From the data theft of reportedly 3.2 million debit cards that affected many big banks including SBI, HDFC Bank, ICICI, Yes Bank and Axis Bank, to the recent security breach at Zomato that involved the data of over 17 million users, the state of cybersecurity in one of the world’s most rapidly growing markets doesn’t look very promising.
If data breaches of the last couple of years are anything to go by, then Indian start-ups don’t look adequately prepared to deal with cyber-attacks.
The same was reinforced by the Cyber Security Maturity Report of Indian Industry (2017) by Fire Compass, which found that Indian organizations across different sectors scored on average only around 50 out of 100 on the cyber security scale.
The large banks and telcos emerged as the best performers with a compliance percentage of 61. They were followed by financial services and the IT industry with scores of 58 per cent and 52 per cent respectively.
The most worrisome finding concerned start-ups and fintechs, which performed abysmally with a score of 8 out of 100 on the security maturity benchmark.
The report is based on an online survey to which 200+ organizations in India responded, across verticals, to provide a holistic view of security performance. The NIST Cybersecurity Framework (promoted by the US government) was used to classify technology control capabilities across 5 dimensions: Identify, Protect, Detect, Respond, Recover. The score is based on data from actual security controls implemented as well as open source security intelligence.
The report also highlighted that the majority of internal technology controls are primarily based around prevention, with insufficient measures implemented around detection and response. While the score for prevention techniques was 63 per cent, the scores for detection and response were 51 per cent and 31 per cent respectively. The picture does not change much for start-ups in terms of identification, prevention, response and detection either. It is alarming to see how ill-equipped start-ups are to deal with cyber attacks.
According to Fire Compass, cybersecurity investment should be spread out across the spectrum, taking a balanced approach much like a financial portfolio.
The firm has a word of caution for start-ups, especially fintechs: they shouldn’t assume ‘that start-ups are not a target for hackers. Most of the startups are easy prey for opportunistic hackers and start-up breaches are rapidly rising.’ A strong security posture can be achieved with low-cost tools and a small team of skilled professionals. Security should be considered right from the design stage of the product and be continuously assessed throughout the lifecycle. The cost of fixing issues later can be 30x higher than at the design stage.