There is no gainsaying the fact that fintech is the most preferred hunting ground for hackers and attackers. Within the fintech sector, the most vulnerable are those companies dealing with share trading, banking, credit reporting, and insurance. This is the usual pecking order, though there is no established rule here. In many of the spectacular security breaches, suspicious network activity isn’t noticed until many months have passed; for instance, in the case of the Equifax data breach, the attack was identified after three months, but the damage had already been done. The general state of security in fintech has never been comforting; susceptibility to attacks is so high that companies, as a policy, place more emphasis on having damage-control mechanisms than on implementing top-notch security practices and tools. Such misplaced prioritization has often exposed companies to a slew of threats.
Fintech companies can prevent much heartburn by having in place an integrated security solution with built-in safety features such as:
- Advanced endpoint and data protection
- Seamless cyber security framework
- Compliant workflow process
- Smart blocking of unauthorized applications
- Proactive scanning of installed applications
Although the above steps are adequate to blunt any attacks, basic flaws in the security mechanism act as fodder for assailants waiting to exploit any weak points in the armor. These flaws arise due to negligence or poor attention given to safeguarding against potential threats. Here are some of the flaws that continue to dominate fintech firms, irrespective of their size.
Outdated system software: It is estimated that one out of five financial services companies faces issues relating to using older or outdated versions of an operating system (OS) or vendor software. As manufacturers often do not support legacy OS with patches or updates, both users and servers become highly vulnerable to exploits. Also, hackers exploit outdated vendor systems to take over account credentials, leading to a host of other security issues. The most dangerous aspect of such a compromised state of affairs is the stream of phishing emails carrying infected files or links to infected websites. Unfortunately, financial institutions’ propensity for online transactions is not matched by their determination to upgrade their systems; many still cite the cost and effort required as a significant barrier to changing their IT systems. This makes them sitting ducks for any raiding parties that are looking out for an opportunity to attack.
Unsecured channels: It is common for fintech firms to launch various versions of their products or services for desktop, mobile web, and mobile app so that customers can access them via multiple channels. However, this becomes a security risk when fintech firms do not independently consider the requirements of each channel. For instance, hackers can easily plant malicious code in a mobile device. When a mobile user accesses the site, the hacker can retrieve all passwords and other credentials. Employing advanced authentication features, like multi-factor authentication or pre-boot authentication, ensures that security information on a device can never be compromised.
Unencrypted data transmissions: Fintech dwarfs all sectors when it comes to the size and frequency of data transmissions taking place. At any given hour, various data streams flow between B2B and B2C entities from different channels, platforms, applications and connections. A single breach can be all it takes to bring all the entities down. Securing the networks and encrypting the data act not only as a deterrent, but also protect assets from misuse.
Cloud platform usage: Data security in the cloud is one crucial area that needs constant monitoring. Fintech firms must take conscious steps when choosing a public cloud server. As third-party vendors, public cloud service providers offer little or no control to fintech firms when it comes to data protection. It is highly recommended that fintech firms develop their own private cloud, with their own security and control mechanisms. In any case, when moving the IT infrastructure to the cloud, fintech firms should ensure that data is encrypted even before it leaves the network.
Archaic security policies: It is quite common to find companies languishing in old-school security policies that focus on the device rather than its content; they often do not adopt policies to include emerging technologies. It is important for fintech enterprises to regularly upgrade and review their security policies and tools to protect against newer sources of threats. It is further recommended that data security strategy reviews become an ongoing item on board and executive agendas, leading to an environment of common and collective direction that can be supported across the organization.
Manual processes and ad hoc solutions: Fintech firms prefer solutions with a separate security approach for each platform; these piecemeal solutions are inefficient and risky. Moreover, fragmented approaches make it difficult to enforce compliance because they are so difficult to administer. For instance, providing access requires a mix of security mechanisms: authenticating users, enforcing access controls, and managing encryption on endpoint devices. Automating the provisioning and enforcement of processes not only takes a substantial workload off IT staff, but also protects the organization from human error, inefficiencies, and silos that may allow for unintended malicious access to the data.
By: Rahul Kumar, Country Manager, WinMagic