Millions of personal records leaked (including yours and mine), credit card information stolen, attacks on power grids, cyber attacks on countries!
The above sentence would have made a nice plot for a sci-fi movie a decade or two ago. But in the last couple of years, all of the above have become reality, and Covid-19 only accelerated the process. Businesses went completely remote overnight, employees had to be given full access from outside the office network, and customer information was being accessed from wherever employees happened to be. Businesses worked hard to ensure a soft landing for their teams and quickly adapted their solutions to the new reality, be it by building new solutions or modifying existing ones to make themselves WFH ready: Zomato had to re-think their gold membership, Cult Fit did an excellent job of transitioning into online fitness sessions, and so on. Sadly, while all of this was happening, security was not the first thought, and hackers knew how to exploit that.
Cyber-attacks on some of the biggest Indian startups like BigBasket, Juspay, Unacademy and White Hat Jr. took the industry by storm during the pandemic last year. Upwards of 50 Mn records stolen! Well, that is indeed something.
While many of these incidents made headlines across the country, several small-scale attacks remain unreported too. Many incidents of malware infecting and hacking websites every day went unnoticed just because the victims are not as famous as the Zomatos or BigBaskets of the world. While these breaches were huge, the ‘incident response’ of these Indian startups was indeed commendable: they issued relevant public statements, explained what went wrong and what steps they took to remediate things. Professionally and responsibly handled indeed. Still, the idea should be to ensure that such incidents never happen in the first place or, even if they do, that they are of a much smaller scale. This is only possible with continuous security audits, real-time protection and early threat detection.
Gone are the days when a company’s technology plan was considered secondary to other processes. In the present scenario, where SMEs and startups are taking their businesses online overnight, a strong technology strategy is required to define the overall business strategy of these enterprises. According to the World Economic Forum, cybersecurity is the number one worry for CEOs around the globe. According to IBM, Indian companies witnessed an average $2 Mn total cost of data breach in 2020, an increase of 9.4% from 2019. Another survey by Barracuda Networks disclosed that 66% of Indian organizations have had at least one data breach or cybersecurity incident since moving to a remote working model during the pandemic.
The Saga of Data Breaches & Data on Sale
A data breach leads to reputation damage and directly impacts an organization’s balance sheet. India’s most popular e-grocery startup, BigBasket, was the victim of a security breach that compromised the data of at least 20 Mn users. The database of BigBasket was being sold for over $40,000 in the cybercrime market.
Another incident that made headlines during the pandemic was the cyber-attack on the home delivery app Dunzo. The company reported a breach in July 2020 in which the personal data of 3.4 Mn users was exposed.
The hackers did not even spare the edtech startup Unacademy, which suffered a massive data breach in January 2020 in which data of over 22 Mn users went up for sale.
Some of the new age unicorn startups such as Zomato, Uber, Oyo and Airbnb have disrupted the way in which people travel, eat and transact; in short, they have changed our lifestyles. All these startups put technology at the center of their businesses and have ended up making a significant impact on the global technology landscape.
These startups use cutting-edge innovation and gather a broad range of information to offer exclusive services and products to their customers. Such a huge database of information online is an obvious target for any hacker, and the repercussions of even a small data breach can be dangerous.
With the startup industry expected to boom soon, it is important for CEOs and executives to focus their strategies on ensuring a much safer online business model for their employees and customers.
Here are 5 simple ways to protect a startup against a cyberattack in 2021
- Secure those buckets & tokens: One of the biggest sources of data leaks is misconfigured servers (AWS, Azure, Google Cloud etc). As startups grow, their infrastructure quite obviously expands rapidly. This increases the attack surface available to hackers too, and new servers set up in a hurry to meet demand often have some security loophole that proves fatal.
We’ve been tracking a massive rise in cases where misconfigured servers give hackers access to secret keys, essentially letting them access millions of records. The key is to ensure these servers are both checked internally and audited by external security companies for the best configuration from a security perspective.
- Get regular security audits: This cannot be stressed enough. The more frequently new features and code are churned out, the more frequent the security audits should be. Businesses should get at least monthly vulnerability scans to uncover vulnerabilities before hackers do.
Such vulnerability assessments should become a part of an organization’s development cycle.
- Encrypt at rest & in transit: If worse comes to worst and there is a data breach, hackers should not find your critical data in plain text. Make sure all data is stored in encrypted format with strong encryption. This makes selling the data even more difficult for hackers, as breaking strong encryption algorithms takes heavy computation power and decades.
If you’re continuously making your app or website secure, you should tell customers about the steps you’re taking and how much you value the trust they’ve put in your application by sharing their data. Why wait for a security breach to talk about the security best practices you’ve followed?
- Train team to prevent social engineering: There’s a saying in the cyber security industry that humans are the weakest link in security. With the world going all ‘remote’, this becomes even more real, because in an office setup you could have ensured that certain standards of security are met while customers access critical data from the office network. Now the world has become your office network, which means that apart from investing in VPNs and secure remote access tools, the key is training employees to resist targeted phishing attacks and other techniques where attackers trick employees into giving out sensitive information. You are only as secure as your weakest link!