There are two kinds of companies in the world: those that know they have been hacked and those that don’t. This quote best captures the truth about cybersecurity. No industry, sector or country is immune to a cyber attack. Every company, be it a technology giant or a small business, has vulnerabilities that hackers could exploit. It is well acknowledged that hackers have resources equal to, if not better than, those of security professionals. So the threat is real. But the main reason a firm gets hacked is not the existence of the hazard, the hackers, but the vulnerability, which is the indifference shown to cybersecurity by the company's management. The same false consciousness is found in entrepreneurs running small businesses and start-ups. Ask them and they shoot back, “Why me? We are not a financial services company or we are too small for a hacker to target”.
Had that been the case, start-ups like Ola and Zomato would not have been hacked in the first place. The hacker who gained unauthorized access to Ola's network was puzzled to see so many vulnerabilities. He could easily watch, trace and connect all API calls. To prove it, he exploited this flaw and recharged his Ola account for free.
The apathy towards cybersecurity does not end here. There is a natural tendency towards complacency about cyber security. Small businesses and start-ups do not treat security as a priority, which is a dangerous trend. With India emerging as an economic hotspot on the global map and the government’s move towards demonetization, the online flow of cash is slated to increase. A cash-based economy is transforming into a cashless economy. As more transactions occur through net banking, e-wallets, and debit and credit cards, hackers are bound to be attracted to India. The ATM card fiasco in October 2016 is just a recent example. As per the Internet Security Threat Report 2016, published by Symantec, 43% of spear-phishing attacks were targeted against small businesses. There are prudent and pragmatic reasons why small businesses and start-ups in India face an imminent cyber threat.
Threat Landscape for Small Businesses and Start-ups
Firstly, start-ups hold a treasure trove of information that hackers would love to exploit. Some companies have a cache of customer information, including credit and debit card details, even in their early stage. Such information is a goldmine for hackers who want to commit financial fraud. Additionally, hackers are also interested in stealing the innovative ideas and intellectual property that start-ups have. Bad actors also use a start-up’s technology infrastructure to get into large corporations’ networks. This is because many start-ups and small businesses act as third-party vendors to large firms and provide ancillary services. The 2013 U.S. credit card breach at Target happened due to vulnerabilities in the network of a third-party vendor. The hackers accessed Target's internal networks by stealing network credentials from the third-party vendor Fazio Mechanical, which had been given the contract for HVAC services. Once the hackers had entered Target’s network, they uploaded malware to cash registers within Target stores. The malware gradually spread to most of Target’s point-of-sale devices, which ultimately led to the theft of as many as 40 million credit card details.
Secondly, threat actors are continuously at work. This inevitably means that a start-up's website, network, server etc. can be hacked at any moment. According to research conducted by Trend Micro, 3.5 new cyber threats occur every second. This poses an increased risk to start-ups, because bigger companies have improved their security systems while small businesses with poor to zero security are sitting ducks for hackers.
Thirdly, the growth in the use of mobile apps, web apps and big data has increased the attack surface. Most small businesses and start-ups in the service sector deliver their products and services through mobile apps and web platforms. Protecting these should therefore be a higher priority, but busy entrepreneurs pay no attention to it because they don’t see information security as one of their business priorities.
Fourthly, small businesses and start-ups are now moving to the cloud because cloud services are less expensive. However, hackers know this, which is why threats targeting the cloud are now increasing daily. A report by Intel Security titled “McAfee Labs 2017 Threats Predictions Report” highlights that in the upcoming year 2017, cloud threats would increase significantly, thereby increasing the risk for start-ups and small businesses.
Last but not least, not only are these companies at major risk of a data breach, but their employees, especially those in top management, are on the radar of hackers. An interesting case that best explains this is the hack of the Twitter account of Hootsuite’s CEO by the hacker group OurMine. The hackers gained access to his Twitter account through a side door. The victim had enabled the Foursquare app to access his Twitter account, a process known as “App Authing”. The Foursquare network was hacked and some accounts were compromised, including the credentials of the victim. The hackers used these credentials to enter his Twitter account and started tweeting from it. Hacking the personal accounts of CEOs serves many purposes for hackers. Not only does it give them access to sensitive information that only senior management would know, but it also gives them the limelight they relentlessly seek.
It is now well recognized that employees are the biggest cyber threats. They are the extended endpoints, and most attacks nowadays target not the vulnerabilities in the system but the lack of awareness among employees. Therefore, small businesses and start-ups need to enforce strict internal security policies and guidelines to ensure their information is protected.
Develop a proper cyber security culture: Employees should be trained in security principles. They should be able to differentiate phishing emails from authentic ones. Every firm should build a security culture based on best practices and policies such as strong passwords and internet usage guidelines. Employees should not use unprotected networks to log in to the company server. Nor should they install any unsigned third-party apps on their smartphones if they use them for official work.
Define the rules for handling customer data: The rules for handling sensitive customer data should be drafted and put into strict practice. Appropriate penalties should be imposed for any violation of the rules.
Implement an Incident reporting mechanism: A proper incident reporting mechanism needs to be adopted and integrated by the small enterprises. This would ensure that all attacks and incidents are reported to the operations security team and requisite security measures are proactively undertaken to prevent any breach.
Make security a habit: Security measures like 2-factor authentication, regular software upgrades and firewall protection should be made a habit and not a task.
Restrict employee access to data: Employee access to data and information should be limited. Their authority to install and uninstall software without permission should also be restricted.
Create a mobile device action plan: The use of smartphones has penetrated every aspect of our lives. Most employees use their smartphones for official work, and these devices can create significant security challenges as they contain sensitive corporate information. A mobile device action plan should be implemented that mandates employees to encrypt their data, use strong passwords on their devices, install security apps and limit activity over public Wi-Fi.
Keep a backup of sensitive data: This security measure is a “sine qua non” for any enterprise that is serious about protecting its data from threat actors. A data backup will also help if ransomware affects the company server and system.
Create a Threat Intelligence Platform: A threat intelligence platform is one of the best security measures that small businesses can undertake. This is essential not only from a security perspective but also from a cost perspective. A centralised threat intelligence platform shared by a number of firms would mean economies of scale and therefore reduced costs.
Lead by example: The cyber security issue needs to reach the founders’ mailbox and not be left behind with the technology teams. Unless the founders show the way, it is difficult for employees to follow.
It is beyond doubt that small businesses and start-ups in India need to improve their cyber security systems. In fact, start-ups have a mutually reinforcing virtuous cycle with cyber security. Good cyber security means a low chance of breaches, and that means sustained customer faith, improved credibility and brand value. However, if it is ignored, the relationship can turn into a mutually reinforcing vicious cycle in which a cyber attack that discloses sensitive customer information causes brand deterioration, credibility erosion and weakened customer faith.