Data breaches: How startups can win back customer trust
Recent data breaches reported by Cleartrip and PB Fintech once again brought forth the need for Indian startups to put cybersecurity on their priority list.
On July 19, two prominent names in the startup ecosystem—Cleartrip and PB Fintech (parent entity of Policybazaar)—suffered major data breaches in their respective IT systems.
The platforms clarified that detailed reviews are being undertaken and no sensitive information or customer data was exposed, and appropriate legal action and recourse as per the law were also being taken up.
This is in addition to the data leakage of 3.4 million Paytm Mall users that took place two years back, resurfacing once again. The matter came to light after Troy Hunt—creator of Have I Been Pwned, a website that allows users to check if any data breaches have compromised their personal data—tweeted an old report on the breach.
It has been revealed that the exposed data included details like email addresses, names, phone numbers, genders, dates of birth, income levels, and past purchases.
Paytm has denied these claims then and now.
While no platform can achieve 100% security, a tighter cybersecurity strategy becomes crucial, particularly for new-age startups that are not concealed from a hacker’s eye anymore.
“Breaches will continue to happen. All platforms are vulnerable. Hackers are consistently probing the weakest links. The only way to counter this is by staying ahead in the game,” says Venkatesh Sundar, Co-founder and CMO at SaaS cybersecurity company, Indusface.
One of the major reasons why a data breach would “pinch” a startup more than a traditional business is its sensitive relationship with customers. For a new business, trust building is a continuous exercise and such incidents could weaken this connect.
Security is a heightened concern for business-to-business (B2B) companies, especially Software-as-a-Service (SaaS), as clients would not want to integrate with platforms that lack security.
The same may not be as big a concern among direct-to-consumer (D2C) or business-to-customer (B2C) companies.
“It’s only when we (consumers) hear about a breach, we realise how serious the problem is”, says Venkatesh.
He adds, “Some companies do all the right things and still get attacked. Because of the way they handle the breach, some win the consumer trust back. But what about the others?”
Not a priority
The issue becomes even more serious, given the lack of investment made by startups in securing their systems or putting cybersecurity higher on their priority list.
Experts told YourStory that a lot of startups do not invest in cybersecurity due to varied reasons, particularly lack of resources, and most of them continue to operate their systems at high risks.
“They (startups) have the intent and are well aware but cannot do enough on their own. They lack the skill set and need a partner expert. Nobody is putting this issue under the carpet,” says one of the experts, requesting anonymity.
At present, businesses are ‘expected’ to report all cybersecurity vulnerabilities and data breaches to the Computer Emergency Response Team (CERT-In), an arm of the IT ministry but such notices are not mandatory.
“No one takes them seriously,” says another expert requesting anonymity. A policy will be like a force multiplier for businesses to make cybersecurity a priority. Experts believe this needs to be more self-driven.
“It is not a priority for startups. They think they are too small to be under a hacker’s radar. But if there is a possibility, it will happen,” he says.
Seriousness of attacks
Post a breach, the first step for any business is to initiate a thorough audit of its systems and fix the vulnerabilities.
However, just fixing vulnerabilities for Cleartrip and PB Fintech would not be good enough.
“These breaches are quite serious. It means they have to revisit the vulnerability assessment to ensure these things don’t happen. Only when companies are affected, do they realise they have to do something about cybersecurity,” says Biju George, Co-founder and CTO at InstaSafe, a Bangalore-based cybersecurity firm.
Adding to this, another expert, on the condition of anonymity, says, “Any breach where consumer data is involved and is taken by parties not intended for, is damn serious. We cannot even pretend to downplay the seriousness of this issue.”
To lower their customer data exposure, these platforms (particularly fintechs) will have to reassess their systems to separate customer data and external facing systems and probably have them in two different gateways in a way that even if exposed, it doesn’t compromise customer data, adds Biju.
What startups must do
The next course of action must be the re-evaluation of the applications security of affected businesses. After all, a startup has several applications running simultaneously.
“Applications are the epicentre of any business. They are the touchpoints via which the majority of interactions among players happen. The security of these apps is not the responsibility of the hosting/cloud computing providers; they are mere enablers. A tiny loophole is enough to create a backdoor entry for data theft,” says Venkatesh.
There are various measures that startups can choose to ensure the safety of their platforms and data. Experts recommend:
1. One of the more prominent ones is 'red team security testing', in which an independent security team of “ethical hackers” poses as an attacker in order to gauge vulnerabilities and risk within a controlled environment.
2. Second is the ‘vulnerability assessment’ which should be carried out every time there is a major change or update in tech infrastructure. Experts advise startups to take Manual Pen testing (detailed hands-on examination by a real person that tries to detect and exploit weaknesses in your system). Automated assessment is highly advisable to be done daily to ensure the hygiene of common security checks are done covering all the moving parts in the app stack (not necessarily code changes but components it integrates with)
3. Experts also recommend having a managed Web application firewall with vendors who also provide managed virtual patching service and Zero False positive monitoring.
4. A responsible disclosure policy or vulnerability disclosure policy—which encourages individuals, who become aware of vulnerabilities in an agency’s website or ICT system, to report them to the agency—must be in place.
4. Insist on your product vendors/ execution partners to also offer managed services with their product.
5. Store the data in an encrypted format with strong encryption. Strong encryption algorithms take heavy computation power. This would make the selling of data difficult for hackers as decrypting would take a lot of time.
Edited by Saheli Sen Gupta