As the third largest startup ecosystem, India hosts more than 77,000 DPIIT-recognised startups (1). They provide solutions in 56 diverse sectors, from healthcare, finance and banking, IT services, life sciences, education, professional services, agriculture, etc. Most startups are also adopting digitalisation to grow their business base, especially since the pandemic.
The rapid digitalisation and inadequate cybersecurity planning is leaving startups open to cyberattacks. A Google report cited that India witnessed 18 million cyberattacks and 2 lakh threats per day in the first quarter of 2022 (2). Out of these, 43 per cent of the cyberattacks are targeted at startups and SMEs, according to the Cyber Peace Foundation (3).
An IBM security index (4) even placed India in the top three most targeted countries in Asia in 2022. The prime reason for targeting startups is that they are more focused on growing their customer base and operational activities in the early years rather than safeguarding the data. So, the lack of proper security infrastructure and the vast volume of data (likes and dislikes, credit card information, preferences, KYC, etc.) startups are amassing make them easy targets.
The remote and hybrid work environments also expose them to cybersecurity threats. As the employees work from different networks and locations, it’s difficult to safeguard the network if it is not under a single umbrella. Also, the cybercriminals can target devices available in a remote setting, such as routers, gaming and entertainment systems, tablets, digital cameras, smart appliances, etc, to find their way into the corporate network. According to a Fortinet’s 2020 Remote Workforce Cybersecurity report (5), 60 per cent of the surveyed enterprises reported an increase in cybersecurity breach attempts and 34 per cent experienced actual breaches following the transition to remote working.
However, despite the management difficulties, the cybersecurity threats are not being dismissed or pushed to the backburner, especially given the breaches, leakages and losses of data in the past. Examples of records leaked or lost include Big Basket (20 million), Dunzo (3.4 million), Unacademy (20 million) and Juspay (35 million).
The startups are taking active measures to protect themselves against cyber threats like ransomware. It infiltrates the website and applications and often demands a ransom to give back control of the web applications. Ransomware attacks increased by 92.7 per cent in 2021, compared to 2020 (6). Other common cyberattacks include phishing, social engineering, SQL injections, cross-site scripting (XXS), distributed denial-of-service (DDoS), botnets, API threats, supply chain attacks and Trojan horses.
Consequences of cyberattacks
When cybercriminals steal data or demand a ransom, it has repercussions on the startup, which includes hefty economic costs.
Cyberattacks open a startup to lawsuits and government fines for not being able to protect the data of its customers. The startup must bear the high legal costs. They would even have to offer compensation for identity theft insurance or some other services, which could further add to their financial burden.
It also damages the reputation of the startup. Customers lose faith and trust in the company when their entrusted data is stolen and sold on the dark web. Therefore, new and existing customers would also think twice before engaging with the startup’s services. Thus, the startup would have to deal with a loss of sales and put in added effort and money in marketing and public relations to rebuild trust.
Solutions to cyber threats
Startups are constantly updating their security measures and infrastructure to protect their information services and operational technology. They are doing it by conducting audits to evaluate cybersecurity threats and identify weak points in the security infrastructure. They also focus on installing and maintaining the latest operating systems, security software and patches. They adopt an automated preventive measures system, which monitors the network, accurately detects threats and orchestrates a rapid response.
Startups are also investing in cloud-delivered security services and transitioning to hybrid cloud or multi-cloud systems. They incorporate a zero-trust approach, which implies that one must get verified to gain access and not trust any user, device or data flow. These services improve monitoring and alerting systems and streamline the security policy creation for the startup.