Cyber security practices at Zerodha

14 Jul 2023

Cyber risk is one of the biggest financial risks. I heard of a single scam of Rs 20,000 crores that affected lakhs of Indians. A precaution you can take to significantly reduce the odds of being a victim of cyber fraud is to enable two-factor authentication (2FA) everywhere.

What’s 2FA?

The first factor in a login is a password you remember, but a password on its own is easily compromised. 2FA is an additional factor to secure your account. Biometric authorization, TOTP (time-based expiring codes), etc., make account compromise much harder.

Everyone is a target today, especially businesses, since hacks can be financially lucrative. Almost all companies would’ve faced some cyberfraud attempts. Not taking preventive action means it is just a matter of time.

Cyber risk is a business and existential risk.

Firstly, you need actual technologists who also understand UX and user behaviour to design measures that mitigate risks. You should never be overconfident and should always be paranoid about security. Here are some simple, common-sense measures we follow at Zerodha:

  1. We have mandatory 2FA even for all internal employee systems.

  2. Strict role-based access. Everyone gets least access and least privilege by default.

  3. Nothing is connected to the internet by default, and access is over "zero trust" networks. Even incoming external e-mail for employees is only available where necessary.

  4. Botnet and DDoS protection in front of all internet-facing systems, plus real-time monitoring and analysis systems.

  5. Almost the entire employee base including non-technical folks use Linux desktops to reduce the attack surface. Yeah, I have switched as well 😀 I use Zorin (Linux). The shift was smooth since a browser is what I use the most.

  6. We are paranoid about external vendors and SaaS services. We self-host all our internal systems on private networks and use almost no SaaS vendors. Everything is pretty much self-hosted FOSS (free and open source software).

An older post on this.

There is no way to ensure there is zero cyber risk and it is not a purely technical problem. A significant number of hacks in the world involve exploiting human weaknesses.

It’s constant vigilance, good technical and non-technical practices and processes, and awareness of the risks and the steps we can take to keep reducing attack surfaces. We continue to be paranoid and afraid.

Btw, someone on our team got a WhatsApp message from a fake profile of mine asking for money. The message was very convincing. Imagine if this were a deep fake video or even a voice message of me using AI. It would be tough for anyone not to fall for the trap.

In a world of NFTs, crypto, AI, the metaverse, etc., we need to be almost paranoid about all digital interactions. Also, to always remember that if something sounds too good to be true, it usually is.

View on Twitter →