Why startups should focus on cybersecurity

Image: Shutterstock

The recent data breach at online groceries leader BigBasket spotlighted the Indian startup ecosystem’s need for more robust cybersecurity. Various media reports show that other well-known startups have also been recent targets of cyberattacks, some of which have been successful. Industry experts and analysts say that Indian startups need to invest in security right from the beginning, and build security into the very DNA of their organisations and partner-managed security service providers, where budgets might be a constraint.

In the first quarter of 2020, there was a 131 percent increase in malware compared to the same period in 2019, according to Fortinet, an enterprise security provider. The significant rise in viruses is mainly attributed to malicious phishing attachments that come with emails. “As users were connected to their home networks, adversaries had multiple avenues of attack,” says Rajesh Maurya, regional vice president, India and SAARC, Fortinet. Malware target devices including routers, tablets, gaming and entertainment systems, and Internet of Things (IoT) devices such as digital cameras and smart appliances, with the ultimate goal of finding a way back into a corporate network and its valuable digital resources, he says.

The most Covid-19-related lures took place in April and May, and email-based threats were by far the most dominant; the numbers have since dropped. These threats were in the garb of layoff notices sent to employees, false purchasing orders, messages from HR departments—anything that could exploit the huge shift in the work environment that employees were experiencing.

Of the enterprises Fortinet surveyed for the Fortinet 2020 Remote Workforce Cybersecurity Report, 60 percent revealed an increase in cybersecurity breach attempts following the transition to remote working, while 34 percent reported actual breaches in their networks.

The sudden move to remote working has put the agenda of cybersecurity on the front burner for almost all organisations in India, says Prateek Bhajanka, senior principal analyst at Gartner, a consultancy. According to Gartner, the information security market in India is expected to grow at a rate of 8.5 percent and 12.1 percent in 2020 and 2021 respectively, compared to the global growth of 6.6 percent and 9.2 percent.

Cyberattacks are certainly on the rise in India, and one of the prime reasons is the volume of data that startups have in the region, followed by the lack of cyber maturity, which makes Indian organisations an attractive target. Attacks like ransomware, phishing, and social engineering have become a common occurrence amid the pandemic, Bhajanka says.

According to researcher IDC’s Worldwide Future of Trust predictions, budgets for modern software-defined secure access solutions will quadruple by 2022 as flaws in legacy virtual private network-based remote access solutions are exposed by the massive work-from-home migration, says Shweta Baidya, senior research manager, software and ICT practices for IDC India.

Factors helping hackers

To keep pace with emerging threats and new risk exposures, the average enterprise now deploys 47 different security solutions and technologies. All of these separate tools—especially when they have individual management consoles and operate largely in isolation—make it difficult to correlate events and execute a consistent, coordinated response to threats, says Fortinet’s Maurya. And at the same time, security teams have been increasingly stretched, with 65 percent of organisations saying they lack the skilled staff, especially as tool-specific proficiencies become harder to maintain.

In today’s environment there is a lot more data and far more alerts that security operations centre analysts must review, in part due to the sudden increase of traffic from outside corporate networks due to employees working remotely. The increase in traffic, and resulting log files, increases the chances of an alert falling through the cracks. Because of the proliferation of advanced attacks, today’s compromises can occur in a matter of seconds, which means that “relying on manual human intervention to perform incident response is no longer a viable security strategy,” says Maurya.

Cybersecurity not only needs to protect information services but also operational technology. The threats are well beyond what is on a traditional computer screen and are now present in cars, manufacturing equipment, and critical infrastructure. Our likes and dislikes on social media platforms, bank accounts, preferences, and authentication access questions have been digitised and are targets for attackers to steal, use and profit from. “The volume and velocity of attacks are on a scale that sits between ridiculous and insane,” says Maurya. Additionally, attackers increasingly understand technology better, and in some instances have more resources and support than various organisations, he adds.

Companies in India were caught unaware and unprepared for the lockdown during the Covid-19 outbreak, just like in other parts of the world, and the threat arena widened manifold, says Gartner’s Bhajanka.

He says that some of the major factors behind the huge success rate of phishing and ransomware campaigns are: Lack of adoption of cloud-delivered security capabilities and reliance on on-premises security solutions, which prevented enterprises from delivering the same capabilities when employees were no longer connecting to the enterprise network directly; inability to keep the security definitions and systems patched—systems are only as secure as the latest update; as Indian organisations traditionally didn’t have a hybrid culture of work-from-home and office alongside, organisations had to make their enterprise resources available online in a jiffy, which increased the exposure to attacks; previously, security weaknesses weren’t exposed directly to the outside world as they were under a roof—and behind a firewall—but now those weaknesses stand exposed.

IDC’s Baidya adds that Indian enterprises still struggle with limited security budgets, thereby compelling them to use ad-hoc solutions when there is an urgent need. In certain cases, the systems have not been updated with the latest security patches, leaving a gaping hole for cybercriminals to exploit. Also, securing the perimeter is no longer enough, and enterprises are still in the early stage of developing a robust security architecture to secure data across various IoT devices, edge, networks, applications, and the cloud, she says.

Networks and data

Startups have fewer human and capital resources to spend on security, let alone address other regulation requirements. More specifically, security concerns especially surround applications and the cloud, which are the most important business development points for these companies. Applications are an increasingly common attack vector, and vulnerable software code can be exploited as an entryway into networks.

Startups need to have a robust application security infrastructure in place, designed to protect user data. This should include technology like a web application firewall enabled with current threat intelligence to identify and mitigate known and unknown threats, as well as detect and patch vulnerabilities, says Maurya.

Effective digital innovation also makes startups use a lot of cloud computing and storage. Cloud services provide consistent, scalable performance with lower upfront costs. However, the cloud must be secured differently from a traditional network or data centre. Disparate point solutions often amplify data movement while reducing visibility across these distributed environments. As a result, if data is going to be stored in the cloud, firms must ensure that the same security standards they apply to their own networks are applied in the cloud. In addition to detection and prevention, security must also be dynamically adaptable and scalable to ensure that it can grow seamlessly alongside cloud use, Maurya adds.

Fintech startups stand out as an example. These companies have been able to innovate at a rapid pace, as they are not bound by legacy IT or, especially, extreme governance. This has allowed them to churn out new products and updates at an increased rate. However, as fintech becomes more ingrained in consumers’ everyday lives, accessing and storing sensitive personal data that cybercriminals covet is an increasing challenge, and regulatory crackdowns are inevitable.

To remain competitive, even as consumers increasingly demand personalised and on-demand capabilities, fintech companies need to find a way forward that allows for technical innovation and performance without compromising security, he says.

“Indian startups aren’t adequately secured because of the lack of commitment towards security, and it being an after-thought,” says Bhajanka. The compliances and regulatory fines related to security lapse or privacy breaches aren’t very stringent and severe, which makes it easier for startups to overlook the security requirements. Also, startups often take a technology-based approach towards security without having effective governance in place, which reduces the effectiveness of the security technology, he adds.

Indian startups are also evolving when it comes to securing their network and data, says Baidya. They are investing in cloud security solutions, evaluating security analytics, and security-orchestration-automation-and-response solutions to detect and analyse threats before the threats infiltrate their systems, and take preventive measures at the earliest.

India vs Silicon Valley startups

Startups are faced with the same challenges of limited budgets and resources to manage security, irrespective of their geographic locations. They rapidly develop and deploy customer digital engagements with new tools and technologies that also continue to add complexity to their networks. When compared with larger organisations, though many do not realise it, startups are at equal risk of cyberattacks, says Maurya. Cybercriminals are looking for high-value customer data and are aware that startups are typically less equipped to defend themselves against attacks. 

Regulations and compliance can be a differentiator with far more laws and compliance requirements in place in the US than in India, he adds.

Bhajanka says that Silicon Valley startups are inherently more secured because of the cybersecurity ecosystem existing there. Startups get access to innovative as well as established security technologies. Security is not perceived as the luxury of large enterprises, and thus startups do have providers who are targeting their niche, making it much more accessible. Alongside, the compliance and regulatory frameworks such as HIPAA, FedRAMP and other rules make it mandatory for the startups to think about security proactively than reactively.

‘Zero Trust'

“Startups are in a unique and fortunate position since they are at the beginning of their IT journey. They don't have any accumulated tech debt, bad institutional habits, or outdated processes,” says John Shier, senior security advisor at Sophos, a cybersecurity company. “They have an opportunity to build security processes, technologies, and culture into the DNA of the company.”

Define the core security priorities, deploy the latest prevention and protection strategies, and ensure every employee knows that security underpins everything they do as a company, regardless of what their business is. By creating a strong security culture and implementing a ‘zero trust’ architecture from the beginning, startups can leap-frog many more established companies and set themselves apart in a very competitive marketplace.

“We often say, one can only protect what one can see, and in the past a lot of these attacks were not seen and also there was a lot of persistence and stealth in these attacks,” says Maurya. Companies didn’t have the proper inspections or management in place for all of their traffic flow. Visibility is the key, especially these days when most traffic is encrypted. Firewalls or other devices that are not capable of filtration at high speed may not show up critical threats entering a network. Companies need fast decryption and encryption, and the proper policies and inspections in place to sort the information that comes through.

Timely information is important because one needs to know the moment the attack takes place and be prepared to address it, rather than finding out months after the attack actually happened.

The key to defending against cybercriminals is getting the right model for securing, segmenting and monitoring business-critical applications. With remote working, it’s really the time to set up a strong foundation built on 'actionable threat intelligence’ and ‘zero-trust network access’. This is the new normal enterprises are heading into and it’s important to have a structured security plan. Finally, when faced with limited budgets and resources, instead of not paying enough attention to security, startups should look at managed security service providers as an option, he says.

Startups must start by “doing the simple things well,” says Bhajanka. The basic things in security such as patching, vulnerability and configuration management, privilege management and so on can help organisations reduce the ‘attack surface’ and thwart cyberattacks to a large extent. These simple things will make the hard things in cybersecurity easier. On top of effective governance, organisations should empower their workforce and turn them into ‘security citizens’ by inculcating a culture of ‘you see something, say something,’ he says.

Indian organisations have traditionally been sceptical of conducting risk-assessment tests, due to the fear of finding security loopholes and also making their security vulnerabilities public, says Baidya. However, this trend is starting to change, with an evident rise in the number of threats and some large enterprises also reported to be vulnerable to cyberattacks.

The first step towards making businesses more resilient is to identify the security gaps through a thorough risk assessment and then partner with experts in the field, such as solution providers or managed security service providers, to create a clear roadmap for phase-wise security implementation. Further, startups can build their modern networks with security ingrained and embedded from the beginning, instead of considering it as an afterthought as they do not have legacy infrastructure to hold them back.