Despite the raging pandemic and the associated impact on the economy, 11 Indian startups achieved the status of a unicorn in 2020. In 2021, in just five months, India added 14 startups to the unicorn club. A recent press release by the Ministry of Commerce & Industry has stated that 50,000 startups have been recognized as startups by the Department for Promotion of Industry and Internal Trade (DPIIT).
While startups are growing at an exponential rate, they are attracting attention from genuine investors and also from threat actors. With many startups holding a treasure trove of consumer data, hackers are increasingly focusing on Indian startups. In April this year, Inc42 reported that a B2B packaging marketplace suffered a data leak that exposed close to 2.5 Mn files. In the same month, a popular online discount broking firm was reported to have had a significant data breach pertaining to 2.5 million users. Last year as well, multiple startups were impacted by ransomware and data breaches that compromised email addresses, phone numbers and personal information of multiple users. As one can see, this is a reflection of the continued adversary focus on Indian startups.
Most emerging startups have a small team, and security is not considered an important priority for most of them. Unless demanded by the client or investor, security is normally an afterthought. Speed to market is the most critical factor for success for many startups, and in the rush to release a product quickly, security considerations are overlooked. In some cases, startups choose convenience over security. Many startups do not have a professional dedicated to handling security. This exposes the startup to several risks, as their systems may have critical vulnerabilities.
What Can Be Done To Improve The Security Posture?
In many data breaches, information related to customer passwords, usernames or credit cards can be accessed via a simple search on the Internet.
Most startups today use cloud infrastructure and platforms. Despite the cloud provider’s advisory on secure configuration, many startups leave their data vulnerable.
A lot of data breaches have happened because of misconfigured cloud storage settings. Even today, there are many instances of misconfigured cloud-based storage, which leaves the data exposed. If the storage is kept private, access to it is restricted. A further layer of security can be added with two-factor or multi-factor authentication.
This is also applicable for backups, which a lot of startups fail to secure. Encryption on databases should be a default option, and all access must be given multiple layers of authentication. This simple step alone will prevent many data breaches. This also requires organizations to understand how their sensitive data is stored and accessed. Any deviations in behavior in accessing data must be observed, and alerts issued to the key stakeholders for investigation and monitoring.
It is equally important to restrict access to production servers and to ensure systems are updated with the latest patches, not only for operating systems but also for the applications running on those systems. Any unpatched system or open port can leave the company’s network and infrastructure vulnerable to attacks. Similarly, firewalls, intrusion prevention systems, identity and access management solutions and zero trust solutions can be used for preventing unauthorized access.
In this age of remote working, endpoint protection solutions like EDR can help enterprises in monitoring user systems in real-time and prevent installation of malware or exfiltration of data. Phishing attacks, which are another extremely popular and effective technique used by threat actors today, can be prevented by using email services that have built-in malware scanning and URL filtering.
It is extremely critical to monitor and assess third-party vendors, who may not meet the required security standards set by your firm. Every third-party vendor or supplier must ideally adhere to the same security protocols or policies. This must include a standard SLA for handling and storing data, which third-party vendors or contractors acknowledge and adhere to. Software must also be regularly scanned and assessed to detect any vulnerabilities, which must then be addressed.
It is equally important to ensure that employees are made aware of the latest threats, as any door opened by them inadvertently (such as by clicking on a malicious phishing email) may put the entire network at risk.
As a startup cannot possibly monitor every possible threat, it makes sense for startups to go in for the services of a managed services security provider, who can proactively handle all the latest threats using the latest technologies.
In conclusion, security is always a continuous journey, and not a milestone. Startups can follow some of the best practices and processes mentioned above to significantly improve their security posture.