One of the major challenges an entrepreneur faces, apart from funding and timely delivery of their product or service, is ensuring their ideas are not leaked. They want no surprises in the form of rival products coming to market before their own release. History shows there have been such instances.
Having worked in a startup, I can understand and relate to the data security issues that startups generally face. Amidst activities like funding, meeting deadlines, marketing and hiring, data security gets pushed down the order and comes back into focus when something nasty happens.
Being a data security company, we often get interesting responses from startups on implementing information security like:
- “Security is expensive”
- “It’s time consuming”
- “It’s difficult to implement”
- “Our employees will not fall for phishing, spam etc., they are skilled and tech savvy”
- “We don’t have the required manpower or skills”
- “We trust our employees”
And the most popular comment:
“Why will someone hack us? We are never the target, the other company is”
You would be surprised to know that many Indian startups have ended up in court because of alleged data theft! Some instances are mentioned below:
- A few years back, Justdial got a court injunction against Askme.in for data theft and had its portal and offices shut down.
- Not in the distant past, two leading travel portals of our country, Travelocity and Cleartrip, were in court over alleged data theft by the top management of Cleartrip.
- Very recently, Zomato and Burrp were embroiled in a bitter case of data theft. Zomato accused Burrp of illegally scraping its web content and using it for its own listings. Interestingly, Zomato had embedded unique identifiers in its content, and their appearance on Burrp’s site was used to prove the theft.
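The unique-identifier idea from the last case can be sketched as follows. This is an added example, not code from the article or from any of the companies named, and it does not claim to be how Zomato did it: each listing carries a short marker derived with a keyed hash, so only the publisher can reproduce it, and a third-party page is then checked for those markers. The key, the `ref-` marker format, the listing ids and the sample page are all constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed demo key (assumption); a real key would stay private to the publisher.
SECRET_KEY = b"constructed-demo-key"
MARKER_RE = re.compile(r"ref-[0-9a-f]{12}")

# Constructed sample listings, keyed by a hypothetical internal listing id.
LISTINGS = {
    "rest-1001": "Cafe Example, 12 MG Road, open 9am-11pm",
    "rest-1002": "Sample Dhaba, 4 Church Street, open 11am-1am",
    "rest-1003": "Demo Bakery, 7 Brigade Road, open 8am-9pm",
}

def marker(listing_id, key=SECRET_KEY):
    """Derive a short identifier that only the key holder can reproduce."""
    digest = hmac.new(key, listing_id.encode(), hashlib.sha256).hexdigest()
    return "ref-" + digest[:12]

def publish(listing_id, text, key=SECRET_KEY):
    """Return the listing text as published, with its marker embedded."""
    return f"{text} [{marker(listing_id, key)}]"

def find_copied(page_text, listing_ids, key=SECRET_KEY):
    """Return the ids of our listings whose markers appear in page_text."""
    expected = {marker(i, key): i for i in listing_ids}
    found = {expected[tok] for tok in MARKER_RE.findall(page_text) if tok in expected}
    return sorted(found)

# Constructed third-party page: one copied listing plus an unrelated marker-like token.
SUSPECT_PAGE = "\n".join([
    "Top places to eat",
    publish("rest-1002", LISTINGS["rest-1002"]),
    "Some Other Diner, 1 Residency Road [ref-000000000000]",
])

if __name__ == "__main__":
    print(find_copied(SUSPECT_PAGE, LISTINGS))
```

Because the markers are keyed, a token that merely looks like a marker is ignored, and a match can be reproduced later from the key and the listing id.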
According to a recent study by Symantec and Ponemon Institute, the average cost of a data breach among Indian companies stood at a whopping INR 5.35 crores; that’s the kind of funding startups crave. The report also suggests that customers often abandon an organization after a breach, and that rebuilding confidence and reputation can be a very costly affair. The same report also points out that, apart from hackers and malware, the other major reason for data breaches is carelessness on the part of employees.
This brings up the question: do startups really need to worry about information security? Undoubtedly, the answer is an emphatic yes. Here are the pitfalls of not securing your data:
- You may lose your killer dream idea to hackers or competitors!
- Investors or VCs may not fund you if they find you use unethical means, like using unlicensed software, or are unable to safeguard your own as well as your customers’ data.
- Intellectual Property may leak
- Hackers may use your IT infrastructure as bots or to initiate attacks like denial of service, phishing, spamming against other companies or governments.
- You could be sued for using pirated software or for allowing hackers to use your IT infrastructure for hacking others.
Some Tips in Securing Your Data:
Remember information security is not just about firewall and antivirus. Of course, technology plays a key role in safeguarding data, but it involves people and processes too. Here are some tips that could help you safeguard data:
- When we talk about security, it generally involves the confidentiality, integrity and availability of your data. Like other business expenditures, it has its costs too. Identifying your critical assets and assessing the risks will help you decide how to spend money wisely.
- Social networking sites like Facebook, Twitter, LinkedIn, etc., provide startups with unrivaled exposure and marketing opportunities. However, these are also popular platforms for hackers to spread malware and launch phishing attacks. A combination of the right tools, informed use and user awareness is the only way to stay secure against such threats.
- Social engineering attacks have overcome the most sophisticated security defense mechanisms in place. Employee awareness of data protection, policies and procedures plays a critical role in complementing your investment in IT and security and ensures protection of your assets.
- Have an informal meeting with your employees about the latest trends in hacking, malware and data protection instead of sending do’s and don’ts over email.
- Most startups tend to overlook the availability aspect of their businesses; it could be your servers, internet connection, laptops etc. Devices do fail, and mishaps, whether man-made or natural, can bring your infrastructure down too. Consider having alternate arrangements or backup plans for your critical assets.
- If you cannot anticipate the security challenges yourself, ask the startup community or hire a consultant.
- Develop and maintain a formal information security policy as this would clearly set the expectations for the employees.
- Have a Non-Disclosure Agreement (NDA) with any third-party firm or individual when you are ideating on your newest concepts, be it new hires, vendors, partners, potential clients, or VCs.
- All-in-one solutions like Unified Threat Management (UTM) systems are great enablers for startups to get a secure IT infrastructure up and running. UTMs come with almost all of these things in a single box: Intrusion Prevention System (IPS), firewall, proxy, bandwidth management and a centralized reporting console. Some also have antivirus gateways, anti-spam and content filtering capabilities. These work out cheaper when compared to individual appliances. You can even use variants of Linux or applications like Untangle, pfSense etc., which can be installed on your own hardware and configured to provide all the above capabilities. A word of caution: do note that a UTM can be a single point of failure; hence consider backup or alternate options well in advance.
- Consider outsourcing your company’s data security activities. You can hire consultants who will set up the infrastructure and monitor it on a regular basis instead of hiring full-time employees.
- Cloud computing and hosted solutions provide a very valuable proposition for startups in terms of infrastructure like desktops, intranet portal, email etc. at a lower cost. However, I strongly recommend encrypting any of your sensitive data before moving it to the cloud. In fact, most cloud vendors recommend the same too.
Remember, there is no silver bullet to fight hackers and malware. Security is achieved in layers. There is only reasonable security, no fool-proof security!
About the author
Prasanna V is passionate about Information Security. He is the co-founder of Packet Verify Technologies (www.packetverify.com), a pure-play information security services and consulting company. He holds a Bachelor’s degree in Engineering from BMS College of Engineering, Bangalore, is a Certified Information Systems Security Professional (CISSP) and ISO 27001 Lead Auditor, and also holds a Diploma in Cyber Law. Prior to co-founding Packet Verify he worked at Unisys, Sling Media and e4e. When he is not busy fighting hackers, viruses, and worms for his clients, Prasanna spends time reviewing emerging technologies, blogging and tweeting!