On July 19, two prominent names in the startup ecosystem–Cleartrip and PB Fintech (parent entity of Policybazaar)–suffered major data breaches in their respective IT systems.
The platforms have clarified that a thorough review is being carried out, that no sensitive information or customer data was revealed, and that appropriate legal action and recourse according to the law were pursued.
This comes on top of a data leak affecting 3.4 million Paytm Mall users, which took place two years ago and is now surfacing again. The issue was brought to light after Troy Hunt–the creator of Have I Been Pwned, a website that lets users verify whether any data breaches have affected their personal information–tweeted an old report on the breach.
The disclosed data was found to contain details such as names, emails, phone numbers, genders and dates of birth. It also included earnings levels and previous purchases.
Paytm denied the claims at the time and continues to do so now.
While no system can guarantee 100% security, a stronger security plan is crucial, particularly for new-age startups that cannot hide from the eyes of hackers.
“Breaches continue to occur. All platforms are at risk. Hackers are constantly looking for the weakest link. One way to stop this is to stay on top of the game,” claims Venkatesh Sundar, co-founder and CMO of SaaS cybersecurity firm Indusface.
One of the main reasons a data breach could pinch a startup more than a conventional business is its delicate relationship with its customers. For a startup, building trust is an ongoing process, and any breach could weaken this connection.
Security is a heightened concern for business-to-business (B2B) companies, especially Software-as-a-Service (SaaS), as clients would not want to integrate with platforms that lack security.
This may not be as much of a problem for direct-to-consumer (D2C) and business-to-customer (B2C) companies.
“It’s only when we (consumers) are informed of an incident that we realize the severity of the issue,” said Venkatesh.
He continues, “Some companies do all the right things but are hit with a lawsuit. Due to the way they respond to the breach, certain companies win consumer trust back. But what happens to the rest?”
Not a top priority
The issue is even more critical considering that startups do not invest in securing their systems or place cybersecurity at the top of their list of priorities.
Experts told Business Headers that many companies do not invest in cybersecurity for various reasons, most notably a lack of resources. The majority of them are operating their systems in high-risk environments.
“They (startups) are aware of the intention and are aware, but aren’t able to accomplish enough by themselves. They aren’t equipped and require a partner expert. No one is putting this issue under the rug,” says one of the experts, asking for anonymity.
At present, companies are required to report any cybersecurity vulnerabilities and data breaches to the Computer Emergency Response Team (CERT-In), which is a division of the IT ministry, but these notifications aren’t required.
“No one takes these seriously,” says another expert who is seeking anonymity. The policy can be an incentive for companies to consider cybersecurity as a top priority. Experts suggest that this must be more autonomous.
“It isn’t a top priority for startups. They believe they’re too small to be on the radar of hackers. If there’s the possibility that it happens, it will occur,” he says.
The seriousness of attacks
After a security incident, the first step for any company is to conduct an audit of all its systems and to fix the flaws.
However, for Cleartrip and PB Fintech, simply fixing the weaknesses would not be sufficient.
“These security breaches are very grave. This means that they must revise their vulnerability assessment to ensure that this doesn’t occur. When companies are impacted, they are aware that they must do something regarding the security of their systems,” says Biju George, co-founder and CTO of InstaSafe, a company based in Bangalore.
Adding to this, another expert, on condition of anonymity, states, “Any breach in which consumer information is at risk and is accessed by those who are not the intended recipients is a serious matter. It’s impossible to dismiss the seriousness of this problem.”
“To reduce the risk to information about their customers, these platforms (particularly fintechs) must review their systems to distinguish the data of customers from the external systems and likely use two distinct gateways so that, even if they are exposed to external data, it won’t affect customer data,” says Biju.
What must startups do?
The next step is to reevaluate the security of the affected businesses' applications. After all, an enterprise has multiple applications running at the same time.
“Applications are at the core of every business. They are the points of contact through which the vast majority of interactions between users occur. Security of such applications is not the sole responsibility of cloud computing or hosting companies; they serve as enablers. A small loophole can be enough to allow an entry point for theft of data,” says Venkatesh.
There are a variety of measures startups may choose to take to ensure the security of their platforms and their data. Experts advise:
1. One of the most prominent examples is ‘red team security testing’, where an independent security team made up of “ethical hackers” poses as an attacker to determine the vulnerabilities and risks within a controlled environment.
2. Second is the ‘vulnerability assessment’, which must be conducted each time there is a major update or change in technology infrastructure. Experts recommend that startups undertake manual pen testing (a detailed, hands-on test conducted by a real person who tries to find and exploit weaknesses within your application). Automated assessments are also highly recommended and should be conducted regularly to ensure that security checks are completed for all the moving components of the application stack (not necessarily code changes, but the components it connects to).
3. Experts recommend the use of a well-managed web application firewall, in conjunction with companies that offer managed services for virtual patching and zero-false-positive monitoring.
4. A responsible disclosure policy, also known as a vulnerability disclosure policy, which encourages anyone who becomes aware of weaknesses in an agency's website or ICT system to notify the agency.
5. Make sure that your vendors and execution partners provide managed services in conjunction with their products.
6. Store data in a secure format using strong encryption. Strong encryption algorithms require a lot of computational power to break. This could make it difficult for hackers to sell the information, because decrypting it takes a long time.