One of the biggest challenges in digital business ecosystem is preventing cybersecurity breaches. When breaches happen in large organisations, a bank or a major utilities company, the media and the entire business ecosystem takes a note of it.
However, there are millions of other cyberattacks that take place every year and a large number of them turn out to be successful in stealing data or hacking computers, without getting any public attention. This creates a false sense of security among SMEs and startups, making them believe that they are not well-known or lucrative enough to be targeted.
The reality
The reality is that nearly 71% of the small and medium size enterprises are targeted by cybercriminals. Almost every business has some data that is valuable to the hackers.
For instance, even if a business doesn’t have sensitive credit card or healthcare data, it would still have phone numbers, email addresses, copies of employee ID cards and various other forms of data that could be of value to the hackers. According to Kaspersky Lab, data breaches cost startups and SMEs an average of around $86,500 in recovery costs.
Mechanisms to stop cybersecurity
Irrespective of the business vertical and organisation size, there is a need to create a cybersecurity
While the media focus is on malware, virus and other forms of hacking attacks that cause data breaches, the question that needs to be asked is how does it get injected in the first place? How do data breaches happen and what can I as a business owner do to mitigate them?
Irrespective of the business vertical and organisation size, there is a need to create a set of mechanisms to stop cybersecurity breaches at the company’s border. The first thing to understand is the concept of shared security model and responsibility.
Ownership of application
Any hosting and cloud services provider will provide a set of security mitigation initiatives (DNS, network, patching and updated version) etc., as part of their hosting services.
What they cannot provide and take ownership of the application. Applications are the heartbeat of the business and if an approach to risk mitigation is taken keeping application at the centre of planning, users can go a long way in securing them. Application security though requires special expertise, has many moving parts especially with open API and ease of integration. Although the ownership of securing them lies with the business, partnering with experts having those skills is needed. This is especially with vendors and appsec tool providers who offer this as part of their tool licenses.
Following are some of the components of application security:
- Development Stages SAST tools– Static Application Security Testing Tools and manual secure coding review must be included as an integral part of the software development life cycle.
- Test/Production Stages DAST tools– Dynamic Application Security Testing tools and manual penetration testing must be included as a regular discipline of testing and getting a clear report before pushing them into production. Partner with vendors who can offer managed services and False positive checks as part of the DAST tool sets.
- Operation Stages WAAP – Web application firewall and API protection and partner with vendors who can provide real time protection against attacks with policies. This should be backed with managed services to keep the rules updated and patched against identified risks from DAST and SAST tools.
Partner with application security experts
One must have strong internal controls and policy in place for email hygiene, password and access control
Users should Insist on the above tool sets and practices to be used with every application vendor and API partner with or include them in app tack. Apart from the above, One must have strong internal controls and policy in place for email hygiene, password, access control and other such factors.
To summarise, the best option for startups is to partner with application security experts who won’t just provide the tools, but also undertake the entire management and usage of the tools with updated policies management, false positive checks on a continuous basis.