The following is a guest post by Jack Warner, a cybersecurity expert with TechWarn.
According to a recent ImmuniWeb study, 98 percent of the world’s top 100 fintech startups are vulnerable to cyberattacks. And it’s not surprising that fintech is an attractive target for threat actors.
The rapid growth of financial technology combined with lagging regulations means there’s much more data to analyze and too few rules to govern how data is protected. These same factors make the sector susceptible to breaches and vulnerabilities, particularly in the wave of COVID-19-inspired cybercrime.
Financial institutions are increasingly adopting fintech solutions to handle the digital wave that’s happening all over the world. This swift tech transformation comes hand in hand with emerging cybersecurity risks, alongside a few old “favorites.”
With that in mind, it’s imperative that fintech enterprises take appropriate measures to secure data and systems as well as possible. Here, we take a look at the most pressing cyber risks facing fintech and why cyber resilience, and not just cybersecurity, is critical.
The cyber risks fintech companies face
While not comprehensive, the attack types and recognized vulnerabilities below are among the most concerning in the financial technology sector. Let’s begin with one of the most common attacks, malware.
Malware
Malware is a portmanteau term that combines malicious and software, and it designates any program that is explicitly designed to cause harm, be it to devices, data, or individual users. Within fintech, hackers may design malware to breach a company’s system and collect sensitive or critical information.
The Gustuff banking trojan, for example, emerged in the first half of 2019 and has since targeted not only numerous traditional institutions but also newer players, such as PayPal and Revolut.
Data breaches
Because many fintech platforms allow customers to store payment data such as card details and password credentials for convenience’s sake, these platforms are inherently vulnerable, and an attractive target. Even a small breach could lead to sensitive financial user details being compromised.
If third-party providers are involved, the risks are heightened, which is exactly how the 2020 Dave breach occurred.
Cloud environment vulnerabilities
Fintech providers often lead the pack when it comes to incorporating cloud-based computing into their information management systems. It’s something the industry can pride itself on and something other sectors lack. However, strong cloud security measures matter. If the cloud environment is vulnerable, so too is the company’s data.
Why cyber resilience is important for fintech companies
Firstly, it’s helpful to consider the differences and similarities between cybersecurity and cyber resilience, and how these two are intimately linked.
Cybersecurity versus cyber resilience
Cybersecurity refers to a set of defensive tools, strategies, standards, and protocols, all of which are designed to keep threats out of a fintech enterprise’s systems. In this sense, cybersecurity is purely a defense strategy.
Cyber resilience, on the other hand, encompasses cybersecurity’s aim to defend against threats, but takes things a few steps further. Cyber resilience can be defined as an entity’s ability to prepare for, respond to, and recover from a cyber attack.
It incorporates cybersecurity in the preparedness phase but also integrates solid business strategies to ensure an organization stays afloat after an attack occurs. After all, an attack doesn’t end after the fact; rather, the effects are long-lasting, expensive, and highly damaging to a company’s reputation.
In fintech, losing customer confidence is much more damaging than in other industries as we are dealing with financial information. To that end, having a solid cyber resilience plan in place is essential. That plan should cover all the bases, from getting prepared to financially recovering and mitigating reputational losses — the more detailed and in-depth, the better.
Creating cyber resilience
A fintech company’s cyber resilience plan may be more or less detailed depending on the size of the organization, any third-party links, the number of platforms available to clients, and other such factors. However, some basics should be standard across all companies:
- Create a culture of cybersecurity — All staff should be aware that cybersecurity is everyone’s job, not just the IT department’s domain. Good digital hygiene and exacting standards make a lot of difference. Starting from the ground up means the company’s culture accepts cybersecurity as integral. Staff training and regular updates to standards and procedures help here.
- Use a full suite of cybersecurity tools — Of course, logging out of accounts and avoiding suspicious links can only get an entity so far. Proper cyber resilience covers preparedness, and that’s where security software like VPNs and email scanners comes in. One of the functions of VPNs is encrypting data transmissions, while email scanners detect threats and can make a big difference to a company’s defenses.
- Ask what happens when an attack occurs — Understand that an attack is more likely a matter of when and not if. How will the company deal with the immediate fallout, who does it need to inform and when, and how can the threat be removed as swiftly as possible?
- Staying afloat — Fintech companies should have plans in place for retaining clients, getting back on their feet after an attack, and continuing to be financially viable. This part of a resilience plan can include all sorts of factors, such as post-attack PR and ways to pay off any regulatory fines.
There’s no doubt about it: cybersecurity risks and threats are increasing both in number and sophistication. Attacks can and will occur, so having a proper cyber resilience strategy in place is critical, especially in an industry where clients entrust us with their most sensitive information.
Jack Warner is an accomplished cybersecurity expert with years of experience under his belt at TechWarn, a trusted digital agency to world-class cybersecurity companies. A passionate digital safety advocate himself, Warner frequently contributes to tech blogs and digital media sharing expert insights on cybersecurity and privacy tools.
Photo by Miguel Á. Padriñán from Pexels