Sunil Gupta, the president and chief operating officer for Paladion explains that management of cybersecurity is a complex issue that demands immediate attention from startups
Over 3 billion people in the world use the Internet almost every day, sharing information such as financial details, account numbers, password, credit card information, and any personal data over the digital medium. This means that personal data of these 3 billion people is under constant threat from cybercriminals, gravely endangering their privacy and financial security. If it sounds scary, it does so only because it is. In today’s world, where the Internet and mobile technology are becoming increasingly entrenched in our lives, the need for cybersecurity has never been as urgent as it is now.
Our ever-growing dependence on mobile technology and the Internet has led to mobile applications governing our daily needs of transport, food, utilities, etc. Most of these service providers are startups, and the enormous amount of data they collect must be protected from hackers and fraudsters who are constantly on the lookout for weaknesses on their platforms. However, most startups neglect this extremely crucial need for security, compromising the safety of their users’ online data.
Many startups often assume that it is the large companies that are targeted by cyber criminals. However, this is not true. Startups are not immune from cyberattacks and potential security breaches, but rather easier targets because of their weak security measures. Startups usually own a large amount of intellectual property and sensitive information, which makes the need for data protection services all the more crucial. Cyber security is in fact a strategy issue and not an isolated aspect of the business functions, despite what many new entrepreneurs and startups choose to believe. For startups that have compliance with other industries as a priority, such as the financial sector, retail sector or the healthcare sector, industry-specific security standards like PCI, HIPAA, DPA, etc. are the way to go.
Hacking incidents have become so common for some of the major startups that the mindset among them is more inclined towards ‘when we are hacked’, instead of ‘if we are hacked’. Typically, startups do not have a large budget for security, which leads to lax measures. However, even with a small budget, they can take necessary steps to prevent and control risks. Startups need to shift the focus of their cybersecurity strategies from outright prevention to employing systems for a quick and early detection of breaches, thereby limiting the scale of damage once a breach has been confirmed. It is imperative that companies have a robust cybersecurity management program in place to increase the customer’s trust in the services and products, fulfilling compliance requirements to ensure data security and privacy and protecting sensitive data or intellectual property, etc. Some important components of a good cybersecurity management system are:
1. Data Classification: A data classification process can help an organization determine the cost and effort to protect critical information assets. Data classification involves:
• Identifying data that needs to be protected
• Assigning a value to the data
• Cataloguing areas that hold critical data
• Finding out who has access to data and who should have access
2. Implementing security control: Cyber criminals don’t knock on your door before stealing your data, which is why it is mandatory to implement a robust cybersecurity control framework for your company to deal with unexpected and unknown threats. Although, there are numerous safety frameworks globally, three of the top ones are ISO 27001 and 27002 for security, and ISO 22301 for business continuity planning.
3. Verifying security control performance: Startups must regularly evaluate their security controls with a combination of control testing and penetration testing to determine whether they are operating as intended. Companies must also conduct regular internal audits focusing extensively on controls over financial reporting.
4. Planning and testing for breach preparedness: Organizations must have the necessary breach response procedures in place in the event of a hacking or cyber-attack. A response plan involves critical steps such as:
• Identifying who should be notified
• Set up a response team
• Implement protocols to monitor intruder activity
• Prevent back-door escapes for intruders
• Notifying legal authorities
• Determining the extent of compromise
• Proper legal counsel and insurance procedures
• Analyze the root-cause and resolve security issues
Cybersecurity management is a complex issue that demands immediate attention from startups. It is not the sole responsibility of the IT department, but a collective effort of everyone within the organisation. The world today is extremely fragile and vulnerable to the rising threat of cybercrime. The recent hacking of 3.2 million ATM cards in India in October 2016 was one such instance that showed us how easy a target we are to cybercriminals. Employing appropriate cybersecurity measures can not only help reduce such vulnerabilities and enhance threat preparedness, but also aid in controlling the scale of impact and exposure of a breach whilst minimizing the potential risk to both startups and consumers.
