4.2 Cybersecurity Hygiene
(Or: "How to not become the next headline on Data Breaches Today")
4.2.1 Password Policies
The First Line of Defense
💀 Never Allow These (Yet 63% of Startups Do)
• password123
• companyname2024
• admin@123
• Founder's pet's name + birth year
✅ Enforce This Instead:
• 12-character minimum (mix of upper/lower/numbers/symbols)
• Password manager mandatory (Bitwarden/1Password)
• Biometric 2FA for all admin accounts
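One way to enforce the policy above at signup or password change, as an added example (not code from the original guide): a Python check for the 12-character, mixed-class rule that also rejects the weak patterns listed. The function name, the word list and the sample company and pet names are assumptions made for illustration.

```python
import re
import string

# Constructed word list: base words behind the weak examples above, plus a few common ones.
COMMON_BASES = {"password", "admin", "qwerty", "welcome", "letmein"}
MIN_LENGTH = 12  # the minimum length stated in the policy above

def check_password(password, company, personal_terms=()):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    lowered = password.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)

    if len(password) < MIN_LENGTH:
        problems.append("too_short")

    # Require all four character classes (upper/lower/numbers/symbols).
    classes = {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    problems += [f"missing_{name}" for name, present in classes.items() if not present]

    # A common word padded with digits or symbols (password123, admin@123).
    if letters_only in COMMON_BASES:
        problems.append("common_base_word")

    # Company name anywhere in the password (companyname2024).
    company_key = re.sub(r"[^a-z0-9]", "", company.lower())
    if company_key and company_key in re.sub(r"[^a-z0-9]", "", lowered):
        problems.append("contains_company_name")

    # Guessable personal term, e.g. a pet's name, usually followed by a year.
    if any(t.lower() in lowered for t in personal_terms if t):
        problems.append("contains_personal_term")

    return problems

if __name__ == "__main__":
    # Constructed sample inputs; "Acme" and "Bruno" are hypothetical names.
    for pw in ["password123", "admin@123", "Bruno#2015!xyz", "v7#Tq9!mLx2@Rw"]:
        print(pw, check_password(pw, "Acme", personal_terms=("Bruno",)))
```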
🔥 Horror Story:
A Jaipur e-commerce founder used IloveMyDog2005 across 7 accounts. Hackers:
• Accessed the payroll system
• Changed bank details for 12 employees
• Stole ₹28L before detection
________________________________________
4.2.2 Antivirus & Firewalls
Your Digital Immune System
Tool Type  | Free Option       | Paid (Worth It)                | Why?
-----------|-------------------|--------------------------------|-------------------------------
Antivirus  | Windows Defender  | CrowdStrike (₹1,500/device/yr) | Catches zero-day exploits
Firewall   | Built-in router   | Palo Alto (₹25K/yr)            | Blocks advanced threats
DNS Filter | Cloudflare Family | Cisco Umbrella (₹800/user/yr)  | Stops phishing before it loads
Pro Tip:
• Schedule weekly scans (Friday afternoons)
• Whitelist only approved apps (blocks ransomware)
💀 Nightmare Scenario:
An intern clicked a "FedEx delivery notice" PDF. The ransomware:
• Encrypted 3 years of design files
• Demanded 0.5 BTC (₹18L at the time)
________________________________________
4.2.3 Phishing Awareness
(Because Your Intern Will Click That Link)
Top 3 Indian Scams in 2024
1. "GST Notice" WhatsApp forwards (Steals biz credentials)
2. "HR Policy Update" emails (Drops keyloggers)
3. Fake UPI payment screens (Empties your accounts)
🛡️ Training That Works:
• Monthly mock drills (Send fake phishing emails)
• Reward reporters (₹500 for catching test scams)
• 3-strike rule (Fail 3 tests? Mandatory retraining)
📊 Stats That Terrify:
• 91% of cyberattacks start with phishing
• Indian SMBs lose ₹3.8Cr/hour to cybercrime
________________________________________
4.2.4 Data Breach Response Plan
(Hope Isn't a Strategy)
24-Hour Breach Protocol
1. Containment (Disconnect infected devices)
2. Assessment (Determine stolen data types)
3. Notification (Clients + CERT-In within 72 hrs)
4. Recovery (Restore from clean backups)
📋 Must-Have Contacts List:
• Cyber Lawyer (For DPDP Act compliance)
• Forensic Expert (To trace attack source)
• PR Crisis Firm (For reputation damage control)
🔥 Bloodbath Case:
A Pune health-tech startup delayed breach disclosure by 14 days. Result:
• ₹1.2Cr penalty under new DPDP law
• 37% patient churn
• Blacklisted by hospitals
________________________________________
🛡️ Security Health Check
"How many seconds would you last?"
Area              | 😱 Sitting Duck            | 🛠️ Basic          | 🛡️ Fort Knox
------------------|---------------------------|-------------------|-----------------------------
Passwords         | Sticky notes on monitors  | Some 2FA          | Hardware security keys
Email Security    | No DMARC/DKIM             | Basic spam filter | AI-powered threat detection
Incident Response | "We'll Google what to do" | Documented plan   | Quarterly breach simulations
________________________________________
🚨 Cyber Crisis Response
"When the hackers win:"
Disaster          | First 60 Minutes                                                      | Long-Term Fix
------------------|-----------------------------------------------------------------------|-----------------------------------
Ransomware Attack | 1. Isolate network; 2. Identify strain; 3. Check backups              | Implement air-gapped backups
Data Theft        | 1. Freeze accounts; 2. Change all passwords; 3. Alert CERT-In         | Deploy endpoint detection
CEO Fraud         | 1. Recall fraudulent transfers; 2. Notify bank; 3. File police FIR    | Train finance team on verification
📌 Founder's Cybersecurity Kit
1. The USB Kill Switch
   o Keep a USB drive with shutdown scripts for emergencies
2. The Red Phone List
   o Printed list of contacts:
      - Cyber lawyer
      - Data recovery expert
      - Insurance claims handler
3. The Breach Go-Bag
   o Prepared statements for:
      - Clients
      - Employees
      - Media
🎯 Final Thought
"There are two types of companies: those who've been hacked, and those who don't know they've been hacked."
