidence

And let’s be blunt: in your world, IP is the value. If that gets leaked, copied, or ransomed, your growth narrative evaporates. Here’s how the damage cascades across your business:

Function      Impact
Strategy      Stolen trade secrets = lost first-mover advantage
Investment    Investors now screen for cloud security and IP protection readiness
Finance       Costs spike with downtime, legal, incident response, and insurance gaps
Operations    Phishing often leads to ransomware disrupting production or trials
Marketing     A leak of your roadmap = blown launch, brand damage, loss of trust

Real Example: The Deepfake COO That Killed a Fundraise

A medtech startup was gearing up for their Series B. One of their engineers received a message on Slack from “their COO” requesting trial data to be uploaded to a new shared folder for investor review. It was convincing—same profile picture, same tone, same urgency.

Except it wasn’t their COO.

The link was spoofed. The data was stolen. Within weeks, unpublished clinical research appeared online. The raise was postponed. A competitor filed a patent within six months.

This was not a technical failure—it was a business failure rooted in poor security awareness and access control.


The Cloud Trap: “We Use Microsoft/AWS, So We’re Covered” (No, You’re Not)

There’s a dangerous myth in science and tech startups: that using a major cloud provider means security is taken care of.

Cloud providers like Microsoft and Amazon only protect the infrastructure. Everything else, including your apps, identities, access controls, data classification, and monitoring, is your responsibility.

Who Secures What in the Cloud?

You Secure                 Provider Secures
IP, data, applications     Physical data centres
User identities, MFA       Infrastructure uptime
SaaS app permissions       Network hardware
Monitoring & alerts        Hypervisor patching
Segmentation, backups      Base platform security

Cloud platforms call this the Shared Responsibility Model, and it’s not optional. If you’re not configuring and monitoring your cloud assets regularly, you’re driving blind.


So What Do You Actually Do? Here’s a Business-Ready Plan

You don’t need a CISO or a 10-person security team. But you do need a plan that works for a cloud-first, IP-heavy business. Here’s mine.

1. Use the Cloud Security Tools You Already Own

You’re probably already paying for enterprise-grade security features. Turn them on.

On Microsoft Azure:

  • Defender for Cloud: Detect misconfigurations, malware, and risky settings.
  • Sentinel: Security analytics and threat detection.
  • DLP & Microsoft Purview: Prevent IP and research leaks across Teams, SharePoint, and email.
  • Defender for Cloud Apps: Track SaaS sprawl and OAuth risks.

On AWS:

  • GuardDuty: Real-time threat detection and alerts.
  • Security Hub: Centralised risk view across AWS services.
  • IAM + KMS: Fine-grained access control and encryption key management.
  • Connected App Reviews: Audit OAuth and API app integrations.

Set alerts. Monitor changes. Review configurations monthly.

2. Lock Down Identity, Access, and Data

  • MFA Everywhere: No exceptions, no delays.
  • Least Privilege: Don’t give admin rights unless absolutely necessary.
  • Credential Hygiene: Rotate secrets; store them in Key Vault (Azure) or Secrets Manager (AWS).
  • Segment R&D Environments: Separate IP-heavy workloads from finance, HR, and business ops.
  • Encrypt Everything: In transit and at rest. Use customer-managed keys for sensitive data.

3. Train for the Threats of 2025

Phishing isn’t just email anymore. Your staff need to be trained for:

  • Quishing: Fake QR codes that install malware or lead to credential harvesters.
  • Vishing: Calls from deepfaked executives or suppliers.
  • Fake video calls: Deepfakes of board members or partners requesting documents.
  • Business email compromise: Fake invoices, altered payment instructions.

Simulate these scenarios monthly. Keep it realistic. And build a no-blame reporting culture—you want incidents surfaced fast.

4. Prepare for the Breach—Because It Will Happen

  • Automate Cross-Region Backups: Especially for research data and regulatory submissions.
  • Test Disaster Recovery Quarterly: Restoring is not plug-and-play. Practice like it’s game day.
  • Keep R&D Snapshots Offline: Isolated storage can prevent ransomware spread and data loss.

Your IP is irreplaceable. Treat it like crown jewels, not just another folder.

5. Audit Your SaaS and Supply Chain Access

Third-party apps and vendors are often your weakest link.

  • Review OAuth and app permissions quarterly.
  • On Azure, use Defender for Cloud Apps to flag unused or risky apps.
  • On AWS, use the Connected App list to track what’s talking to your data.
  • Add security clauses into vendor contracts: include breach notifications, minimum controls, and audit rights.

And always ask: Do they need access to that data? If not, revoke it.

6. Give the C-Suite Metrics That Matter

Executives focus on risk, cost, and reputation. Produce a monthly cloud security dashboard to track business-relevant metrics and identify where you need to improve:

  • % of staff with MFA enabled
  • DLP events involving research/IP
  • Number of connected third-party apps
  • Training completion rates
  • Number of critical misconfigurations or policy violations

Tie these to business outcomes: funding readiness, compliance status, and operational continuity.
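As an added illustration (not code from the article or its author) of the quarterly app review in section 5 and the dashboard in section 6, the script below takes a constructed user export and a constructed list of OAuth app grants, flags apps with broad scopes or no use in 90 days, and produces the board-level figures. The export shapes, the high-risk scope list, and the review date are assumptions.

```python
from datetime import date

# Constructed sample exports (not real tenant data); the field names are
# assumptions, loosely modelled on an identity export and an OAuth-grant export.
USERS = [
    {"upn": "alice@example.com", "mfa": True,  "training_done": True},
    {"upn": "bob@example.com",   "mfa": False, "training_done": True},
    {"upn": "carol@example.com", "mfa": True,  "training_done": False},
    {"upn": "dave@example.com",  "mfa": True,  "training_done": True},
]
APP_GRANTS = [
    {"app": "LabNotebookSync", "scopes": ["Files.ReadWrite.All", "offline_access"], "last_used": date(2025, 5, 2)},
    {"app": "SlackConnector",  "scopes": ["User.Read"],                             "last_used": date(2025, 6, 20)},
    {"app": "OldSurveyTool",   "scopes": ["Mail.Read"],                             "last_used": date(2024, 11, 1)},
]
# Scopes that give an app broad reach over research files or mailboxes (assumed list).
HIGH_RISK_SCOPES = {"Files.ReadWrite.All", "Mail.ReadWrite", "Mail.Read", "Directory.ReadWrite.All"}
UNUSED_DAYS = 90
REVIEW_DATE = date(2025, 7, 1)  # assumed date of the quarterly review

def review_app_grants(grants, today, unused_days=UNUSED_DAYS):
    """Return the apps to raise in the quarterly review, with the reason for each."""
    findings = []
    for g in grants:
        reasons = []
        risky = sorted(set(g["scopes"]) & HIGH_RISK_SCOPES)
        if risky:
            reasons.append("broad scopes: " + ", ".join(risky))
        if (today - g["last_used"]).days > unused_days:
            reasons.append(f"unused for >{unused_days} days")
        if reasons:
            findings.append({"app": g["app"], "reasons": reasons})
    return findings

def board_metrics(users, grants, today):
    """The monthly dashboard figures listed in section 6 (DLP events would come from a separate export)."""
    n = len(users)
    return {
        "mfa_pct": round(100 * sum(u["mfa"] for u in users) / n, 1),
        "training_pct": round(100 * sum(u["training_done"] for u in users) / n, 1),
        "connected_apps": len(grants),
        "apps_needing_review": len(review_app_grants(grants, today)),
    }

if __name__ == "__main__":
    for f in review_app_grants(APP_GRANTS, REVIEW_DATE):
        print(f["app"], "->", "; ".join(f["reasons"]))
    print(board_metrics(USERS, APP_GRANTS, REVIEW_DATE))
```

Swap the constructed lists for your own exports and the same two functions give you the review list and the dashboard row each month.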

Final Thoughts: Security Is Commercialisation

If you’re in science and tech, your ability to protect your research and data is part of your business model.

This isn’t paranoia; it’s about staying competitive. When you secure your IP, prove control over your cloud environment, and train your team to spot social engineering, you don’t just reduce risk: you build credibility with investors, partners, and customers.

So let’s recap. Here are 6 actions you can take now to avoid becoming a victim of the next phishing or social engineering scheme:

  • Enable MFA on every account—human and machine.
  • Audit your Azure or AWS environment with Security Hub or Defender.
  • Run a phishing simulation that includes voice, SMS, and video threats.
  • Review all third-party apps and OAuth permissions.
  • Test your disaster recovery plan.
  • Start tracking metrics for the boardroom.

If you need help setting this up—or just want a quick review—I’ve worked with enough S&T startups and growth-stage firms to know what’s worth your time.

You don’t need to be unbreakable. You just need to be prepared.

And in a world of AI-enhanced fraud, that’s your real competitive edge.
