It’s not just the “giants” that face cyber-crime. Everyone is familiar with the recent hacks into J.P. Morgan, Target, the US IRS, and Defense Departments. What is not so publicized, is the smaller organizations that get hacked on a regular basis – medical practices, small retailers, and even local and regional FinTech companies
Criminals are looking for anything from bank card numbers, to customer personal information data, and even – in the case of JP Morgan – emails.
Startups are particularly vulnerable, because security measures may not yet be “fully baked” when companies open their doors for business.
Yet, this should never be the case with a FinTech startup – the consequences of falling victim to cybercrime include total loss of trust on the part of customers/consumers, loss of business to the point of failure, and legal and financial consequences from which it will never recover. The highest level of FinTech cybersecurity must be in place before the doors open.
While FinTech founders are savvy in many financial sectors, most do not have the expertise in how to build a perfectly secure FinTech application. This post should offer you the essential insights and common vulnerabilities to account for.
The Common FinTech Security Issues
Ensuring cybersecurity in FinTech requires the use of the latest technologies and the highest level of expertise that can be found. For the protection of customers' personal and financial information to secure payment systems, the system must be protected from outside threats, as well as those networking challenges within the organization. There are solutions, but they involve a solid plan and a willingness to invest the time and money to do it right.
Here are seven of the most common cyber security mistakes FinTech startups make – and they all can be avoided.
1. Not Managing Digital Identifies Carefully Enough
FinTech companies want to provide an omnichannel user experience while offering a variety of services. At the same time, consumers are increasingly using mobile devices to access those services.
Establishing authentication measures are critical. These can be put in place through the ever-increasing use of biometrics (e.g., fingerprints), one-time passwords, and code-generating apps, such as Google Authenticator, can bypass all of the conventional methods (passwords, PINs, security questions, etc.) and provide that added layer of protection.
One of the upcoming trends in Fintech security is the use of AI to analyze risk-based authentication by analyzing user behaviors.
2. Not Managing Security in Transmissions with Partners
One of the top challenges in health records management has been in the storage and transmission of patient records among providers. This challenge exists on a scale just as large for FinTech data security as well. The answer? Encryption.
Every piece of data in a system should be encrypted, both as it is transmitted in-house or between company and customers, and company and partners. While startup founders worry that encryption may slow down their apps, in fact, it can be run on a dedicated server.
While encryption is a relatively easy technology, it requires expertise in setup, and especially in the protocols for how the access to keys will be granted.
3. Non-Secure Payments
FinTech involves banking, insurance, lending, and more. In the course of being a user, payments will be made. And, of course, the payer wants an easy and convenient method to make payments. He also wants security measures in place so that he is not left vulnerable to hackers who get into systems. The challenge for FinTech is to find the best merger of security and convenience. Tips for secure payment processing are found in the first three vulnerabilities already discussed.
The problem often comes when a FinTech app scales and new layers of architecture are added. There is always vulnerability when this happens, so using the same developers over time may be the safest solution here. The expertise and the technologies are out there, and the wise FinTech founder will spend the money to get the best.
4. Use of the Public Cloud
This should go without saying, but it bears repeating. Here’s the thing about the public cloud: your data can be at risk, especially if you use a cheaper, less-known company. Even with the larger companies, you are still open to attack, and you also risk getting locked out of your data.
For top results, FinTech companies should develop a private cloud server for data storage.
5. Not Educating the Workforce
There is an old military saying – “Loose lips sink ships.” The same is true in cybersecurity, only it has to do with “loose fingers.” There should be a common security training manual, and all employees must be required to complete that training and demonstrate mastery before they have access to any data.
A part of employee training must also relate to how to address the most common security issues, along with detecting and reporting any potential security issues. Cybercriminals love to get into systems through employees email and social media accounts.
6. Not Monitoring and Conducting Regular Audits
There must be a plan in place for both continued monitoring and vigilance so that all systems are watched for threats. And there should be one individual in charge of receiving information on all potential issues from everyone and everywhere. That may be an in-house security executive, or, in the case of small FinTech operations, a contracted expert, preferably from the development team that created the app itself. Those with intimate knowledge of architecture are best able to fix it if bugs or gaps are discovered.
Audits should not just occur for the FinTech system; they should occur with any technology partners as well. Who is managing their security and what is the level of expertise? Do they monitor and audit themselves too? There is a huge vulnerability in the transmission of data if the interfaces between systems are not wholly secure.
7. Not Staying Abreast of Latest Security News
The tech bubble is far from bursting. New technology hits the horizons continually. And hackers, too, are continually developing new technology to commit their intrusions and thefts.
It is critical that the individual in charge of a FinTech security stays abreast of all new developments in industry security, breaches that have occurred, gaps that have been found in the security of others’ systems, and the latest technology that criminals have developed to successfully hack into databases and payment systems. These hacks will not always be within the FinTech industry itself – they may occur in healthcare, or in any e-commerce enterprise that stores personal and financial data of consumers.
In short, a FinTech security executive, whether in-house or contracted must remain an expert on any type of cybercrime that is afoot.
The Core Truth
The growth of Fintech will not slow. From 560 venture funding deals in 2013, through well over a thousand by the end of 2017, there will be a steady flow of new entrants in the industry. Without a doubt, many of them will make cybersecurity a top priority and put into place the most robust solutions. It is also quite realistic to understand that some new enterprises will not be as robust.
The best advice for anyone entering this industry is to take a breath and not make getting to launch quickly the top priority. Any founder must take the time to get the security in place and to test, test, test – before and during. There is a reason for the huge growth in cybersecurity consulting firms today. Any FinTech founder without the expertise can find it and should use it.