Zomato and Ola were hacked this week, putting the data of more than 50 million users at risk. A couple of weeks ago, Gaana.com was hacked, leaving another 12 million users at risk. Hacks like these make me wonder if these newly emerging startups are even taking security seriously. When it comes to signing up a customer, "100% secure" is boldly written on the website/app, but hacks like these reveal the true state of security. It would have been great if some money from that million-dollar funding had been invested in security. "Some money" is all I say; even 1/10th of it would have done.
A security breach is followed by loss of existing customers, potential customers and reputation. Here's how it works:
- Existing customers: Startups these days are in a hurry to acquire as many customers as possible. In this intensely competitive market, customer acquisition cost is at an all-time high. Once the customer is acquired, he or she uses the product for a few months, and then one fine day news arrives that the product has been hacked. Now who would use a product that cannot keep its users' information safe? However good the product might be, the user stops using it. For the business, that means losing an existing customer and, with it, the cost of acquiring that customer.
- Potential customers: It's a human tendency to choose the best and most pocket-friendly product, especially when the product has a lot of competition. To compare and learn more about a product, the first thing a potential customer does is Google it. No potential customer will choose a product when the news is out that its database has been hacked and leaked.
- Reputation: As Warren Buffett famously said, "It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." A security breach is like those five minutes when everything a startup founder and his team have worked for shatters into pieces.
Security is one thing about which a startup founder and sometimes even the CTO are clueless. Over the years, I've seen them giving all sorts of excuses for delaying security. Here are a few common excuses given to delay security:
- "It’s too early for us to worry about security": Whenever a startup CEO gives me this argument, I simply ask them, "If you are building a house, will you compromise on the quality of cement used?" The code you write is like the bricks, and the cement is like security implementations. Code written without security in mind is as good as code not written. It’s important to bake in security during initial development rather than worrying about it later.
- "My developer has told me that he writes secure code, what's the need of a code-auditor": It’s important to understand here that writing code and analyzing code for security issues are two different things. The two overlap in some areas, but they should still be done by two different people. A developer will never claim that he writes vulnerable code; it's only when a third-party code auditor analyzes the code that the true picture becomes clear.
- "First we will acquire customers, then re-visit security while scaling": One security breach is all it takes to keep you from ever reaching the stage where you'll need to scale up. A breach during the initial days can stall your growth to the point where even getting early adopters becomes a problem.
All those sleepless nights and the hard work that go into building a company do not deserve to be destroyed like a house of cards by a hacker. To make sure that never happens, it’s important to bake security into your code, and that can be done only if security has been taken care of from day one. For the entrepreneurs who have already begun their roller-coaster ride, make sure you start taking security seriously and audit the already developed code.
Being in the news for having a weak security infrastructure is the last thing any company wants.
About the Author:
Shikhil Sharma is the Founder of Czar Securities, a startup that aims to give peace of mind to business owners by securing their web presence. With a vision to devise world-class products that impact the lives of the masses, he's often spotted having intense discussions about future tech, wearables, IoT and how they will impact the lives of the masses.
(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of YourStory.)