This will help them develop a strong security posture against AI hacking and deep fakes, which are uncharted territory for most start-ups.
As cyberattacks become more frequent and sophisticated, start-ups must proactively protect their businesses. However, many founders worry that having a robust cybersecurity infrastructure could restrict the seamless data flow, internally and externally.
Ritika Basu, global technology lead at Mercer Marsh Benefits and Mercer India, believes that data can flow seamlessly and be protected simultaneously with the proper controls in place. Achieving this requires planning and consideration.
She tells Outlook Start-Up that the alternative has a negative impact on the brand and causes a loss of trust among customers. A robust cyber-security infrastructure is no longer an option but a necessity.
According to the CyberPeace Foundation, small businesses and SME start-ups are the target of 43 per cent of cyberattacks. In light of the evolving nature of cyber risk and the narrowing funding runway, how should start-ups rework their current playbooks to be more proactive and agile?
Security can no longer be an afterthought and start-ups need to plan, design and implement controls from the get-go. Some key considerations to proactively consider include conducting risk assessments on an ongoing basis to identify potential vulnerabilities and prioritize cybersecurity efforts. This assessment should include an inventory of all assets, an analysis of potential threats, and an evaluation of existing security controls.
They can also develop a cybersecurity plan that outlines security goals, strategies, and tactics. The plan should include policies and procedures for data protection (including penetration testing), incident response and employee training.
I also advocate that they implement security controls such as firewalls, antivirus software, intrusion detection systems and encryption technologies. Prioritise and deliver regular training to employees on how to identify and respond to cyber threats and follow security policies and procedures.
Most importantly, start-ups should ensure all security measures are current and up to date, including monitoring for suspicious activity, updating software and security patches, and conducting regular security audits.
Why should start-ups conduct risk assessments of their supply chain?
Customers buy an end-to-end service offering. Hence, third-party products or services leveraged to provide the end-to-end product offering must be subject to the same proactive security controls, policies and procedures as the start-ups.
Even while using a third-party service, the approach of network segregation, ensuring data back-ups, and fault-tolerant infrastructure will ensure a seamless service offering.
Some Indian start-ups have already instituted robust protections. A leading food delivery platform has implemented a bug bounty program to incentivise ethical hackers to identify and report vulnerabilities in their systems. This has helped the food delivery platform to identify and fix potential security issues before malicious actors can exploit them.
Similarly, a digital payments start-up has implemented multi-factor authentication and encryption to protect user data and prevent unauthorised access to their systems.
While start-ups often have a digital-first approach, how can they build resilience in their networks as they scale their operations without breaking the bank?
This used to be tricky and one of the reasons start-ups didn't put security first. But given the availability of cloud services and open-source tools, it is now very much doable.
Cloud providers can provide a range of services for network resilience, such as load balancing, auto-scaling and data replication to ensure critical systems and data are always available. These providers also have support for multi-factor authentication and back-ups.
Segmenting your network can help contain the impact of a cyberattack. Open-source tools are available for network segmentation, network monitoring, intrusion detection, etc.
As the world shifts towards deglobalisation and regionalisation, how can cybersecurity efforts complement these trends, especially in light of start-ups' pursuit of digital sovereignty?
This is an issue all countries are grappling with and will require balance between all parties involved. On the one hand, increased regionalisation and digital sovereignty can lead to more localized control over data and potentially stronger cybersecurity measures.
On the other hand, deglobalisation can lead to fragmentation of the internet and reduced global interoperability, making it more challenging to manage cyber intrusions and threats.
Adopting global standards and best practices limits adoption barriers for start-ups and helps ensure participation in a global marketplace. One of the critical areas of investment is growing talent in this space that can support the local start-up ecosystem.
The policy setting must also be clear from a data processor and controller perspective and not open to interpretations. Progressive regulation that allows for a secure and interoperable solution that supports and enables the start-up ecosystem and global firms with large set-ups in India is always enabling.
The government is already doing a great job around these. But as the technology landscape keeps evolving, we will continue to have opportunities to enhance this area.
What technologies can start-ups leverage to thwart new-age threats like AI-augmented hacking, VALL-E, which can recreate any voice from a sample clip, and sophisticated deepfakes used for social engineering attacks?
AI hacking and deep fakes are uncharted territory for most, but a real threat. To protect from these threats, start-ups need to ensure they have a strong security posture that is implemented using automation for detection and response.
They can consider implementing a Zero Trust architecture, which assumes all users, devices and applications are untrusted and must be verified before granting access. This approach can help to prevent unauthorized access and limit the impact of potential breaches. Other options are leveraging blockchain or biometric authentication for verifying the authenticity of data or individuals, respectively.
How can start-ups design processes around cybersecurity skills (hiring, learning, succession) to bridge the talent gap?
Globally, there is a skill shortage in this space. Universities in India have started focusing on courses related to cyber security, but we are likely 2-5 years away from any surplus availability of talent. The best way to bridge the talent gap is to create awareness and training across all development teams so that the products can be designed to address vulnerabilities from the start.
Encourage a Secure Software Development Life Cycle (SSDLC). The SSDLC framework includes security requirements, design, implementation, testing, and deployment phases, and it aims to identify and mitigate security risks throughout the software development life cycle. Team members within risk and audit have the option of cross-skilling into cybersecurity.