As financial transactions have evolved from paper-based to digital in just a few years, the rate of the technological change driving this quiet revolution has been unprecedented. Fintech has drastically altered the way we conduct financial transactions and opened up many new opportunities for businesses of all sizes and sectors. As new technologies appear, this trend is likely to continue.
It has, however, also brought an inherent level of vulnerability. That is because criminal and malicious activity has evolved at a similarly rapid rate. Those who have embraced Fintech from the beginning need to ensure that they don’t let innovation and progress come at the expense of security and due diligence. Similarly, those new Fintech start-ups entering the marketplace should consider how they plan to maintain an information security framework from the outset – something that is easier said than done when investors, board members and staff want to see returns and immediate profitability.
While getting security right can feel like a distraction to dynamic and agile new entrants, the fact remains that those who build resilience into their systems will stand a far better chance of fending off the almost inevitable threats they will face from cyber criminals in one form or another.
What doors does Fintech open – and to whom?
It opens doors of opportunity to everyone. First appearing in the 1990s, the term was initially applied to the back-end systems of banks and other financial institutions. In subsequent years Fintech has grown to encompass a huge range of other applications which are increasingly customer-focused. From mobile payments to cryptocurrency; crowd-funding platforms to insurance, it now extends to robo-advising which provides algorithm-based recommendations and management tools, significantly improving efficiency and reducing costs.
Through every stage of its evolution, however, motivated hackers have been piggy-backing the Fintech revolution. As financial transactions moved online, hackers started to see the value in data – particularly payment card data. Where the human element could be exploited, they used it; from simple emails designed to redirect payments to phishing and other types of social engineering, which can cause havoc and introduce a vulnerability. Additional levels of sophistication have introduced malware and spyware alongside other malicious types of breach like ransomware.
Cyber criminals may have started out as individuals working in isolation but, as Fintech has evolved, so have they. The modern threat includes teams of hackers working together in collaborative business arrangements, backed by significant financial investment in technology to further their aims. As quickly as barriers are put in their way, they simply find new ways to exploit. In some cases, these hacking teams are even state-sponsored.
The fact is that cyber criminals only need to succeed once to breach an organisation’s cyber defences. Once inside they may choose to remain undetected and relatively dormant for some period of time. There is the possibility that many businesses have already been breached but are, as yet, blissfully unaware. When a breach is discovered, however, it can spell disaster if not managed correctly. In addition to the regulatory fines and immediate theft come longer-term consequences, such as impacts on revenue through damage to reputation and loss of customer trust.
Where is Fintech going next?
The global Fintech market is growing all the time as our capacity to embrace innovative technology appears to know no bounds. An inevitable consequence of this growth will be a growth in the number of attacks made by agile cyber criminals on institutions and organisations possessing large quantities of financial data.
What steps can be taken to build security and resilience into business systems?
When building (or maintaining) a business, it is of course tempting to focus on the product or service being offered. But the truth is that you overlook cyber security at your peril. Those organisations that work online and store data (which is pretty much all modern businesses, Fintech or otherwise) need to ensure that their cyber strategy is keeping them abreast of the equally rapid changes in malicious practices. It is not sufficient to have a plan in place if that plan is not regularly tested and updated. Those who are starting up new businesses need to ensure that they start off with the right security framework upon which to build or risk watching it all come tumbling down if a breach occurs and is mishandled.
Ensuring that cyber security is on every board agenda is a good first step. Whether monitoring the efficacy of a plan or developing a new one, consider engaging external professional input which will bring a wider level of expertise than is found within most organisations. In addition, by scoping projects accurately, it is possible to reduce costs by only using services and products which are actually needed. Here are some further aspects to consider:
- Penetration testing
Every security strategy should include regular penetration testing. Automated tests will identify vulnerabilities but may provide false reassurance. Unless those vulnerabilities are explored and exploited through rigorous penetration testing, it will not be possible to take appropriate steps to mitigate exposure.
- Disaster recovery and business continuity
Although a properly scoped and managed security plan can provide a high degree of protection, given the value of the data and transactions, attacks are virtually inevitable. Planning for the best while preparing for the worst is therefore a good maxim to live by. Real business resilience is only achieved if there is a process for identifying, containing and mitigating the effects of a breach.
- Retained forensics support
If a serious breach occurs then, in most cases, a retained forensics team will be brought in to investigate. If, however, a retained forensics consultant is already engaged and is familiar with a business system, they will be able to use their skill and expertise to provide pragmatic, strategic support at the highest level, reducing the level of risk in a period of comparative calm, before a crisis occurs. In the event of a breach, the retained forensics specialist will then be able to direct and manage the process of dealing with an incident, limiting the damage and returning the organisation to business as usual in the shortest possible timeframe.
- ISO 27001 framework
One of the most effective strategies is to use a recognised framework to embed security into an organisation’s digital estate. The internationally recognised ISO 27001 standard provides such a framework. With the support of a qualified ISO 27001 consultant it is possible to implement a step-by-step plan for processes and procedures that improve risk posture and reduce the likelihood of a breach. Having ISO 27001 also provides customers, third parties and business partners with the reassurance that high standards are being maintained.
- Virtual CISO service
The role of Chief Information Security Officer (CISO) is one of the most challenging, both to recruit and retain. In many instances it makes better sense to engage a professional CISO service to manage the security function of a business. A Virtual CISO service can cost around a third of a retained member of staff while delivering a superior level of expertise and service. Directed and executed by real industry experts, this service can provide additional support and resource, ensuring that the incumbent officer receives strategic professional guidance in a rapidly changing cyber environment.
There is no reward without risk
The Fintech revolution is well underway and, along with all other digital and technological advancements, will continue into the future. The threat of increased cyber attacks will not stop new entrants from joining the market – and nor should it. Yet, it is crucial that businesses do all they can to avoid compromise, both for their own survival and to ensure the safety of their customer data. Built on strong information security foundations, the future remains bright for the Fintech sector.