Verizon’s analysis of more than 32,000 security incidents and 3,950 breaches has revealed the financial sector ranks fourth among all sectors in security incidents (1,509 incidents), and seventh in data breaches (448 breaches).
In addition, these financial organizations suffer the third highest average cost per breach at $5.85 million, which is nearly $2 million more than the global average for all industries, according to Ponemon and IBM 2020 Cost of a Data Breach Report.
Fintech Security Challenges
The financial sector has always been a target due to the types of data it collects about its customers. This year, the sector is the favorite playground of financially motivated bad actors, just as it was in 2019. According to Verizon, web application attacks compete with the miscellaneous error pattern for the top cause of most breaches, making employees’ mistakes account for roughly the same number of breaches as external parties.
“Pressure on DevOps teams to produce results quickly might lead to security not getting the attention it deserves,” said Juta Gurinaviciute, chief technology officer at NordVPN Teams. “Leveraging cybersecurity to gain an edge over competitors leaves fintech organizations and their customers open to cyberrisks. But risks can originate from more traditional routes — like phishing emails — and it only takes one person losing concentration to expose the organization to ransomware, data theft, or more.”
Hackers could target investment apps, online financial data processing systems, and cryptocurrencies, along with providing paid access to banks’ infrastructures and developing new strains of mobile banking malware based on leaked source codes.
“The most common threats fintech companies face are phishing attacks and data breaches, as well as cloud and application security breaches,” Gurinaviciute said.
According to a new report by the World Bank and the Cambridge Centre for Alternative Finance (CCAF), almost four in every five regulators count cyberthreats among the top three risks that have increased during the pandemic. The same report reveals that, over the course of the pandemic, fintech providers have seen a 15% increase in cybersecurity threats. However, only 29% of them say they have taken any action so far, as more needs to be done to consolidate frameworks and update the policy in this area.
With the COVID-19 crisis accelerating the need to become digital-first, financial services firms have been impacted in two fundamental ways. From a network perspective, organizations have had to act quickly to solve issues associated with network redirection caused by the increase in remote working. At the same time, they have also been tested to mitigate elevated threats, such as credential stuffing, account hacking, and fraudulent emails.
“No industry is immune to cyberthreats, but, for financial services organizations, the risk has always been significantly higher,” Gurinaviciute said. “Fintech companies are perfectly aware that they’re prime targets for cyberattacks and are usually more secure than digital services in other industries. However, the very nature of fintech companies involves them holding massive amounts of highly sensitive data. Therefore, even the smallest risk, if not taken seriously, could have devastating consequences.”
The fact that many fintech companies are relatively unsophisticated in protecting their data is both good and bad news. The bad news, is this means financial and customer information is often not secure. The good news, is there are some basic measures fintech companies can implement to prevent future data breaches.
1. Improve cloud security. Adding a cloud data loss prevention (DLP) service can dramatically reduce the risk of data exfiltration, which is the risk of data ending up somewhere it doesn’t belong.
2. Encrypt sensitive data. This safeguards both the end user and corporate environment, ensuring that no one is able to decipher sensitive data traffic.
3. Secure authentication. Secure and precise identification and authentication is vital for fintech software. Role-based access control, password expiration, shorter session lifetimes, and tracking of failed sign-in attempts could help mitigate some of the risks.
4. Multifactor authentication. Multifactor authentication (MFA) across the ecosystem can prevent hackers from moving across the network and gaining additional controls. In more sensitive areas, physical MFA devices and/or biometric authentication is also vital.
5. Security education. Last but not least, although fintech firms are digital natives, one should not assume they do not need digital security training. Security education sets the team for success and should be the backbone of any security strategy.
It’s important for fintech companies to participate in developing risk assessments and frameworks for improving cybersecurity. Industry groups such as the Center for Internet Security can offer assistance and resources to growing fintech companies. Mastercard works with other financial companies through the Financial Services Information Sharing and Analysis Center (FSISAC). And the World Economic Forum’s FinTech Cybersecurity Consortium continues to provide research findings for this sector.