Global Fintech companies are those institutions that offer technology to support the banking and personal finance industry. These financial institutions are increasingly at risk of cyberattack from hackers. Healthcare systems is the most attacked sector demanding confidential patient data and information because it is usually outdated. On the other hand, fintech is the second most frequently attacked industry according to Alissa Abdullah (source), senior vice president of cybersecurity technology at Mastercard. Latest Fintech News found that 27% of attacks target commercial banks or healthcare.
For a long time now, the banking sector has always been an attractive target for cyber criminals. However, fintech companies that digitize and store consumer data, in addition to financial transactional information, are an even better bet for bad actors. We have curled out some methods hackers use for targeting fintech companies. Attached to it are precautionary measures your fintech company can do to better protect itself and its customers.
Let me ask; Why is Fintech Under Attack?
The reason is simple; Fintech companies enable businesses and its customers to transfer money to complete a transaction. Additionally, they help people manage investments, and access lending and personal financial resources digitally, especially through mobile (app) devices. With that, fintech companies are the perfect target for hackers to perpetuate fraud.
When researching this topic, we found this statement: “FinTech firms are digital natives, born and managed in the cloud. They thrive specifically on agile development, innovation and time-to-market in what is a highly competitive sector numbering in the region of one thosand, six hundred (1,600) companies today,” explains one expert from Nominet cyber. “Unfortunately, this means security is sometimes side-lined.” the source said.
Online sources predicts that the fintech market is expected to grow to $309.98 billion by 2022. The forecast goes ahead to say that it already accounted for nearly half of all venture capital investments in the year 2018. Online and Digital payments and personal finance make up the majority of the fintech market. This is exactly where hackers are typically focusing their attacks.
Fintech companies regularly face threats in the form of the following methods:
- Malware
- Phishing attacks
- Data breaches
- Cloud security
- Application security
As can be seen online, a research completed by ImmuniWeb found that about 98% of the top 100 global fintech startups are vulnerable to major cyberattacks.
A Case study: it is o recored that since 2018, a group called Evilnum has been targeting financial technology companies with an evolving arsenal of malware and phishing. “Evilnum surfaced on the radar of security companies in early 2018 when it started targeting FinTech companies in European countries. They came up with spear-phishing emails that try to pass malicious files as scans of banking credit cards, ID cards, drivers licenses, utility bills.
They also sent malware via mail to enable them access other identity verification documents required by know-your-customer (KYC) regulations in the financial sector,” reported CSO Online. “The emails they sent included links to ZIP archives hosted on Google Drive. The files contains specially crafted Windows shortcut files (LNK) appearing as JPG images. All the LNK files had malicious/deceiving JavaScript code attached to them which that is not known to the receiver. If the email owner click on the image, it will start an infection chain resulting in the deployment of a JavaScript-based Trojan.”
Due to the size of the fintech market, plus the fact that these companies handle sensitive consumer data & information, make it a very attractive target to groups like Evilnum. That brings us to the question; what can a fintech company do to improve cybersecurity?
What can Fintech do to Increase Data Protection?
The fact that many fintech companies are relatively unsophisticated in protecting their data is both good and bad news. Bad news, because it means financial and customer information is insecure. Good news, because it means that there are some basic measures a fintech company can implement to prevent future data breaches.
A study was done by Accenture, and they found out that few financial companies have invested in their cybersecurity: “only one-third of companies are deploying technologies such as machine learning or Artificial Intelligence (AI). On the other hand, only about 24% said they were using cyber analytics and user behaviour analysis to their advantage. The latter figure had actually decreased from 31% last year.”
As investments increases, cybersecurity promises to have a big impact in the fintech and financial sector. As luck would have it, there seem to be some clear areas where it’s possible to reduce a fintech business’s attack vulnerabilities. We have explained some precautionary measures these Fintech companies can take to prevent attack.
1. Improve Cloud Security
It is known that financial services industry uses cloud services at several different points in their business operations. Viz; Digital wallets, Payment gateways and mobile apps and so on, all utilize the cloud to provide security, speed, and scalability to businesses and customers.
The addition of a cloud data loss prevention (DLP) service can dramatically reduce the risk of data exfiltration. That is; the risk of your information and data ending up in the wrong hands where it doesn’t belong. It should be known that a cloud DLP solution, specifically discovers, classifies, and protects personally identifiable information (PII) and other unique identifiers, secrets and credentials. These automated solution quickly alerts security teams when content that contains sensitive tokens has been viewed, accessed or shared in an in-appropriate setting. Furthermore, it gives a red flag when it is modified by an unauthorised user.
2. Increase Sector-Wide Collaboration
For sometimes now, the World Economic Forum (WEF) has been tackling the issue of cybersecurity in fintech through a number of initiatives. All things considered, one important setback the WEF has acknowledged is the lack of industry-wide collaboration.
“Established financial services providers have a number of frameworks, standards and industry-driven initiatives readily available. they are used to test the security of FinTechs and other third parties. Moreover, the volume of industry initiatives – driven by the pace of technological change and the multiplication of regulations – is now creating ‘a lot of noise’. Generally speaking, this makes it difficult for FinTechs to direct their resources in a way that allows for security while also facilitating commercial partnerships,” reports the World Economic Forum (WEF).
In the light of this, it’s important for fintech companies to participate in developing risk assessments and frameworks for improving cybersecurity. Keep in mind that some Industry groups like the Center for Internet Security can offer assistance and resources to growing fintech companies. The popular MasterCard works with other financial companies through the FSISAC (Financial Services Information Sharing and Analysis Center). By the same token, the World Economic Forum’s FinTech Cybersecurity Consortium continues to provide research findings for this sector.
3. Educate Your Tech Team
It wont be fair if we say “FinTech firms are not staffed by very bright, smart and tech-savvy employees, but it takes just one mistake and/or loss of concentration of a team member to potentially expose the entire organisation to data theft, ransomware, or even more”.
Computer Hacking groups like Evilnum count on user error to make their attacks successful to steal. But unfortunately, user error is often the best-case scenario the have. As can be seen above, Accenture’s research shows that the “human factor” plays a huge role in the cybersecurity of the banking industry. “3 over 4 of the banking companies our team surveyed had experienced people-related incidents such as phishing and social engineering. (This is just behind malware and web-based attacks, the top answers), with an average cost of $118,000 to resolve. As a matter of fact, about 40% had experienced a malicious insider event, with an average cost of $116,000 dollars.”
In conclusion, a good failsafe is leverage a cloud-native DLP platform to set custom actions to prevent staffs from the un-authorized sharing of info & data. Make it mandatory to delete messages that contain API keys and other credentials like credit card numbers, or other sensitive customer information. Make sure you hire a security company that has a cloud-native DLP platform that discovers, classifies, and protects data via machine learning. Leave your comments and contributions below.