Published February 17, 2021
WRITTEN BY MICHAEL SOLOMON
Michael G. Solomon, PhD, CISSP, PMP, CISM, PenTest+, is a security, privacy, blockchain, and data science author, consultant, educator and speaker who specializes in leading organizations toward achieving and maintaining compliant and secure IT environments.
The year 2020 will go down in history as being a year of uncomfortable changes. Just about everyone was forced to approach aspects of personal and professional life differently, from buying groceries to conducting business to maintaining safe interactions with others.
Fortunately, existing technology and service offerings allowed us to make adjustments and work through the changes. Zoom went from being a useful way of meeting virtually to a staple of business, education and social interactions.
Likewise, the financial technology industry, often called fintech, expanded products and services to make contactless financial exchanges safer and more accessible. But as fintech’s popularity grew in 2020, so did its attack surface.
Fintech is the industry that provides individuals and businesses with the technology to carry out financial transactions. If you’ve ever sent someone a payment using Venmo, accepted a payment card using your smartphone, or applied for a loan online, you’ve consumed fintech services. In short, fintech’s goal is to leverage technology to compete with, or even replace, traditional financial services by making them cheaper, easier and more accessible.
Smart devices and nearly universal internet access make the process of carrying out financial transactions in a socially distanced environment easy. But to keep fintech’s growth on track, cybersecurity has to stay ahead of the attackers. Fintech companies can’t afford to lose their customers’ trust.
Let’s look at the most important cybersecurity trends in fintech that are needed to keep that trust.
Technology reliance creates risk
Any transition to a greater reliance on technology introduces risk. Additional devices and software can provide opportunities for attackers to find and leverage weaknesses.
The COVID-19 pandemic underscored the importance of touchless and socially distanced interactions. One of the most common pre-COVID-19 close-proximity interactions was paying for products and services. Although touchless and remote payment options were available prior to 2020, the pandemic made touchless payments a welcome feature. The number of suppliers and consumers who used touchless payments for the first time skyrocketed in 2020.
Any industry-wide growth naturally attracts cybercriminals to prey on a new group of potential victims. According to a recent Fintech News article, attacks are up across the industry, including a 600% increase in phishing attempts and a 630% increase in cloud-based attacks. One reason for such large jumps is the increased use of personal devices to engage in financial transactions. Personal devices often aren’t managed to be as secure as many legacy devices owned by service providers.
In addition to facing increased attack frequency and severity, many fintech companies are still in the process of digital transformation. While startups may begin their commercial lives with new infrastructure and software, most fintech companies still rely on some legacy devices and software. Each type, or layer, of software, devices and infrastructure introduces the potential for security vulnerabilities.
While it is possible to upgrade hardware devices with the latest models, software poses a bigger challenge. Even startups go through a software development process that results in code written using outdated standards or best practices. It isn’t possible to write perfect code in one pass, so virtually every software application contains older legacy code that is often referred to as technical debt. Organizations must deal with technical debt by identifying and updating legacy software without interrupting ongoing operations or security. Paying off technical debt is time-consuming and risky, so 2021 is likely a good year to revisit applications after a hectic 2020 and pay off the technical debt that is most accessible.
As fintech expands interoperability with features to make financial transfers as transparent and safe as possible, it relies on more players. Transactions of all magnitudes depend on a growing number of actors to handle simple aspects of secure transactions. It is common for different service providers to handle identification, authentication, authorization, communication, logic, data transfer, validation, verification, auditing and reporting. (And that list isn’t exhaustive.) Any service provider along the way is a potential weak link in the supply chain.
While not directly related to fintech, the recent SolarWinds hack was a supply chain attack. The attackers added some of their own code during the software build process, which gave them backdoor access at any site that installed the affected devices.
The moral of the SolarWinds story is that you can’t just be secure yourself; you have to ensure that your supply chain and other business partners are secure as well.
Cybersecurity can reduce risk
Growth doesn’t only benefit cybercriminals. Increased volumes of financial transactions and supporting data help cybersecurity personnel stay ahead of the cybercriminals.
Advances over the past 10 years in machine learning and artificial intelligence are now being applied to vast amounts of data, often just called big data, to protect suppliers and consumers. Algorithms are getting better all the time at detecting anomalies and flagging suspected behavior. These algorithms help by scanning huge amounts of data to detect fraud or trends that could help provide better customer service.
In addition to detecting problems, AI and machine learning can predict potential behavior that could give fintech companies the ability to place security controls to prevent attacks or misuse. And in the case of a successful attack, automation can help identify the damage and recover faster than manual procedures.
As cybersecurity takes a larger role in fintech’s health, many organizations are pushing it “to the left” in the development process. Instead of merely adding security to the finished software product, organizations in all markets are finding that integrating cybersecurity into the development and post-deployment operations process results in fewer vulnerabilities.
One popular approach to expanding software development to include security and operations is DevSecOps. DevSecOps helps to remove information silos, improve communication, and generally support more eyes on the development process. Many DevSecOps shops find that their efforts produce better software with fewer defects at a lower overall cost.
One of the more important trends in cybersecurity is its integration with continuity planning. Last year’s uptick in cyberattacks on fintech, along with the multi-year increase in ransomware attacks, has shown that successful attacks can interrupt normal business operation. Interruptions are annoying at the very least and can threaten a business’s existence if they aren’t resolved quickly.
Continuity depends on availability, which is a core tenet of security. Cybersecurity is a natural component of continuity, and a growing number of fintech businesses are formally recognizing that fact with leadership and process realignments.
Bringing cybersecurity into the boardroom
Not all of the leadership realignment with respect to cybersecurity is at the operational level. Executive leadership also has recognized the strategic value of cybersecurity. A lack of cybersecurity due diligence can be the primary reason for business failure. In addition to potential financial loss, a successful cybersecurity attack can also result in a damaging loss of customer confidence, and even hefty fines from regulatory violations.
Consequently, boards are increasingly expanding to include cybersecurity roles. Two popular examples are the chief information security officer (CISO) and the chief security officer (CSO). These two roles differ in their scope. The CISO primarily focuses on information security and the supporting infrastructure, while the CSO likely also holds responsibility for operational security. In either case, the presence of these roles shows how cybersecurity is now a primary strategic concern.
The CISO/CSO provides guidance to the executive leadership team to help navigate the increasingly complex security landscape. Technology is becoming more complex, diverse and capable, but at the same time, attackers have become more sophisticated and brazen, which leads to more regulations, laws and standards. The CISO/CSO guides their organization in achieving and maintaining compliance with requirements and keeping the overall organization secure.
In the past, cybersecurity was perceived as a firewall to stop attacks. The discipline has grown to be far more than a tactical response. Now strategists can employ sophisticated methods to not only identify existing vulnerabilities, but also examine “what if” scenarios before increasing risk.
This ability allows executive leadership to consider cyberthreats separately from cyber risks. A cyberthreat is an existing threat that should be addressed through mitigation. A cyber risk is a potential threat that may be the result of implementing a strategic initiative. Separating these two gives executive leadership the ability to incorporate risk management that includes cybersecurity at the highest levels.
None of the current cybersecurity trends in fintech are new, but after 2020, we recognize these focal areas as some of the most promising developments in the industry.