Cybersecurity: Top Five Things Fintech Leaders Need to Know
By Swapnil Deshmukh, May 15, 2018
Business leaders in the financial technology industry face technical challenges and risks, and cybersecurity is near the top of many lists. Faced with an evolving cyber threat landscape, rapid development lifecycles and significant regulatory and compliance obligations, fintech leaders face the same security challenges as the behemoth incumbents of the financial world, but with significantly smaller budgets and far less in-house cybersecurity expertise than their larger peers. With attack patterns constantly evolving, proactive implementation of cybersecurity best practices is more important than ever before. Chances are, you are already considering how best to build the cybersecurity capability your fintech company needs. The following are five things you need to ask yourself to help make a plan of action:
1. Is Your Software Development Lifecycle Secure?
In the modern world software is the DNA of business, so it is imperative that it be kept secure from data breach and disruption. If your company develops software internally but does not have a formal software security initiative drawing from best practice frameworks and security assurance processes (encompassing architecture risk analysis, source code review and external penetration testing for production applications), you are lacking foundational application security capability and potentially exposing insecure code to cyber threats. Perversely, many companies lack a truly proactive approach to software security, which is unfortunate because finding and fixing vulnerabilities in an existing design is far costlier than designing for security upfront. Even a cursory architecture risk analysis by an experienced security consultant will often identify potential security weaknesses, such as poor network segmentation or the use of insecure protocols to transmit sensitive data.
Once you have implemented a formal software security initiative encompassing architecture risk analysis, source code review and external penetration testing for production applications, your company should feed lessons learned back into policy in order to find defects earlier, avoid recurring vulnerabilities and eliminate blind spots. Consider seeking software security advisory services to help unify cybersecurity best practices with DevOps principles and to derive greater value from penetration tests.
2. What Steps Should You Consider to Ensure Your Outsourced Applications and Infrastructure (including Cloud Services) are Secure?
Unfortunately, there is a mistaken belief among many fintech leaders that data stored with giant cloud service providers such as Amazon, Microsoft and Google is secure by default. On the contrary, sophisticated password spray attacks, designed to evade detection by staying below per-account lockout thresholds, are being effectively leveraged by attackers to obtain unauthorized access to companies’ cloud deployments. While cloud service providers provide some level of security, in reality much of the work is left to consumers of cloud services (That’s you!), and from a regulatory and legal perspective, outsourcing to cloud service providers does not relieve company leadership of ultimate responsibility for protecting sensitive data.
Proactive fintech leaders need to evaluate their use of outsourced applications and infrastructure to ensure their data is in fact secure. Pay particular attention to vulnerability management, data protection, password policies and multi-factor authentication.
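Password spraying defeats the per-account lockout rule because each account sees only one or two failures. The detection signal is a single source failing against many distinct accounts in a short window, plus any success from that same source. The following is an added example of that detection logic, not code from the original article; the log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
"""Password-spray detection over constructed authentication log lines.

A spray tries a few common passwords against many accounts, staying under the
per-account lockout threshold, so per-account lockout logic never fires. The
signal is one source touching many distinct accounts with a low failure count
each. Log format (assumed): "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (format assumed, addresses from documentation ranges).
SAMPLE_LOG = """\
2018-05-01T09:00:01Z FAIL user=alice src=203.0.113.7
2018-05-01T09:00:03Z FAIL user=bob src=203.0.113.7
2018-05-01T09:00:05Z FAIL user=carol src=203.0.113.7
2018-05-01T09:00:07Z FAIL user=dave src=203.0.113.7
2018-05-01T09:00:09Z FAIL user=erin src=203.0.113.7
2018-05-01T09:00:11Z OK user=frank src=203.0.113.7
2018-05-01T09:01:00Z FAIL user=alice src=198.51.100.4
2018-05-01T09:01:10Z FAIL user=alice src=198.51.100.4
2018-05-01T09:01:20Z OK user=alice src=198.51.100.4
"""

LOCKOUT_THRESHOLD = 5    # per-account lockout after this many failures (assumed policy)
SPRAY_MIN_ACCOUNTS = 5   # distinct accounts one source must fail against (assumed)
WINDOW = timedelta(minutes=10)


def parse_line(line):
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ok": result == "OK",
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def parse_log(log_text):
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    return events


def per_account_lockouts(log_text, threshold=LOCKOUT_THRESHOLD):
    """What a per-account lockout rule catches: accounts with >= threshold failures."""
    counts = defaultdict(int)
    for e in parse_log(log_text):
        if not e["ok"]:
            counts[e["user"]] += 1
    return sorted(u for u, c in counts.items() if c >= threshold)


def detect_spray(log_text, min_accounts=SPRAY_MIN_ACCOUNTS, window=WINDOW):
    """Return {src: sorted sprayed accounts} for sources that failed against
    >= min_accounts distinct accounts inside `window` while every account
    stayed below the lockout threshold (the low-and-slow pattern)."""
    by_src = defaultdict(list)
    for e in parse_log(log_text):
        if not e["ok"]:
            by_src[e["src"]].append(e)

    alerts = {}
    for src, fails in by_src.items():
        start = 0
        for end in range(len(fails)):          # sliding window over this source's failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for f in fails[start:end + 1]:
                per_user[f["user"]] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) < LOCKOUT_THRESHOLD:
                alerts[src] = sorted(per_user)
    return alerts


def successes_from_spray_sources(log_text):
    """Accounts that logged in successfully from a source flagged as spraying:
    the first candidates for password reset and session revocation."""
    sprayers = detect_spray(log_text)
    hits = defaultdict(set)
    for e in parse_log(log_text):
        if e["ok"] and e["src"] in sprayers:
            hits[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in hits.items()}


if __name__ == "__main__":
    print("lockouts:", per_account_lockouts(SAMPLE_LOG))        # [] - nothing fires
    print("spray sources:", detect_spray(SAMPLE_LOG))
    print("compromised:", successes_from_spray_sources(SAMPLE_LOG))
```

On the sample, the lockout rule returns nothing, while the source-centric view flags 203.0.113.7 and the one account it succeeded against. In production the same logic runs against the identity provider's sign-in logs, with the window and account count tuned to the tenant's normal traffic.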
3. Have You Identified Your Most Sensitive Data and Devalued it through Encryption?
Fintechs subject to regulatory and compliance scrutiny, including regulations with data breach management and notification requirements such as the General Data Protection Regulation (GDPR), should identify their personally identifiable information (PII) obligations and pseudonymize or encrypt 100% of their company’s PII volume. This will help keep your company from being the next big data breach headline, as the GDPR includes exceptions to its data breach notification requirements where stolen data has been rendered unintelligible by encryption prior to the breach.
By applying cryptographic protections to 100% of your most sensitive information you devalue your company’s data to determined attackers seeking to exfiltrate and monetize your company’s PII. Focus on ensuring your company has coherent and effective policies around sensitive data discovery, classification as well as an initiative to encrypt all sensitive data-at-rest.
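Pseudonymization is only as good as the secret behind it: an unkeyed hash of an e-mail address or phone number is reversible with a dictionary of likely values, whereas a keyed hash (HMAC) whose key is stored apart from the data leaves stolen records unintelligible. The following is an added example contrasting the two and applying a field classification to a record; it is not code from the article, and the field names, the classification and the sample record are constructed.

```python
"""Pseudonymizing PII fields with a keyed hash (HMAC-SHA256).

Contrasts an unkeyed hash, which an attacker reverses by hashing likely values,
with a keyed pseudonym, which cannot be reversed without the key held outside
the data store. Classification, field names and records are constructed.
"""
import hashlib
import hmac
import secrets

# Classification step: which fields in a customer record are PII (assumed).
PII_FIELDS = {"email", "phone", "national_id"}


def unkeyed_pseudonym(value):
    """Weak form: deterministic, but anyone can recompute it from a guess."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_pseudonym(value, key):
    """Strong form: deterministic for a given key, useless without it."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def pseudonymize_record(record, key, pii_fields=PII_FIELDS):
    """Replace each PII field with its keyed pseudonym; non-PII fields pass through.
    Same value + same key -> same token, so joins on e.g. email still work."""
    return {k: (keyed_pseudonym(v, key) if k in pii_fields else v)
            for k, v in record.items()}


def dictionary_reverse(token, candidates, key=None):
    """Attacker's view: hash each guess and compare. With key=None the attacker
    has no key and can only try unkeyed hashes of the guesses."""
    for guess in candidates:
        tok = keyed_pseudonym(guess, key) if key is not None else unkeyed_pseudonym(guess)
        if hmac.compare_digest(tok, token):
            return guess
    return None


# Constructed sample data.
CUSTOMER = {"customer_id": 1042, "email": "alice@example.com",
            "phone": "+15555550100", "plan": "gold"}
GUESSES = ["bob@example.com", "alice@example.com", "carol@example.com"]


def demo():
    key = secrets.token_bytes(32)   # in practice: generated and held in a KMS/HSM, never beside the data
    rec = pseudonymize_record(CUSTOMER, key)
    # Unkeyed token: recovered on the second guess.
    recovered = dictionary_reverse(unkeyed_pseudonym(CUSTOMER["email"]), GUESSES)
    # Keyed token, attacker without the key: no guess matches.
    not_recovered = dictionary_reverse(rec["email"], GUESSES)
    return rec, recovered, not_recovered


if __name__ == "__main__":
    rec, recovered, not_recovered = demo()
    print(rec)
    print("unkeyed reversed to:", recovered)
    print("keyed reversed to:", not_recovered)
```

Keyed pseudonyms keep analytics and joins working while the key, not the data store, becomes the thing to protect; reversible encryption of the same fields is the right choice where the original value must be recovered, and the discovery and classification step is identical for both.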
4. Do You Have a Cybersecurity Framework, Strategy and Quantifiable Security Objectives to Measure Your Team’s Progress?
Building application and cloud security capability in a fast-growing fintech company can be difficult. It’s even more difficult without a framework, strategy and clear, quantifiable goals to catalyze the right kind of action. Think about having an external cybersecurity maturity assessment completed to gain a comprehensive understanding of where your company stands relative to cybersecurity best practices and to chart a course for capability improvement where necessary. The more you know about your cybersecurity risk posture, the easier it is to define a strategy and metrics to catalyze action across your company’s technology team.
5. Has Your Company Taken Appropriate Steps to Manage Identity and Access Management Risks?
Identity and access management to control access to applications and systems is a foundational cybersecurity capability for all companies, but it is particularly important for fintechs given the sensitive data they control. Make sure your company has a strategy and a methodical approach to ensure it is disabling all inactive accounts; implementing least privilege access controls so that access is limited to those with a job-function-based need; and conducting periodic reviews of granted access. Also, know that multi-factor authentication represents a significant improvement over passwords as a form of authentication, and its use makes your company a more difficult target for attackers.
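The three controls named above (disable inactive accounts, enforce a least-privilege baseline, review granted access periodically), plus an MFA check, can be turned into a recurring audit over the account inventory. The following is an added example of such an audit, not code from the article; the inventory format, the role baselines, the thresholds and the accounts themselves are assumptions constructed for illustration.

```python
"""Access review over a constructed account inventory.

Flags: accounts inactive past a cutoff (disable candidates), entitlements that
exceed the job-function baseline (least privilege), accounts whose last access
review is overdue, and accounts without MFA. Formats and thresholds are assumed.
"""
from datetime import date, timedelta

INACTIVE_DAYS = 90     # assumed policy
REVIEW_DAYS = 180      # assumed policy
TODAY = date(2018, 5, 15)   # fixed so the example is reproducible

# Least-privilege baseline: entitlements each job function legitimately needs (assumed).
ROLE_BASELINE = {
    "support": {"ticketing:read", "customer:read"},
    "engineer": {"repo:write", "ci:run", "staging:deploy"},
    "finance": {"ledger:read", "payments:approve"},
}

# Constructed inventory; None means the event never happened.
ACCOUNTS = [
    {"user": "alice", "role": "engineer", "last_login": date(2018, 5, 14),
     "entitlements": {"repo:write", "ci:run", "staging:deploy"},
     "last_review": date(2018, 1, 10), "mfa": True},
    {"user": "bob", "role": "support", "last_login": date(2017, 11, 2),
     "entitlements": {"ticketing:read", "customer:read"},
     "last_review": date(2017, 6, 1), "mfa": False},
    {"user": "carol", "role": "support", "last_login": date(2018, 5, 1),
     "entitlements": {"ticketing:read", "customer:read", "payments:approve"},
     "last_review": date(2018, 3, 3), "mfa": True},
    {"user": "svc-backup", "role": "engineer", "last_login": None,
     "entitlements": {"repo:write"}, "last_review": None, "mfa": False},
]


def inactive_accounts(accounts, today=TODAY, days=INACTIVE_DAYS):
    """Accounts that never logged in, or not within `days`: disable candidates."""
    cutoff = today - timedelta(days=days)
    return sorted(a["user"] for a in accounts
                  if a["last_login"] is None or a["last_login"] < cutoff)


def excess_privileges(accounts, baseline=ROLE_BASELINE):
    """{user: entitlements beyond the role baseline}; unknown roles get an empty baseline."""
    out = {}
    for a in accounts:
        extra = a["entitlements"] - baseline.get(a["role"], set())
        if extra:
            out[a["user"]] = sorted(extra)
    return out


def overdue_reviews(accounts, today=TODAY, days=REVIEW_DAYS):
    """Accounts never reviewed, or last reviewed more than `days` ago."""
    cutoff = today - timedelta(days=days)
    return sorted(a["user"] for a in accounts
                  if a["last_review"] is None or a["last_review"] < cutoff)


def missing_mfa(accounts):
    return sorted(a["user"] for a in accounts if not a["mfa"])


def audit(accounts, today=TODAY):
    return {
        "disable": inactive_accounts(accounts, today),
        "excess": excess_privileges(accounts),
        "review": overdue_reviews(accounts, today),
        "no_mfa": missing_mfa(accounts),
    }


if __name__ == "__main__":
    for finding, users in audit(ACCOUNTS).items():
        print(f"{finding}: {users}")
```

Service accounts such as the constructed "svc-backup" show up in every column because they rarely log in interactively, never get reviewed and cannot do MFA; they are where this audit usually earns its keep, and the fix is a documented owner and a review exception rather than silently skipping them.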