Recently, Nigerian startups, especially those in the financial technology sector (Fintech Startups), have fallen victim to a spate of cyberattacks. These attacks not only compromise users’ information but, more critically, the funds stored on these platforms.
While these breaches are typically attributed to general security infrastructure vulnerabilities, the precise reasons behind these breaches have remained somewhat elusive. However, Deimos, a prominent African cloud-focused cybersecurity company, has shed light on the common mistakes that startups make, leading to security breaches.
Deimos recently issued a statement to Technext, pinpointing the key pitfalls startup organizations encounter when securing their operations. According to the cybersecurity company, these issues are often rooted in human factors rather than technical shortcomings. These issues include:
- Prioritizing Speed Over Security: Startups often place a premium on quick feature releases, sometimes at the expense of robust security measures. This approach can result in the acceptance of security risks with potentially devastating consequences.
- Reactive Cybersecurity: Many startups adopt a reactive approach to cybersecurity, addressing security concerns only after experiencing breaches or cyberattacks.
- Inadequate Access Control: Failing to implement secure access control measures for employees handling sensitive information and systems can expose startups to significant security risks.
Deen Hans, Director of Security Engineering at Deimos, further elaborated on these points, emphasizing that startups often sacrifice security in their quest for rapid feature deployment. This approach can lead to security risks that might have severe consequences, outweighing the benefits of quick releases. He also noted that startups frequently conduct insufficient or no risk assessments.
Hans explained, “Startups tend to underestimate risk due to their smaller user base or a lack of prior security incidents. This can result in a neglect of security issues in their production environment, potentially damaging their reputation and user trust.”
One aspect that often eludes startups is understanding their risk appetite. Hans stressed the importance of striking a balance between feature development and security. Trade-offs may be necessary to improve security after product releases. Unfortunately, many startups lack a comprehensive understanding of their risk appetite, which can lead to detrimental trade-offs that harm their business.
Hans concluded, “Understanding risk appetite goes hand in hand with identifying a business’s most valuable assets, whether it’s user data, financial information, or monetary funds. Having a clear picture of what needs protection is essential to avoid making decisions that compromise critical assets and user safety.”
Ways for Fintech Startups to Defend Themselves
To protect themselves from the growing threats, startups can benefit from implementing proactive measures. According to Kaspersky, Distributed Denial of Service (DDoS) attacks reached alarming levels in Q3 2022, causing disruptions for organizations. Deimos attributes these attacks to the failure to prioritize good governance practices, security education, and cloud technology awareness.
IBM’s estimates highlight the significance of securing data stored in the cloud, to which many African companies are transitioning as they embrace remote work. Unfortunately, overlooking access control measures and permissions creates vulnerabilities that can be exploited by malicious actors.
Verizon’s 2023 Data Breach Investigations Report underscores that the human element plays a pivotal role in security breaches. This includes social engineering attacks, errors, and misuse. Deimos recommends automating security processes to reduce human errors.
As remote and hybrid work becomes the norm, businesses increasingly rely on cloud technology. Deimos advises engineering teams to follow three vital methods to enhance their cloud security:
- Shifting Left: Prioritize security from the early stages of software development, rather than addressing it after product release.
- Defending Right: Implement firewalls and intrusion detection systems to protect products from external threats.
- Using Automated Tools: Employ automated tools to establish security measures before moving into production, such as static and dynamic application security testing and package vulnerability scanning.
These measures are critical for Africa’s rapidly growing tech ecosystem, which houses valuable data and assets in the cloud. Unprepared businesses are attractive targets for cybercriminals, and each breach affects millions of individuals. While cybersecurity solutions are available, many businesses fail to implement them effectively.
Deen Hans stressed that businesses must fortify themselves against cloud security vulnerabilities. He emphasized that the focus on growth and competitiveness often overshadows cybersecurity, resulting in costly breaches.
The consequences of neglecting a robust security posture can be severe, including reputation damage and eroded trust.