The financial sector is one of the favorite targets of cyber criminals. Examples of security breaches in the financial world are a dime a dozen. The latest one was the 81 million USD online robbery at Bank of Bangladesh, which was carried out by breaching the bank's cyber security. On average, each security incident is estimated to cost the financial sector around 1.8 million USD. The FBI and most cyber security experts warn large companies that they should not be asking themselves “if” they will be hacked, but rather “when they will be.” In such situations, a successful attack early in the life of a firm can cripple it forever. It is imperative that startups, especially those in the financial sector, understand the threats and protect themselves against cyber attacks.
What are the key threats?
Loss of Customer Data – Loss of a customer’s financial information has a direct and immediate impact on the customer’s finances. Information lost through the theft of a credit card can be used to make purchases and leave the victim to pay the bill. Loss of personally identifiable information allows the hacker to impersonate the victim and make large transactions in the victim's name. In a worse case, the hacker might procure illegal material and leave the victim entangled with the law. Hackers may even use the money obtained from such stolen cards to fund terrorist operations in other parts of the world. The implications of the loss of data in such situations could pit the firm against the government.
Loss of Reputation – In the world of finance, reputation is everything. Customers never go to a bank or another financial service provider that cannot guard the money it is entrusted with. The same is true for Fintech companies. If a Fintech firm cannot protect customers’ data, it is highly doubtful that clients will approach it with their business. In fact, one of the reasons for a cyber attack on a financial services company is to destroy its reputation and take away its business.
Key measures to defend against cyber attacks
Appoint a Security In-Charge – Having a single person, such as a CIO or CISO, hold the overall responsibility for cyber security helps in establishing a much-required focus on the safety of the infrastructure. Based on the size of the organization, it could be a part-time or a full-time role. This person can drive the efforts to establish a culture of security in the enterprise. This person will be responsible for taking security to the boardroom and ensuring that it gets adequate attention and resources. The CISO must also be proactive in looking out for new sources of cyber threat to the organization and taking appropriate measures to combat them.
Review Architecture and Code – Often the technology architecture is designed with a focus on functionality and speed of transactions. While safe coding practices are getting their due attention, safe architectural practices are still neglected. This is especially dangerous for Fintech companies. A gaping security hole in the architecture is tough to plug once the product is fully built. Security requirements should be defined along with the product features at the conceptualization stage itself, so that they can be incorporated in the solution architecture. Getting independent reviews of the design is a must to ensure security requirements are not overlooked in the zeal to provide more features. On the coding front, code reviews should be done frequently, either before or immediately after the release, to identify security gaps. Organizations must instill a culture of following best coding practices.
Use Encryption – When it comes to cyber security, companies have two choices: defend the fort or devalue the data. Devaluing data means it is of no use to the thief, even if it is stolen. Encryption plays an important role here. Encrypted data is useless without the encryption key; hence all data, whether in transit or at rest, should be encrypted. Every record in the database should be encrypted so that even if a thief gets hold of encrypted credit card information, it cannot be misused. It is true that encryption may affect the speed of the product a little, but the benefits of encryption are too large to ignore. Besides, a good architecture can ensure that product speed does not drop with encryption in place.
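The "devalue the data" idea above, shown as an added example (not code from the original article): one card-number field is encrypted with AES-256-GCM using Node.js's built-in crypto module, so a stolen database row is useless without the key. The key handling, record ids and function names are assumptions made for illustration.

```javascript
// Added example: field-level encryption of a card record with AES-256-GCM.
const crypto = require('node:crypto');

// Assumption: in production the key comes from a KMS or HSM and never sits
// on the database host. It is generated here only so the example runs offline.
const dataKey = crypto.randomBytes(32);

// Encrypt one field. The record id is bound as associated data, so a
// ciphertext copied into another customer's row fails authentication.
function encryptField(key, recordId, plaintext) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(recordId, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Stored form: nonce || auth tag || ciphertext, base64 encoded.
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Decrypt one field; returns null when the key, record id or data is wrong.
function decryptField(key, recordId, stored) {
  const raw = Buffer.from(stored, 'base64');
  if (raw.length < 28) return null; // too short to hold nonce + tag
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  decipher.setAAD(Buffer.from(recordId, 'utf8'));
  try {
    const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    return pt.toString('utf8');
  } catch (err) {
    return null; // authentication failed: wrong key, wrong row or tampering
  }
}

// Constructed sample row; 4111111111111111 is a well-known test card number.
const row = { id: 'cust-1001', pan: encryptField(dataKey, 'cust-1001', '4111111111111111') };

// What someone holding only the database dump (no key) gets from the row.
function thiefView(stolenRow) {
  return decryptField(crypto.randomBytes(32), stolenRow.id, stolenRow.pan);
}

console.log(decryptField(dataKey, row.id, row.pan));      // owner with the key
console.log(thiefView(row));                              // dump without the key
console.log(decryptField(dataKey, 'cust-2002', row.pan)); // row swapped to another id
```

The protection holds only while the key is stored and access-controlled separately from the encrypted records; a key kept in the same database or backup is stolen along with the data.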
Security Assessments – Like people, many organizations have a blind spot, something that they cannot see within themselves. Many times, despite the best of intentions, companies are unable to see security holes in their infrastructure. Getting an independent security assessment helps in identifying those spots. Getting a white-hat hacker to try to break through the security cover will test the security systems for protection against real hackers. In the world of cyber threats, hackers are evolving and devising new methods of attack. White-hat hackers use these methods to crack the security system, but with the benevolent intention of identifying the gaps.
Monitor Risks – Organizations should have a framework to monitor risks from various avenues. Often organizations overlook internal risks. Hackers are experts and may fool even the savviest employee into giving them access to the network or data. Internal security audits are required to ensure there are no loose ends and employees are following secure practices. It is easier to review and instill security in employees when the organization is small and young. Once the organization gets in the habit of following secure practices, it becomes a core value of the growing organization.
FinTech companies are at high risk of cyber attacks. They carry sensitive customer data that needs to be protected but don’t have enough resources to implement expensive security solutions. However, they can overcome this by following best practices and deploying the right tools, such as Seqrite Terminator and Seqrite End Point Protection solutions, which will secure their network and data against all cyber threats.