Breaches and hacks have become almost an everyday affair. Cybersecurity teams of large companies are working with an army of Cybersecurity tools and specialists to test and defend, but medium-size companies and startups are getting hit hard. It is imperative for the startup community to come to terms that any breach is a significant brand/image and confidence issue with customers, partners, and investors. Without the luxury of a large cybersecurity budget, what is the bare minimum that needs to be done to have a proper Cybersecurity Program in place?
As part of our Cybersecurity series, CISO Platform, The Indus Entrepreneurs(TiE), Bharat Innovation Fund and CIIE.co collaborated to bring together a discussion specific to Building such a security program for startups.
Our panel was moderated by Madhurima Agarwal, Director, NetApp and the speakers were Vijayendran Sridharan, CISO, Capillary, Ravikiran Annaswamy, CEO, Numocity, Sunando Bhattacharya, CEO, IndiQus, and Ananth Ms, CISO, FireCompass.
Challenges Faced By Startups In The Security Space
- The problem of invisibility in the system where the management or the IT team doesn’t know which assets are put up in the cloud. This in turn makes the cloud server vulnerable to attacks from threat actors.
- The problem of physical security is persistent. Where a lot of people who join startups but happen to leave early but take the source code of the company along.
- Security is not the number one problem that start-ups look at when they are starting the business, and incorporating the security programs later into the system becomes a challenge.
- There are data that is sitting in the customer end that the startups need to protect too. So the security program needs to be designed in a way that both your and the customer data stays protected.
- Developers do not let go of access keys to their codes and put it up on git hub. This is a potential threat to any business as there are bots to find these access keys and manipulate them.
- There is no understanding of the asset inventory. And most startups do not test their assets.
Suggestions To The Start-Ups
- Ananth mentions most startups look at fitting security for the product in the end and that makes things complicated. While start-ups are about giving people freedom, whether they want to work remotely etc, there need to be restrictions on access. Cloud offers restrictions, so one needs to use them If the start-up does not have the budget to invest in an enterprise solution to manage asset inventory or do continuous testing, about 40% of the risk can be mitigated just by deciding who has access to what.
- Sunando talks about role-based access control where people with certain roles have access to only certain things. This should be a policy and it’s the most inexpensive way to mitigate risk.
- There has to be clear communication with customers as well because many times even the customers have access to company data. So audit sessions can be conducted to know who is changing what in the cloud.
- Encrypt all your data
- Vijayendra suggests that very early-stage startups can use freelance security professionals to write security codes for you that will help you with testing.
- Sunando and Ravi stress the point of adding security as a part of the appointment letters so that people who are hired are careful about managing the data they are working on from the start.
Is There A Right Time To Start Thinking About Security?
Sunando mentions that as a start-up when one is building the product, they are not under the radar for the hackers. But the moment the product goes into the market, security should be taken seriously because this is when your business will come under the radar.
Ananth adds that security should be there by design, it is difficult to think about security once the product is out in the market. Many a time it becomes like chalk and cheese and it doesn’t fit. So one needs to think about security right from the start.
Vijayendran mentions there is no right time to think about security, it depends on the nature of one’s business, whether it’s b2b or b2c. The geography one is operating in is also important, different countries have different rules related to data security that one needs to comply with. There is basically no binary response to this question.
The session closed on a common note that startups need to think about security right from the start of designing the product and not as a last resort.