The Covid-19 pandemic that ravaged economies across the world has forced businesses to shift into the virtual sphere. Small businesses and startups – the most affected segments – have had to significantly scale down operations or close shop altogether. Those that still maintain some semblance of normalcy have had to adapt to the use of new digital tools and platforms to help connect with customers, rebuild supply chains and keep in touch with employees during the crisis. However, this new wave of digital innovation is also creating opportunities for large scale cyber threats by malicious actors, with startup segments often falling victim to an increased number of attacks during the crisis.
In a recent interaction with CXOToday, Jagdish Mahapatra, Vice President – Asia, CrowdStrike, sheds light on how the pandemic impacted the startup security landscape. Mahapatra, who has over 25 years of experience in the field of Infrastructure, Network, Datacentre and cybersecurity predominantly at Cisco and McAfee also explains how the burgeoning segment can create a cyber-aware work culture and remain compliant and secured in an increasingly volatile environment.
CXOToday: According to you, how has the pandemic impacted the security threat landscape in India?
Jagdish Mahapatra: The Covid-19 pandemic has expedited digital transformation, but has also accelerated the need to protect a vastly different IT environment where millions of new devices and users are connected remotely, beyond the traditional perimeter. For today’s start-ups, many of whom operate in the cloud, the need for cloud-native security solutions that can scale along with a growing business but also provide services such as threat hunting and intelligence has increased. The gold standard for a robust security posture today combines prevention with detection and response, fueled by threat intelligence.
For some organisations, remote work has been ongoing for several years, and the new push was simply a matter of scaling up existing solutions and policies. In other environments, work from home was a foreign concept; technology, operations and policies were not prepared and they had to adapt quickly. Cybersecurity quickly moved up the corporate agenda. As India’s digital footprint grows, the need to address cyber threats has become more critical than ever. With thousands of malicious domains coming online every day, it is imperative to protect every endpoint with continuous monitoring and threat prevention tools.
Organizations should adopt a strong defensive posture through rigorous IT hygiene to ensure endpoints and workloads are fully patched and properly protected. Security awareness training for employees working from home is needed to develop a security first focus for the business. They need to strengthen cloud environments with a zero-trust approach for authentication and authorization, as well as leverage technologies to monitor and detect movements across cloud environments, to verify the legitimacy of a threat.
CXOToday: Why should small companies and startups be worried about security more than their larger counterparts?
Jagdish Mahapatra: Cyber-attacks on some of the biggest Indian start-ups shook the sector during the pandemic last year and should serve as a reminder of the importance of cybersecurity. While many of these incidents made headlines across the country, many more flew under the radar. Adversaries are constantly innovating and identifying new ways to exploit vulnerabilities and start-ups need to consider their security posture first and foremost because many are cloud businesses.
Recently, we’ve seen additional shifts and evolution in ransomware. Adversaries are looking for new monetization schemes and ways to increase their returns. They think, they act, and they refine their businesses. eCrime actors are developing Ransomware-as-a-Service (RaaS) business models, in which they’ll provide ransomware toolkits to third party threat actors in return for a cut of the ransom.
Also, eCrime actors are beginning to employ double extortion techniques, demanding additional fees on top of a ransom with the threat of either releasing the data publicly or selling it to the highest bidder.
CXOToday: How can startups deal with ample amount of data and ensure that they are compliant and secured?
Jagdish Mahapatra: Today, the importance of compliance and security in a company’s lifespan and overall strategy cannot be overstated. For traditional businesses, security wasn’t as high up the corporate agenda as it is today so the benefit start-ups have is they can align their security and compliance requirements in unison from the beginning. It’s much easier to do this than to have to remediate later.
When organizations establish their data security rules, implement technologies, and handle the necessary audits and compliance early in their journey, they can establish a foundational culture of security early and ensure it is apparent in every facet of their business, but also in the services and products they are selling.
Having a security focus early and a security team in place is a critical way for start-ups to secure company data and remain compliant. For start-ups, compliance is crucial for establishing trust with partners and customers. Once this trust is eroded as a result of any security incident, it will be very difficult to rebuild that trust. Being compliant and secure will enable start-ups to take trust to new heights, building and retaining customer relationships as they grow.
CXOToday: What are the best practices that startups should follow to implement a comprehensive cybersecurity strategy?
Jagdish Mahapatra: There are a number of steps that startups can take to secure their businesses:
Zero Trust: As previously mentioned, a Zero Trust approach scrutinizes access requests identifying anomalies to enforce mitigation. It continuously validates security configuration and posture before access to applications and data is granted or retained. Zero Trust security involves real-time monitoring for misuse of credentials, suspicious systems or attack patterns.
Survey the environment: Auditing systems help companies to identify potential cybersecurity threats. Performing routine vulnerability and asset management scans will enable visibility into on-premises and cloud environments. Monitoring of business-critical applications so potential attacks can be stopped quickly before spreading and good IT hygiene are also important elements of a security team’s toolkit.
Cloud-based security: An increase in data created on personal devices has opened up business to malicious attacks. Businesses need to turn to next-generation antivirus (NGAV) solutions, with endpoint intelligence based in the cloud rather than trust legacy security solutions that can no longer adequately prevent ransomware and malware from sophisticated cyber criminals.
Test operations with tailored exercises: Security team exercises, such as remote tabletop exercises, provide opportunities to rehearse incident response activities while aiding participants’ awareness of new-age attacks. Depending on the size of the business, these can either be performed internally or through the use of a third party specialist.
CXOToday: Please share some tips on how startups can create a cyber-aware work culture?
Jagdish Mahapatra: It is understood that an organisation is only as strong as the weakest link in the chain and this is precisely the way that security should be viewed. So having employees that adopt a security first mindset is crucial for modern businesses to remain secure. Here are a few tips that start-ups should keep in mind to create a more secure workplace.
- Build awareness: A secure workspace starts with an aware individual. Human error is the cause of a lot of breaches and things like opting for simple passwords for easy recall should be eradicated early. It is important to create strong passwords to make it difficult for attackers to access a system. Installing non-work related third party programs onto a work device can also compromise security. Hence, start-ups should ensure that employees are aware of how to act securely when working.
- Leadership: Employees look up to the leadership for guidance and so business leaders have a big role to play in establishing secure working practices but also discussing with employees why this is important. Leaders can use approaches such as starting a conversation with employees about how they manage their personal and work accounts so that they have a context to understand what is appropriate at work.
- Learning: It is critical to establish a cybersecurity-focused culture while onboarding new employees. Learning should never come to an end so regular security behaviour and awareness training is key.
When we talk of a cyber-aware culture, enterprises must realize that it entails more than just technology. It is about people, processes, and engagement. Cyber risk management requires a holistic strategy from businesses of all sizes including start-ups.