Recent security breaches reported through Cleartrip as well as PB Fintech once again brought out the need of Indian startups to place cybersecurity at the top of their list.
On July 19, two prominent names in the startup ecosystem–Cleartrip and PB Fintech (parent entity of Policybazaar)–suffered major data breaches in their respective IT systems.
The platforms confirmed that comprehensive review is being carried out and that no sensitive information or customer information was disclosed and the appropriate legal actions and recourse in accordance with the law were pursued.
This is on top of the leak of personal data of 3.4 millions of Paytm Mall users that took place two years ago and is now resurfacing. The incident was discovered after Troy Hunt, who is the founder of the website Have I Been Pwned, a site that lets users determine if security breaches have affected their personal information–tweeted an old report on the breach.
It has been discovered that the leaked data contained information like names, emails and phone numbers genders dates of birth, earnings levels, and previous purchases.
Paytm has denied the claims, both then and today.
While no system can guarantee 100 100% security, a stronger security plan is crucial, particularly for startups in the new age that can’t be hidden from the eyes of hackers.
Read more Google Maps Brings Street View To India
“Breaches are bound to continue” occur. Every platform is at risk. Hackers are always looking for the weakest points. One way to stop this is to stay on top of the game.” claims Venkatesh Sundar, co-founder and CMO of SaaS cybersecurity firm, Indusface.
One of the primary reasons why data breaches could “pinch” an entrepreneur more than a conventional business is its delicate relationship with its clients. For startups it is a constant process and a breach could weaken this connection.
Security is a heightened concern for business-to-business (B2B) companies, especially Software-as-a-Service (SaaS), as clients would not want to integrate with platforms that lack security.
This may not be so much of a problem for Direct-to-Consumer (D2C) and business-to customer (B2C) businesses.
“It’s only that when we (consumers) learn of breaches that we are aware how serious the issue is” said Venkatesh.
He continues, “Some companies do all the right things, but they still are hit with a lawsuit. Because of how they respond to the breach, certain firms win trust from consumers back. But what happens to the rest?”
Not a top priority
The problem is made more critical, considering the absence of investment by startups to secure their systems, or placing cybersecurity on the top of their list of priorities.
Experts have told The Business headers that many companies do not invest in cybersecurity because of different reasons, most notably the absence of resources. The majority of them operate their systems in high-risk environments.
They (startups) are in the right direction and are fully aware, but they cannot be effective by themselves. They don’t have the expertise and require the assistance of a partner. There is no one who has the expertise to sweep this issue in the spotlight,” says one of the experts, asking for anonymity.
Presently, businesses are required to report any cybersecurity vulnerability and breaches of data in the Computer Emergency Response Team (CERT-In) which is a division from the IT ministry, but these notifications aren’t mandatory.
“No one is taking these serious,” is another famous expert who is seeking anonymity. A security policy is an incentive for companies to consider cybersecurity as a top priority. Experts say this should be more autonomous.
“It isn’t a top priority for startups. They feel they’re too small to be on the radar of hackers. However, if there’s the possibility that it happens, it will take place,” he says.
The seriousness of attacks
After a security breach, the initial next step for any company is to begin an extensive audit of its systems and to fix the weaknesses.
But, fixing the weaknesses to Cleartrip as well as PB Fintech would not be adequate enough.
“These incidents are extremely grave. This means that they must review their vulnerability assessments to ensure that this doesn’t occur. When companies are impacted and are impacted, do they realize they must do something regarding the security of their systems,” says Biju George Co-founder and CTO of InstaSafe the security firm based in Bangalore.
To add to this to this, another expert, who is on the subject of anonymity, claims “Any breach in which consumer information is involved , and is used by people who were not meant to the purpose, is a serious matter. It is impossible to minimize the severity of this matter.”
To reduce their customers’ data exposure, these platforms (particularly fintechs) will need to review their systems in order to differentiate customer data from external systems, and possibly use two distinct platforms in a manner that even if they are exposed to external data, it won’t affect the data of customers, says Biju.
What should startups do?
The next step is to reevaluate the security of applications for companies that are affected. Since startups have multiple applications that are running concurrently.
Applications are the heart of every business. They are the points of contact through which the vast majority of interactions between users occur. They are secure because the security of apps isn’t the sole responsibility of hosting or cloud computing companies; they are merely facilitators. A small loophole can be enough to open an entry point for theft of data claims Venkatesh.
There are a variety of measures startups can take to protect their data and platforms. Experts advise:
1. One of the most prominent examples is’red teams security testing’ where an uninvolved security group of “ethical hackers” pretends to be an attacker to determine the vulnerability and risks within the confines of a controlled environment.
2. The second comes the ‘vulnerability assessment’ Second is the ‘vulnerability assessment’which must be conducted each time there is an important change or update in technology infrastructure. Experts suggest startups conduct Manual Pen testing (detailed hands-on test conducted by a real person, who attempts to identify weaknesses and exploit them within your application). Automated testing is highly recommended to be conducted every day to ensure that the hygiene of the security checks completed for all elements of the app stack (not necessarily changes in code, but the components that it interacts with)
3. Experts also suggest using a well-managed Web application firewall in conjunction with vendors that also offer managed virtual patching and zero False negative monitoring.
4. An appropriate disclosure and policy or vulnerability disclosure policy — which allows individuals who become aware of security issues on the agency’s website or ICT system to report them to the agency.
4. Demand that your vendorsor execution partners to offer managed services along with their products.
5. The data is stored in a secure format by using high-quality encryption. Strong encryption algorithms require a lot of computational power. This makes the sale of information to hackers difficult since decrypting could take many hours.