Cybersecurity startups in focus as the new normal leaves businesses vulnerable to attacks
In March end, barely a week after the coronavirus-induced lockdown in India forced enterprises to work remotely, the national cybersecurity agency warned of a surge in security attacks on unprotected home computer networks and routers as employees began working from home.
In an advisory to internet users at the time, the Computer Emergency Response Team of India (CERT-In) highlighted that cyber criminals were taking advantage of the ‘new normal’ brought about by the COVID-19 pandemic to lure internet users and steal sensitive data and information.
Indeed, the sudden and large-scale shift to remote working and digital adoption has made enterprises, big and small, vulnerable to a host of security attacks, including ‘zero-day’ exploits, for which targeted antivirus software signatures and patches to fix a security flaw are not yet available.
Admittedly, this makes the role of cybersecurity even more critical in the ‘new normal’ where businesses are faced with either a remote or a distributed working model – a new norm that dictates the need for new, sophisticated technologies and strategies to ensure enterprises’ security and survival.
“From a business-to-business (B2B) perspective, I think cybersecurity will be the No. 1 hottest trend during and right after the pandemic. Not artificial intelligence (AI), not machine learning (ML), not blockchain, not cryptocurrency…none of that,” says Saket Modi, Co-founder and CEO of digital security startup Lucideus.
“I believe this for the simple reason that cybersecurity has become a ‘must have’. It’s a minimum hygienic must-have. If you don’t have that, your survival is in question,” Saket adds.
Poised for growth
In late April, B2B market research firm MarketsandMarkets said the increasing focus on cybersecurity as a critical business imperative, and not just as a support function, will drive the growth of the global cybersecurity market in the wake of the COVID-19 pandemic.
MarketsandMarkets estimates that the global cybersecurity market will grow to $230 billion by 2021 from $183.2 billion in 2019, with a compound annual growth rate of 12 percent during the forecast period.
For Indian cybersecurity startups – that have so far operated without the fanfare and flamboyance enjoyed by consumer-focused startups – the COVID-19 crisis offers a rare opportunity to cement their standing among larger rivals and global peers, as they address the growing demand for high-quality threat detection, preparation, and prevention solutions.
Already, cybersecurity startups – armed with the agility and expertise to quickly develop and offer security solutions at more reasonable price points – are seeing a spike in demand, as businesses increasingly seek cost-effective security solutions in a period of heightened risks amidst the COVID-19 crisis.
“COVID-19 will do for cybersecurity what demonetisation did for fintech," says Vivek Ramachandran, Founder and CEO of cybersecurity training platform Pentester Academy, referring to businesses’ growing need to secure their data and information in a hyper-connected, digital world.
"During demonetisation, everyone who was primarily dealing with cash had to quickly figure out how to get a mobile wallet so that they could pay. And this is exactly what COVID-19 is doing for cybersecurity right now as it is challenging traditional models of how enterprise security is delivered and managed,” Vivek explains.
Party time for hackers
In the past three months, cyber criminals have been preying on people’s fears about the coronavirus and taking advantage of the unprecedented scale and speed with which businesses have had to switch to a mass remote working model – a situation that no business continuity plan (BCP) or fire drill had ever accounted for.
“It is like a party time for hackers as now they don’t have to work too hard to penetrate these systems that are inadequately configured and where security elements are missing. In addition, if these devices are compromised, the hackers can very well go after corporate networks through them,” says Pankit Desai, Co-founder and CEO of Mumbai-based cybersecurity startup Sequretek.
Nearly 50 percent of all security attacks are targeted at small and medium businesses, many of which go out of business after being subjected to one incident, notes Bengaluru-based cybersecurity startup Seconize.
“This awareness is definitely growing, leading to an increase in cybersecurity adoption,” says Chethan Anand, Co-founder and CEO, Seconize.
In addition, hackers have launched a spate of targeted social engineering attacks that prey on people’s fears and situations, including job losses, which have been the result of the COVID-19 crisis, say experts.
“Previously attackers were using a ‘spray-and-pray’ approach, where they send billions of users an email, with the hope that some of those recipients would probably click on it and it could result in payday. But now it’s become very easy to target people as they are giving away so much information online, including about their jobs,” says Vivek, who has worked in cybersecurity for over 15 years.
For example, an employee who posts a message on social media saying s/he is about to be laid off could potentially be at risk of a targeted attacks like pretexting and phishing as hackers impersonate recruiters to steal personal data and information, adds Vivek, who is famed for his discovery of the Caffe Latte attack in 2007 and the world’s first Wi-Fi client-only Wired Equivalent Privacy (WEP) cracking technique.
In late May, cybersecurity firm Cyble said its researchers had identified a sensitive data breach on the darkweb where a hacker had leaked personal details of around 29 million Indian job seekers from various states across the country. "The original leak appears to be from a resume aggregator service collecting data from various known job portals," Cyble added.
What’s more worrying, says Vivek, is a scenario where IT security team members themselves become victims of social engineering attacks, with cyber criminals posing as recruiters to trick companies’ security personnel into giving away valuable information about the security infrastructure set-up.
All this increases the danger of a devastating cybersecurity threat that puts the company, its employees, and its customers’ identity and data at risk.
In the new normal for businesses, this risk has been further heightened by the fact that companies’ information technology (IT) security teams – entrusted with protecting employer/employee data and systems – are themselves operating away from the elaborate on-premise, physical IT security set-ups they had earlier relied on to protect company data and devices.
Cybersecurity solutions in demand
With many enterprises’ compliance and process frameworks, which dictate companies’ cybersecurity procedures and standards, still accounting for an enterprise on-premise security model, there is a significant need for these frameworks to be upgraded to include a more distributed workforce, experts say.
The ISO/IEC 27001, for example, is a compliance framework that dictates the parameters for setting up an information security management system (ISMS) to enable companies to protect information assets, such as employee details, customer identities, financial information, and intellectual property.
“Now enterprises cannot rely on an enterprise on-premise security model. You have to integrate completely for a distributed model,” veteran security researcher and trainer Vivek, who founded the Sequoia-backed Pentester Academy, tells YourStory over the phone from Singapore.
From a technology standpoint, cybersecurity firms need to launch new technologies that can address the need for remote work security tools, anti-phishing systems that can detect zero-day campaigns, and enterprise cybersecurity solutions which can be managed and monitored by a completely distributed security team, adds Vivek.
With remote and distributed workforces set to become the norm, enterprises will have to seek out advanced endpoint security tools that can be deployed on remote endpoint devices, including employees’ personal computers.
In fact, the shift to remote working has left companies vulnerable to attempted endpoint attacks, as hackers target entire endpoint devices connected to that network.
“Outbreak of COVID-19 and cyber-crimes both represent a similar pattern where infected entities can remain dormant carriers and not show any symptoms at all. While infected systems may not be causing any significant damage, they can infect other systems…This calls for the need to have artificial intelligence (AI) and machine-learning-enabled security systems with the best hygiene practices in the cyber world for all time,” says TAC Security’s Trishneet Arora, a proponent of ethical hacking and author of The Hacking Era.
Amidst the coronavirus pandemic, cyber criminals have created many fictitious Virtual Private Network (VPN) clients such as PandaVPN, RemoteArCon, and FreeRemoteConnect_CN to trick employees into disclosing their credentials to gain access to corporate networks, notes Goldman Sachs-backed startup Cyfirma, which provides predictive cyber-threat visibility and intelligence analytics.
“From a technology perspective, with everyone in remote locations and digitally connected, companies are concerned about the new vectors where they are vulnerable and do not understand the risk posed. With employees connecting from home, the endpoint (laptops) is a cause for concern, as are their VPN and cloud infrastructure. So, products and services addressing these areas will be in focus,” says Seconize’s Chethan.
Already, cybersecurity startups providing these solutions are seeing an uptick in demand. Mumbai-based TAC Security launched a new automatic security tool under its AI-based product named Enterprise Security in One Framework (ESOF) to help corporates assess the security gaps in their VPN by using an AI algorithm to scale the cyber-risk score.
TAC Security, which claims that it protects Rs 1 trillion in transactions annually through its AI-based ESOF product, has added 10 customers for the new tool, including one of the largest banks in the country, says CEO Trishneet.
TAC Security boasts the Indian Navy, PhonePe, BSNL, Airtel, and Canara Bank, among others, as its clients.
Cybersecurity: onus is on everyone
While VPNs provide a secure way for employees’ personal computers to access the company network, it still does not eradicate the risk enterprises face from a range of security threats, including social engineering tactics, ransomware, zero-day attacks, malware, and phishing.
This means that in the new normal – where an advanced cyberattack could potentially ground organisations of any age and size – the onus of protecting an enterprise’s data and systems no longer lies with just its IT security teams. It lies with each and every employee, say experts.
“Digital security is no longer the concern of the company’s Chief Security Officer (CSO) level alone; it’s even at the board level. Because companies, colleges, and governments are now all working digitally, it is impossible that you can be working digitally and not be worried about digital security,” Lucideus’s Saket tells YourStory.
“In fact, digital security is as important now as your physical safety,” adds Saket, whose startup offers a solution called Security Assessment Framework for Enterprises (SAFE), which allows enterprises to measure the risk and rank the trustworthiness of employees (people), processes, and technology.
Lucideus, which is a global player in the enterprise cybersecurity risk quantification platforms space, has seen a surge in demand for its solution during the COVID-19 crisis that has prompted businesses across sectors to seek out IT security solutions.
Saket says order bookings, amidst the COVID-19 crisis, are at an all-time high, although collections remain muted as customers opt to defer payments to preserve cash flow.
In the past four months, COVID-19 has roiled global markets, with the United Nations forecasting the pandemic will wipe out $8.5 trillion in global output and cause 130 million people to face extreme poverty.
Closer home, the Indian startup ecosystem has also faced the wrath of the coronavirus pandemic, with many companies adopting a slew of tough measures to tide over the crisis.
Only a few sectors have been relatively less affected by the crisis, with COVID-19 even acting as a much-needed catalyst for a rise in demand for some industries, including cybersecurity.
“We have noticed a positive trend in cybersecurity business, especially businesses dealing with data, providing insights and analytics, and cloud-based product and solutions,” affirms Kumar Ritesh, Chairman and CEO, Cyfirma.
Financial services, insurance, retail, critical infrastructure, manufacturing, aviation and defence, healthcare, cosmetics, and technology companies are the sectors that typically invest heavily in cybersecurity, notes Kumar, a cybersecurity veteran.
However, in the past three months, there has also been a surge in demand from healthcare and B2C/B2B segments, where companies hold customer and financial information, as well as large amounts of intellectual property, adds Cyfirma’s Kumar.
Experts believe this demand for cybersecurity solutions is only likely to grow as cyber criminals continue to capitalise on the COVID-19 pandemic for financial gain, geopolitical supremacy, and reputational motives.
They add that their analysis of conversations in hackers’ forums and other sources show that the number of cybersecurity attacks show no signs of abating any time soon.
And yet, the greatest dilemma facing CSOs and CEOs now is how much costs to cut on cybersecurity, reveal experts. But this is easier said than done, particularly in a hyper-connected digital world where cybersecurity has become imperative for the very survival of businesses.
“If companies cut costs fully, they run the risk of a security breach; if they don’t, they can’t survive,” Saket says.
“That’s where Lucideus comes in because we enable organisations to understand what the likely scale of the impact would be in the event of a security breach,” he adds.
That’s also where most Indian cybersecurity startups come in – to offer lasting solutions for enterprises, who are under the dual pressures of having to cut costs, while sustaining operations in a safe and secure manner amidst the new COVID-19-induced norm.
Unmistakably, for those Indian startups that can do this, the potential to disrupt every dimension of the cybersecurity market is a rare opportunity that is theirs for the seizing.
Sequretek’s Pankit rightly sums up, “In the new normal, Indian cybersecurity startups who understand their customers’ requirements very well – from creating the right solutions to being aware of preferable price points – will stand out and shine.”
Edited by Teja Lele Desai