Tech startups are not taking cybersecurity as seriously as traction and valuation
On a Sunday morning in September last year, a Bengaluru techie woke up to a rude shock. Four text messages in quick succession each said that INR 50,000 had been debited from his account. The 28-year-old, who works for a mid-tier IT consulting firm, lodged an FIR and a formal complaint with his bank. But he still wonders how this could have happened in the first place.
Cybersecurity breaches are nothing new in India, but there has been a significant rise in data leaks reported over the past year. More importantly, the likes of Dunzo, Juspay, BigBasket, Unacademy, WhiteHatJr and others, leading Indian tech startups with millions of users, were at the centre of those incidents, affecting more than 148 Mn users.
These companies benefited a lot when people stayed at home during Covid-19 lockdowns and shifted to online services for every need. For instance, BigBasket hit the $1 Bn gross merchandise value mark in May last year and reported an 84% increase in new customers in September compared to pre-pandemic times. Meanwhile, Dunzo saw the average ticket size of its orders double while the weekly number of transactions per user rose by nearly 30%.
But the question is: Are they as concerned about safeguarding user data as they are about traction, valuation and scaling up?
“Distressing to see so many financial data leaks amongst Indian startups. Every few weeks, we see some fintech (or ecommerce) data get hacked or on-sale. Guess most startups are over-indexed on sales, logistics, servicing, but inadequate on security/privacy,” tweeted Amit Ranjan, cofounder of Slideshare (acquired by LinkedIn) and architect of the Indian government’s DigiLocker project.
According to the government, India saw as many as 375 cyberattacks per day in 2020, 37% more than the previous year. And this is expected to continue in 2021 as digital transactions rise through UPI and hundreds of thousands of users from remotest corners of India are brought into the fold of high-speed internet, says a note by the cybersecurity company Kaspersky.
But the threat of a data breach is not just limited to online users losing their money. Think of the massive breaches involving children who are registered with edtech companies. The data leaked in recent times included personal information, photos, videos and even private conversations.
At a time when data is considered the new oil, hackers are putting up ‘data dumps’ with personal details of millions of users for sale on the dark web. Holding a company’s data for ransom is no longer the only monetisation channel for cyberpunks in hoodies.
Are Startups Putting Up A Fight?
Currently, Indian startups look at cybersecurity as an added cost, say experts. Companies often debate whether they need stringent measures right at the inception or after raising several rounds of funding. Cybercriminals are aware of what is happening on the ground and what makes Indian startups susceptible to the most basic cyberattacks.
“Startups typically test less than 5% of their systems, and that too, only once or twice a year. But hackers are at it all the time; they are always trying to attack all the systems. They just need a small window of vulnerability to break into it. Moreover, less than 1% of tech startups have a dedicated security leader to focus on these things,” says Bikash Barai, cofounder of Firecompass, a cybersecurity company.
Lack of investments and dedicated hires for cybersecurity means critical holes in software architectures may go unnoticed more often than not. For instance, most of the recent attacks happened as the internal APIs were not as secure as they should have been.
This is not entirely unexpected as tech startups rush through their engineering processes, and software developers are only paid for specific tasks, which may not include building a robust security system. Besides, most developers are neither skilled in building security architectures nor inclined to put in the extra effort to plug security gaps.
Only a handful of Indian tech startups such as Flipkart, Zomato, Ola, Paytm and Razorpay have woken up to the challenges and costs of cybersecurity lapses. Consequently, they have adopted practices such as ‘bug bounty’ programmes — they will pay anyone who spots an issue and reports it to the company.
An effective bug-bounty strategy may help startups with cost management. But is crowdsourcing security the right alternative to developing dedicated cybersecurity solutions?
Anirvan Chowdhury, who covers investments in deeptech, healthcare and SaaS at Blume Ventures, says, “It all boils down to how important cybersecurity is for their businesses, how crippling a threat could be and what kind of data they are dealing with. It also boils down to what kind of capital they have. Some B2B SaaS players cannot even operate without a robust cybersecurity system because they will not get enterprise customers if they cannot protect customer data.”
Chowdhury thinks that cybersecurity is one of the top priorities when VCs look at B2B startups for funding. It has also become a boardroom topic as consumer tech companies realise that their users will flock to a different platform if their data is not safe.
Early-stage startups also find it difficult to figure out which area of cybersecurity should have utmost importance so that they can invest wisely, say cyber experts. The choices are many. Besides MNCs like Kaspersky, Symantec and IBM, around 250 Indian startups offer cybersecurity products in network security, data leakage prevention, malware detection and more. But for a small company, pressed for time and resources, not much guidance or handholding is available regarding the most appropriate and cost-effective products to keep its business cybersafe.
But that cannot be an excuse for unicorns or other startups flush with VC money. “Startups which have raised Series A funding or above typically spend around INR 20-80 Lakh in cybersecurity, but it is less than 1% of their IT spending. Ideally, it should be 5-10% of their total IT spend, and the gap is quite a big one. Startups need to spend 10-20x of what they are spending right now to be on a par with their mature enterprise peers,” says Barai of Firecompass.
However, low investment in cybersecurity is not the only problem. What worries most is the lack of transparency as companies rarely reveal incidents of data breaches. These are mostly exposed by blogs and cybersecurity watchers who trawl the dark web for data dumps.
Indian Laws Fail To Keep Pace
The regulations governing the internet in India include the Information Technology Act and the Intermediary Liability Guidelines, but neither details how data breaches should be handled by companies nor how they should compensate users in such cases. Again, the lack of proper implementation is another cause of concern.
“There are provisions under the Information Technology Act for dealing with unauthorised access to data or destroying personal data, but they have not been enforced traditionally due to a weak enforcement structure. It is as if no legal procedure exists because there is no well-defined process in place for people to obtain a legal resolution,” says Apar Gupta, a lawyer and executive director of Internet Freedom Foundation.
That is not the case with banks as they need to inform the Reserve Bank of India within six hours of a breach. The central bank made an example of YES Bank for delayed reporting by slapping a $1 Mn penalty in 2016. As for payments companies, there are guidelines for informing the Payments Council of India (PCI) and merchant partners, but these do not specify any time frame or penalty.
In Europe, companies must disclose any data breach to the regulator within 72 hours of becoming aware of the incident. Businesses in the US need to report within different time frames but under 90 days, depending on the jurisdiction.
There is no such law in India, though. Although two and a half years have elapsed since the Justice Srikrishna Committee submitted a draft Personal Data Protection Bill with a provision that requires data fiduciaries (companies and government bodies holding user data) to inform the respective regulators of data breaches, it is yet to become law. Moreover, the draft Bill does not specify any time frame within which a data fiduciary should inform a regulator about a breach.
Besides, it is not mandatory for a company to inform its users about a breach unless a regulator deems it necessary. Interestingly, regulators will also make their decisions on a case-by-case basis. Given this scenario, cybersecurity has definitely taken a backseat in terms of priority as far as tech startups are concerned.
It is high time that the government gets its act together in stitching regulations which will streamline the country’s burgeoning startup ecosystem. Until now, it has been lax in formulating clear policies for internet businesses across the spectrum, be it ecommerce, cryptocurrency or electric vehicles.
The cost of the delay in bringing out a personal data law is huge as cybercrimes cost the country INR 1.25 Lakh Crore in 2019 alone, by the government’s own admission. But the stake could be higher for tech companies as they stand to lose the trust of India’s 330 Mn digital consumers.
Barai of Firecompass, a founder often lauded in software circles for making one of the earliest exits in this space, thinks a word of caution is necessary. “Traditionally, tech startups did not focus on cybersecurity as their biggest pain points were more existential like growth or product-market fit. But the exponential rise in the number of breaches means boards, investors and the management will have to change their outlook. Today, cybersecurity can pose an existential threat to the entire startup ecosystem,” he said.
Will Regulators Take Action?
Cybersecurity should be one of the most important talking points for the entire tech community. But it has deeper implications for sectors like healthtech and fintech as regulators may be forced to come up with harsh actions after a breach.
Bengaluru-based payments processor Juspay’s recent data breach is a case in point. As the details of 10 Cr digital transactions went up for sale on the dark web, the RBI reached out to key stakeholders, including the PCI, to ask about the status of bringing non-bank payment aggregators under the regulatory purview of the central bank. In March last year, RBI came out with a notification requiring all payment aggregators to seek its authorisation before June 30, 2021.
The central bank may also launch a full-fledged probe into the breach to determine the vulnerabilities faced by digital payments companies. According to reports, the PCI will soon brief the RBI on the possible measures to address these security gaps.
Meanwhile, sources privy to the development have told Inc42 that the RBI sent letters to all banks and prepaid payment instruments (PPI), instructing them to notify the central bank immediately if they notice a data breach on their servers.
This is still a slap on the wrist, given the economic and geopolitical factors at stake when it comes to data breaches. Nevertheless, it is a wake-up call.
There is enough scope for improvement in data breach prevention and recovery. As the country’s startups mature to take their rightful place among the most innovative tech landscapes globally, they should come to grips with rising cybersecurity threats before it is too late.
Until next time,