By the end of 2012, Sanjiv Singhal and his two co-founders had everything in place to launch their mutual funds startup Scripbox, but decided to hold off for a month until they were sure they were safe from every kind of cyber attack. Getting a penetration test — hiring an external agency to hack into the system to identify vulnerabilities — took a month longer but they preferred to wait rather than run the risk of exposing future customers’
“Being a financial services company, we had to make sure that we had a comprehensive policy on cybersecurity. Security is not something you can do post-facto. It has to be included when you are starting a business,” says Singhal.
Not all startups, however, pay as much attention to security. A recent survey by cybersecurity startup FireCompass found that cybersecurity preparedness is abysmal among most Indian startups. Small companies scored eight out of a total of 100 for security maturity, and fintech startups are among the worst prepared. The survey also found that banks and telecom companies are better placed to handle cyber attacks, with a score of 61 each. Another study found that two thirds of small UK businesses were attacked by hackers in the past two years. India has no such data on the number or extent of attacks.
In their race towards funding and growth, startups tend to push security way down the list of priorities, but they’re not the only ones. Data breaches have made headlines quite a few times this year. It came to light that data of 57 million Uber customers and drivers was stolen in 2016, and the company paid hackers $1 million to keep it under wraps. A few months ago, 17 million user records were stolen from Zomato, making it the sixth largest data breach this year. Yahoo revealed that every account in its database had been compromised in 2013 in one of the largest cyber attacks in history.
A week before Zomato’s database was hacked, Chennai-based InfySEC, an IT network security management company, managed to crack the restaurant discovery service’s database. “We got user names, email ids, addresses, history of transactions, everything. We informed Zomato but did not hear back from them,” says Karthick Vigneshwar, director, InfySEC.
Startups tend to think they’re too small to be targeted by hackers, but it’s precisely their size, lack of protection, and storing of information on the cloud that makes them attractive to hackers.
Betterplace Safety Solutions, a background verification platform for workers, stores profiles of around four million people. But the startup took a while to get its defences up. “We needed to have significant funding and a sizeable database before cybersecurity became our top priority,” says Pravin Agarwala, founder and CEO of BetterPlace. “When you are just beginning and haven’t raised money, security is rarely a priority because the amount of money you can invest is quite limited. We didn’t do a lot of cyber tests until we grew,” he says.
Betterplace now has a three-step approach: First, an encrypted website with clean servers is tracked by an in-house team. The second step is to use standard tests available in the market to check for unsecure data. The last step is to hire ethical hackers to find loopholes.
Startups usually work with a few individual ethical hackers rather than large security firms for reasons of flexibility, but even that is expensive. Agarwala spends about Rs 5 lakh a month on ethical hackers, no small amount for a three-year-old company.
Apart from funding constraints, trust remains a challenge. “You can never be sure if the faults that have been found by the hackers really exist or not, and whether they’ve found all the gaps,” he says.
Fintech companies have to focus on security from Day 1. “There is exchange of important information every time a customer interacts with us, and we have always ensured 100% data safety. It does cost some money, but it is a mandatory part of business,” says Archit Gupta, founder, Clear Tax.Since it is a cloud-based service, the company needs the right security to prevent man-in-the-middle attacks, where an attacker alters the communication between two parties.
Chennai-based BankBazaar uses a multi-layered approach to deal with cybersecurity issues. Both ClearTax and BankBazaar say that the biggest challenge for fintech companies is rapidly changing technology and threat profiles, and the consequent requirement to continuously upgrade security systems.
While India has spawned several cybersecurity startups in the last few years, startups form just about 10% of their client portfolio. “For small and medium enterprises, the priority generally ends up being the core business, and security takes a back seat. The perception is, ‘I am too small to be a target’. Financial wherewithal is also a factor,” says Pankit Desai, CEO, Sequretek, a Mumbai-based security startup.
IBM, through its Global Entrepreneur Program, has worked with over 1,000 startups over the last three years, helping them secure their businesses. “While they may not talk about security at first, when we work deeply with them, we definitely include it in the blueprint. A company needs to build a security culture from Day 1, says Seema Kumar, country leader, developer ecosystem and startups, IBM India/South Asia.
Tarun Kaura, director, product management, APJ, Symantec,says the lack of rules is another reason startups skip security protocols. “Till the government comes out with a policy on this, many of the smaller businesses will not act on it,” he says.
Desai of Sequretek says that while regulations could be seen as an additional burden for small companies, including a section on data security and privacy as part of the Companies Act could make a difference. “One of the recommendations of the Sebi panel on corporate governance reforms, led by Uday Kotak, was to have a board-level committee that would look at cybersecurity just like an audit committee,” he says.
Employees can also be weak link when it comes to security. So training them to spot suspicious emails, malware and dubious links, think critically about security, and be on guard at all times is important. SaaS firm Freshworks has a security programme called Samurai. “It is a security framework of people, process, and technology that evolves to protect against the changing and challenging cyber security threat environment. Our employees are the centre and safe perimeter of the framework,” says Vijayendran Sridharan, chief information security officer at Freshworks. Sridharan leads the security induction for all new staff so that the message and objectives are clear.
“Many companies are working on innovative solutions to tackle this raging issue, but it’s never going to be enough,” says Rohas Nagpal, chief blockchain architect, Primechain Technologies, who has worked in the security space for over two decades. “Technology is growing too fast and the bad guys always seem to be a step ahead.”