One of the biggest challenges in today’s digital business ecosystem is preventing cybersecurity breaches. When a breach hits a large organization, a bank or a major utilities company, the media and the entire business ecosystem take note of it. However, millions of other cyberattacks take place every year, and a large number of them succeed in stealing data or compromising computers without getting any public attention. This creates a false sense of security among SMEs and startups, making them believe they are not well-known or lucrative enough to be targeted.
The reality is that nearly 71% of small and medium-sized enterprises are targeted by cybercriminals. Almost every business holds some data that is valuable to attackers. For instance, even if a business doesn’t handle sensitive credit card or healthcare data, it will still have phone numbers, email addresses, copies of employee ID cards, and various other forms of data that attackers can monetize. According to Kaspersky Lab, data breaches cost startups and SMEs an average of around $86,500 in recovery costs.
While the media focus is on malware, viruses and other forms of hacking attacks that cause data breaches, the question that needs to be asked is how the malicious code gets in in the first place. How do data breaches happen, and what can I as a business owner do to mitigate them? Irrespective of the business vertical and organization size, there is a need to create a set of mechanisms that stop cybersecurity breaches at the company’s border.
The first thing to understand is the shared security model and where responsibility lies. Any hosting or cloud services provider will deliver a set of security measures (DNS, network, patching, up-to-date software versions, etc.) as part of its hosting services. What it cannot provide or take ownership of is your application. Applications are the heartbeat of the business, and if risk mitigation is planned with the application at the center, you can go a long way toward securing them.
Application security requires special expertise and has many moving parts, especially with open APIs and the ease of integration they bring. Although ownership of securing applications lies with the business, partnering with experts who have those skills is necessary. This is especially true of vendors and appsec tool providers who offer such expertise as part of their tool licenses.
Here are some components of application security.
SAST tools – Static Application Security Testing tools and manual secure code review must be an integral part of your software development life cycle.
DAST tools – Dynamic Application Security Testing tools and manual penetration testing must be a regular discipline of testing, with a clear report obtained before any release is pushed into production. Partner with vendors who can offer managed services and false-positive checks as part of their DAST tool sets.
WAAP – Web application firewall and API protection. Partner with vendors who can provide real-time, policy-based protection against attacks, backed by managed services that keep the rules updated and patched against the risks identified by the DAST and SAST tools.
Insist that the above tool sets and practices are used by every application vendor and API you partner with or include in your app stack. Apart from the above, you must have strong internal controls and policies in place for email hygiene, passwords, access control and other such factors.
To summarize, the best option for startups is to partner with application security experts who won’t just provide the tools, but will also undertake the entire management and operation of those tools, with up-to-date policy management and false-positive checks on a continuous basis.
(The author, Mr. Venkatesh Sundar, is Co-founder and CMO of Indusface, and the views expressed in this article are his own.)