Two cyber warriors take on the black-hats targeting our startup-nation
Enterprises are waking up to the security risks involved in connecting their IT-systems to the consumer world. They have reason to fear the new-age hacker because cyber-attacks are becoming more frequent and increasingly dangerous. These hackers are extremely well paid, by State and non-State agencies, to steal information, some of which is sensitive to national interest.
Today, enterprises offer services over the cloud to cars, homes and factories, which are connected to the smartphones of consumers or, in the case of factories, of the factory manager. These smartphones and devices have changed the architecture of enterprise IT, and in this era of metamorphosis, many companies are yet to secure the IT that connects them to the consumer world. A hacker can break into a smartphone and enter a car’s engine control module, which they can then use as a gateway to enter the company’s cloud while it is remotely applying a software patch to the car.
These new-age hackers are called black-hats, and there is no stopping them. Recently, Chrysler, in the US, recalled 1.4 million vehicles to fix software that was hacked by black-hats. In this context, India too is vulnerable and needs security startups that can protect the sensitive information of its corporate and government institutions.
Imagine if the SCADA machines controlling India’s Power Grid were shut down remotely by a hacker from China or Russia. This would result in economic and social chaos across India. In such an event, money would be pulled out of India’s stock market. But somebody would have netted a profit globally. It sounds like a conspiracy theory. Unfortunately, that is the truth that we are waking up to in the cyber-world.
The birth of Innefu Labs
Of late, India has had its share of innovative software security companies trying to make a living out of fighting these black-hats. Abhishek Sharma and Tarun Wig, friends and self-confessed white-hats (hackers with ethical intentions to protect information), dabbled with protecting their personal computers before they embarked on a startup journey. A few years of corporate experience taught them that the security market in India was dominated by MNCs. Abhishek had to quit his lucrative job in TCS after Tarun Wig, who worked as a security consultant, convinced him that they could build a decent security company with their expertise in the subject. Their premise was to engineer a security platform that could be cheaper, yet powerful, for Indian corporates and governments to use. Their aim is to become a substitute for off-the-shelf products sold by MNCs such as RSA and Symantec.
However, there was also another reason they chose to build their own company. Data from McAfee, the security company, suggests that India has witnessed attacks on more than 300,000 of its websites. The report adds that cybercrime is a growth industry where the returns are great, for black-hats, and the risks low. The report estimates that the likely annual cost to the global economy from cyber-crime is more than $400 billion. A conservative estimate would be $375 billion in losses, while the maximum could be as much as $575 billion.
Their firm Innefu provides two-factor authentication, open source intelligence, link analysis with pattern matching and fuzzy logic, social media monitoring and email encryption products. Their biggest client to date is the DRDO, the defence research wing of the Central Government, and other government departments. Tarun did not want to divulge details of the implementation because of strict non-disclosure agreements with their clients.
“Folks in the industry said that we would not last more than three years. They expected us to change our business model. But we are glad we stuck with security services and, in the process, we have several clients using our products,” says Tarun Wig, co-founder of Innefu Labs.
Their first client was a public-sector bank, which gave them a chance to encrypt emails in 2013. The client has stuck with them since and these relationships have helped increase Innefu’s revenues to close to $1 million, and they have acquired 51 clients in two years. The business has been self-funded and the duo invested less than Rs 1 crore.
“I wish the Indian government would create a fund for security software firms. The US and China have government funds supporting startups in our field,” says Tarun. He adds that since government services will be delivered on smart-phones, at least in the next five years, the Android operating system, or any other operating system, needs to be secured from hackers.
“Most of this data will be of national interest and must be protected locally,” says Tarun.
The market opportunity
- Cyber security is a big business and several firms have raised large rounds of money. ThousandEyes, based in the US, has raised $60 million over the last three years.
- Consulting firm Gartner says that $76.1 billion was the total amount spent on cyber-security in 2015. Cyber-security companies like Sourcefire and Veracode, from the US, became large businesses in the last decade because they were able to raise venture capital money and were also supported by large corporates.
- Aujas Networks is the only security company to have scaled up from India. It focused on the US market and offered IT-Risk compliance as a service.
- However, over the last three years, Indian startups like Appknox, Instasafe, Shieldsquare and Paladion have been going after the Indian enterprise security market. That said, there have been no funding deals in the Indian security space. Even Impermium, which was rumoured to have been acquired by Google for an undisclosed amount, was based in the US. The founding team members are Indians and they had raised $9 million for the company there.
The business model
The business model for security startups, like Innefu Labs, is clearly based on securing long-term contracts with banks and government departments. It is in securing many such deals that these businesses can survive and scale up. These businesses stand the risk of being commoditised. Unless they focus on research-based engineering and creating intellectual property, they will not survive. “Startups can focus on winning businesses from small industries and medium-sized banks to scale up. But they can also work with IT services companies to penetrate into banks,” says R Natarajan, CFO of Helion Ventures. He adds that the differentiation comes from being vertical experts rather than focusing on horizontal business lines.
Hopefully, in time to come, the government creates an eco-system purely for security startups. But the Indian government is yet to look at verticals, which they need to secure in the name of national interest. Perhaps security startups, like Innefu, deserve that push, and protection, to build their technology and scale up their business.