Why Indian startups fail at information security
I have led Black Ops teams err.. information security teams as a specialist at large-scale Internet firms like Adobe and unicorns like Flipkart and Ola. I would like to think I am an engineer by heart with out-of-the-box thinking. Currently, I head all things security at Ola.
In this article, I will be penning my thoughts on perceptions and misconceptions about information security, and why it has not been given its due importance in the Indian startup ecosystem.
Information security at startups?
In the last few months, I met a few founders from the Indian startup ecosystem and here are some snippets of my conversations with them. The point is to understand if information security is getting its due importance.
Before starting, let me walk you through some statistics:
In 2015 alone, on average, 22 records were stolen per second.
Founder: Why do we need an information security team? How can a security engineer possibly add value to my startup? Can they help drive business growth and acquire more customers, or can they build product features to achieve business deliverables?
Me: For sure security engineers can add value to your startup. Let’s take a step back and look at the big picture.
Breaches happen across all sectors, not just in e-commerce or retail.
And then we have malware getting intelligent.
The common strands across successful online startups, irrespective of domain, are:
- Millions of customers who trust them and use their product/service on a daily or weekly basis
- Customers transact real money with them
- Personal data of customers, including passwords
- Customers' addresses (and those of their girlfriends or boyfriends, too)
- Customers' travel history
- Customers' buying needs
- Customers' food preferences
- Customers' saved credit cards (not stored directly, though)
- Employees' and delivery personnel's data: registration numbers, vehicle numbers, payment info, location and plenty of other things.
Most importantly, they have an app running on the customer's mobile device, which holds the customer's (virtual) life, and if a smart but loony outsider manages to get access to the device and its data through that app (by exploiting some bug), the customer's online identity is at risk. Sounds scary?
Hope that gives you a glimpse of why your startup, no matter what it does, definitely needs security engineering. One thing I didn't mention is supporting the legacy system, which is definitely vulnerable and which you need to protect until a new, secure system is in its place; in the meantime things will fall through the cracks, which is a tricky thing to handle indeed.
Founder: Can we do without information security? We can think of it when we grow big.
Me: Yes, you can start without information security, as long as you stay unnoticed and do not draw the attention of the security cults who are watching out for things to break; that is what gives them an adrenaline rush. In layman's language: until you get hacked, or someone writes a blog post publicly shaming you. Never assume that you won't be the target of an attack.
A few things we need to understand: a breach can happen to any company. Facebook, Google, Microsoft, Yahoo, RSA, Twitter, Citibank, Uber and others have all suffered a breach at some point in time or another.
Why do we choose to neglect the many instances we have heard about or personally faced in our company?
Notably, the later you think about implementing information security, the harder it is to properly implement it. So, the earlier you understand the need for it, the better you can tread the road ahead.
The image above answers the question: NO.
Founder: My development/tech team has taken care of basic security using resources available online. I guess that should do?
Me: Well, the good thing is that you at least cared about the security of your product. Unfortunately, what you did is a good start but not the right one. A good graphic designer can architect your application just by surfing for articles on how to do it, but that does not mean they can do it the right way. You cannot rely on that design when you scale, can you? Would you be sure there wouldn't be too many cracks through which things can fall?
Obviously not. Similarly, it is fine that everyone should have an understanding of security, but that does not make security their role.
Founder: Is application security worth investing in? Can't I outsource it?
Me: There may come a day when you become a multi-million/billion dollar startup with a good number of customers, getting applause from all around the world for the problem you solved. Then there would be a few security folks trying to steal the limelight, or security enthusiasts using your service would find a vulnerability that has shipped to millions of users and can be exploited. This compromises not just your name, fame and customers, but may also stand as a hurdle in the next round of funding.
Then you have to build a security team and get all your products secured: pen testing and secure code review done, application architecture and cloud architecture review done, and phew… the list never ends. But the worst part is that you have to push users to update their app. That should give you chills. Yes, there would be loss of customers, business loss, hundreds of endpoint changes, and more.
You need to invest in application security, and the sooner the better. Later, it comes with the additional cost of reputation, customers, shaming and money.
These images display some numbers from surveys done by IBM and a few other companies.
Application Security @Mobile Ecosystem? [Good/Bad/Evil]
Founder: But a bug in a mobile app can only lead to an exploit against one user, right?
Me: The mobile ecosystem is a double-edged sword, one edge being that if we push a bug, intentionally or unintentionally, it lives forever.
How? You don't agree?
Well, no matter how long it has been, there will be some percentage of users still running the vulnerable version. You think a force update is an option? If you are a founder or product manager you know that unless it's an app people NEED (like a bank or a social media app they can't live without), they always have alternatives, and no company would force an update unless it's really needed. Hence you lose customers, and that's way too high a price to pay, because the numbers you need to show in the next investor meeting become a problem.
Founder: What are the takeaways from your security journey so far?
Me: I have worked with a few unicorn startups in India and I have friends in other startups marching towards the (multi) billion-dollar mark. Additionally, I also know the vision of a couple of Fortune 500 companies in terms of application security.
None of them has any application-security alerting and monitoring in place, and real time is too much wishful thinking. They do not have anything to keep track of things that would be handy if a breach happens, or anything to preempt one. Companies like Google, Facebook and Etsy are the bar-raisers in what can be done, for the very reason that made them grow big: being open to new ideas and willing to try and fail.
- a) Take control of your things
- b) Protect your company and customers; set up a security team NOW.
- c) If you are reactive by design, take on a proactive approach
- d) Do not rely only on (internal/external) pen-test reports from vendors.
Founder: How do you evangelise information security in startups?
Me: I would like to share my mantra on how I did things with one of my recent employers, which should explain it all:
There was a meeting going on, and as I passed by, what I heard made me smile. The product manager was opposing a design, citing the security vulnerability IDOR.
Though they did not even understand the abbreviation, they happened to know the issue very well, as it had been flagged multiple times.
That tells me that my efforts at evangelisation were not limited to developers and quality assurance folks; product managers also understood application security.
The reason I am boasting about this is that application security has always been a fight with user experience (security guy vs. product guy). The received wisdom is that if you have a decently secure application, it will certainly have a really bad user experience. Product managers are there to deliver a better user experience, and coming to a common ground is what matters (a mix of good user experience with decent security features in place).
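To make that abbreviation concrete for readers who, like those product managers, have only seen it flagged: an added Python illustration (not the author's or any employer's code; the order store, user ids and handler names are constructed for it) of an IDOR-prone lookup beside the ownership-checked version, with refused attempts recorded as the kind of monitoring hook the article says most startups lack.

```python
"""IDOR (insecure direct object reference): a handler trusts an object id
supplied by the client and never checks that the caller owns that object.
Constructed example; the data and function names are not from the article."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    address: str


# Constructed sample data: two customers, three orders.
ORDERS: Dict[int, Order] = {
    101: Order(101, owner_id=1, address="12 MG Road, Bengaluru"),
    102: Order(102, owner_id=2, address="7 Park Street, Kolkata"),
    103: Order(103, owner_id=1, address="3 Marine Drive, Mumbai"),
}

# Audit trail of refused lookups (caller id, requested id). A burst of these
# from one session is a cheap alerting signal for id enumeration.
DENIED_LOOKUPS: List[Tuple[int, int]] = []


def get_order_vulnerable(session_user_id: int, order_id: int) -> Optional[Order]:
    """Classic IDOR: the id from the URL is trusted and the caller's identity
    is never compared with the record's owner, so any logged-in user can read
    any order just by changing the number."""
    return ORDERS.get(order_id)


def get_order_secure(session_user_id: int, order_id: int) -> Optional[Order]:
    """Hardened handler: fetch the record, then enforce ownership. A mismatch
    is answered exactly like a missing record so the response does not reveal
    which ids exist, and the attempt is recorded for review."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != session_user_id:
        DENIED_LOOKUPS.append((session_user_id, order_id))
        return None
    return order


def list_orders_for(session_user_id: int) -> List[int]:
    """Server-side scoping: derive the visible ids from the session instead of
    accepting them from the client, which removes the IDOR surface entirely."""
    return sorted(o.order_id for o in ORDERS.values() if o.owner_id == session_user_id)
```

Calling both handlers as user 2 for order 101 shows the difference: the vulnerable one returns user 1's address, the hardened one returns nothing and leaves a `(2, 101)` entry in `DENIED_LOOKUPS`.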
Things I do on a regular basis:
- a) Talk about the critical issues found in the application with everyone, including the impact they could have
- b) Do as many sessions as possible for all teams
- c) Talk about the recent hacks we have heard of and discuss how we could have handled it if it had been us
- d) Think as if you are already breached and what you can do now to identify what has gone wrong: network -> infra -> malware -> APTs -> insider threat -> application bug -> any of the 150+ other possibilities.
- e) Introduce all employees to fun security games; this does help a lot.
- f) Have a mandatory session for new employees as part of their induction, where they get a walk-through of the bugs found in the organisation, in general.
This is a never-ending list, but this much is good to begin with.
To everyone wondering why I am writing this:
The goal here is to make startups and developers realise that taking care of application security does not add an additional overhead. On the contrary, it gives a lot of ROI (I bet you can’t even calculate). It’s just that other metrics usually tend to overshadow security metrics.
There have been many cases of startups across the globe failing or having a rainy day just because they lacked a vision for application security. Hopefully, this post will help you avoid that familiar bumpy road. Prevention is better than cure! Always. In application security terms, it helps you avoid public shaming. Now, you do not need to get hacked to understand the importance of application security.
Hope this gif explains what security can look like. At first, it will feel like things are getting worse in terms of efficiency, but actually it will add to your business metrics and make sure you not only go fast, but a long way too.
Founder: What should startups do? Any secret sauce?
Any checklist we can have?
Me: Security is a process, not a destination.
Information security is never a matter of going through a checklist but of thinking out of the box. But surely I have a few pointers to share.
I will be writing a follow-up article in which I walk you all through a) setting up information security in your company from scratch, with minimal resources and investment, and b) what things should be taken care of, and in what order.
Till then, happy hacking and keep secure.
All Rights Reserved. All Wrongs Observed.
Images from: IBM | Data-infosec | Motorola | Sophos | Imgur
(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of YourStory.)