Are we secured? – Information Security and Indian start-up ecosystem.
In this article, I will be penning my conversation with Mr. Saurabh Singh, co-founder of www.kiraipe.com, on perceptions and misconceptions about the Indian start-up ecosystem and cybersecurity, and why it has not been given its due importance.
Information Security in Indian Startups?
In the last few months, I have observed the Indian start-up ecosystem, and here are some snippets of my conversation with Mr. Saurabh, founder of an IET-Lucknow based start-up, www.kiraipe.com. The point was to understand why start-ups need information security, and whether information security is getting its due importance among start-ups.
Before starting, let me walk you through some statistics:
In 2015 alone, on average, 22 records were stolen per second.
Mr. Saurabh : Why do we need information security? How can you, being a security expert, possibly add value to my startup? Can you help to drive business growth, can you help to acquire more customers, or can you build product features to achieve business deliverables?
Me : For sure, security experts like me can add value to your startup. Let’s take a step back and look at the big picture.
Breaches happen across all sectors of our society, not just e-commerce or retail.
And then we have malware getting more intelligent.
Common strands across successful online startups, irrespective of domain, are:
• They have millions of customers who trust them and use them on a daily or weekly basis
• Customers transact real money
• They store personal data of customers, including passwords…
• They have customers’ addresses (and their gf’s/bf’s also :P)
• They have customers’ travel history
• They have customers’ data on buying needs
• They have customers’ data on food preferences
• They have customers’ saved credit cards (not stored directly, though)
• Apart from customers, you also have a lot of employee/delivery personnel data: their registration numbers, their vehicle numbers, their payment info, their location and a ton of other things.
Most importantly, most start-ups, and even yours in the future, will have an app which runs on the customer’s mobile device, which is their (virtual) life. If a smart, loony outsider manages to get access to those devices, and to their data via your app (by exploiting some bug), then the customers’ online identity is at risk. Sounds scary?
(You will get some statistics if you check the links <Latest malware no. of playstore and app store| Sophos Report>)
Hope that gives you a glimpse of why your startup, no matter what it does, definitely needs security engineering. One thing which I didn’t mention is supporting the legacy system that is definitely vulnerable: you need to protect it till there is a new, secure system in its place (which means there will be things falling through the cracks, a tricky thing to handle).
Mr. Saurabh : But mine is still at a very early stage. Few people know us. Can we do without information security? We can think of it when we grow big.
Me : Yes, you can start without information security as long as you go unnoticed and do not get traction from security cults who are watching out for things to break. This is the thing that gives them an adrenaline rush. In layman’s language: until you get hacked or someone writes a blog publicly shaming you, never assume that you won’t be the target of an attack.
A few things we need to understand: a breach can happen to any company (Facebook / Google / Microsoft / Yahoo / RSA / Twitter / Citibank / Uber etc.), and all of these have suffered a breach at some point in time or another.
The thing we need to ask ourselves is: after having so many instances to learn from, why do we still choose to neglect it?
The most notable thing is that the later you think about implementing information security, the harder it is to implement properly. So, the earlier you understand the need for information security, the better you can go ahead.
That answers the question: NO.
Mr. Saurabh : What if my dev/tech team takes care of basic security using resources available online? I guess that should do?
Me : Well, one good thing is that at least you cared about the security of your product. Unfortunately, what you will do will be a good start but not the right one. Just like a good graphic designer can architect your application just by surfing for articles on how to do it, that does not mean he can do it the right way. Can you rely on that design when you scale? Would you be sure that there wouldn’t be too many cracks through which things can fall?
Obviously NO. So, similarly, it is fine that everyone should have an understanding of security, but they should not have an overlapping role. You cannot break code with the same mindset you created it with; you need people who think out of the box.
Mr. Saurabh : Is application security worth investing in? Can I somehow outsource it at a later stage, or when I have an issue?
Me : If you don’t, then the day you become a multi-million/billion dollar startup with a good number of customers, getting applause from all around the world for the problem you solved, there will be a few security folks trying to steal the limelight, and a few other security enthusiasts who, because they use your service, find a vulnerability in it, one that has gone out to millions of users and can be exploited. This compromises not just your name, fame and customers, but would also stand as a hurdle in the next round of funding (though it depends on the bug that was left).
Then you will have to build a security team and get all your products secured: pen testing will be done, secure code review will be done, application architecture review will be done, cloud architecture review will be done and phew… the list never ends. But the worst part is that you will have to push users to update their app; this will give you chills. Yes, there will be customer loss, business loss, hundreds of endpoint changes and what not.
You need to invest in information security, the sooner the better. Later, it comes with an additional cost of reputation, customers, shaming and money.
Mr. Saurabh : But a bug in a mobile app can only lead to an exploit of a single user, right?
Me : The mobile ecosystem is a double-edged sword; one edge of it is that if we push a bug, intentionally or unintentionally, then it lives forever.
How? You don’t agree? Patience… I am here to unfold the mystery.
No matter how long it has been, there will be some percentage of users still using those vulnerable apps. You think a forced update is an option? If you are also a product manager, you know that unless it’s an app that people NEED (like a bank or a social media app which they can’t live without), they always have alternatives, and no company would force that unless it’s really needed (it is sort of ruthless/disastrous for them). Hence, you will lose customers, and that’s way too high a price to pay, because the numbers you need to show in the next investor meeting can become a problem.
Mr. Saurabh : What are the takeaways of your security journey so far?
Me : I have done my research in Information Assurance and Security, and am working as a security consultant and advisor to a few big companies across the globe. I have also been working for some founders and heads of Fortune 500 companies. In the last few months, I have met many start-up co-founders and business heads, and have observed their security architecture closely. I have studied the security culture of India and the type of security professionals we have.
During my observation of Indian start-ups, I have observed that none of them have any alerting and monitoring system in terms of application security; real time is too much wishful thinking. They do not have anything to keep track of things that would be handy if a breach happens, or to pre-empt one. Don’t take me wrong regarding companies like Google, FB and others. They are the bar raisers in what can be done, for the very same reason that made them grow big, and that is being open to new ideas and willing to try and fail.
As a security researcher, my advice to every start-up is:
a) Take control of your things
b) Protect your company and customers; set up a security team NOW. If you can’t, at least get security audits done at regular intervals, and keep an emergency response team ready.
c) Move from a reactive-by-design to a proactive approach
d) Do not rely only on (internal/external) pen-test reports from vendors. Get a complete security audit report. A pen-test is only a part of it.
Mr. Saurabh : How do I evangelize information security in my startup?
Me : Application security has always been a fight with user experience (security guy vs. product guy). The trend is that if you have a decently secure application, it will certainly have a really bad user experience; PMs are there to get a better user experience, and coming to a common ground is what matters (a mix of good user experience with decent security features in place).
Things I do on a regular basis:
a) Talk about the critical issues you found in the application with everyone, along with the impact they could have
b) Do as many sessions as possible for all teams
c) Talk about any recent hacks that happened and how we should have handled it if it was us
d) Think as if you are already breached and what you can do now to identify what has gone wrong: network -> infra -> malware -> APTs -> insider threat -> application bug -> any of those 150+ possible things.
e) Introduce all employees to fun security games; this does help a lot.
f) Have a mandatory session as part of induction in the first few days where they get a walkthrough of what bugs are found in the organization in general
This is a never-ending list, but this much is good to begin with.
(To everyone reading this: you must be wondering why I am writing this?
The goal here is to make startups and developers realize that taking care of data security does not add additional overhead. On the contrary, it gives a lot of ROI (I bet you can’t even calculate it). It’s just that other metrics overshadow security metrics.)
There have been many cases of start-ups all over the globe falling or having a rainy day just because of a lack of vision for information security. Hopefully, this post will help you avoid that familiar bumpy road (Prevention is better than cure! Always. No exception. In information security terms, it saves you from public shaming. Now you do not need to get hacked to understand the importance of application security).
At first, it may feel like things will get worse in terms of efficiency, but actually it will add to your business metrics and will make sure you don’t just go fast but go a long way too.
Mr. Saurabh : What should startups do? [Any secret sauce?] Any checklist we can have?
Me : Security is a process, not a destination.
Information security is never a matter of going through a checklist but of thinking out of the box. But surely I have a few pointers to share.
1. Get a full security audit done for your website, and keep those detailed and summarized reports handy.
2. Always keep yourself and your website/system/application updated with the latest security patches. Stay updated. It is better to hire a security consultant on a contractual basis.
3. Get connected with an emergency response team so that, for God’s sake, if some hack happens, you will not go in search of a team. A timely response will help you in many ways: damage can be recovered in time, and measures can be taken.
At the end of this conversation, I would like to say that in case you are one of those founders to whom information security only means protection against DDoS, then please have a look at this mind map and evaluate what you are missing.
One of the most prominent reasons why start-ups fail to implement security is its cost. The cost of security services is quite high in India, and the world, and no company has come forward for the needs of start-ups.
We, at Infosec Future, have for the first time realized the need to provide security to the start-up ecosystem of India. For that, we are offering services exclusively designed for start-ups, focused on their security needs, and at extremely affordable costs. Do visit our website https://www.infosecfuture.com for more details, or just drop me a message. Till then, happy innovating.
Credits to IBM, Microsoft, Facebook and others, from where statistics and report data have been shamelessly copied.