Robust security needs to come in lockstep with innovation
Brexit continues to leave the UK in a shroud of uncertainty, but this hasn’t hampered its reputation as Europe’s hub of financial digital innovation, writes Jesper Frederiksen, VP and GM EMEA, Okta. London remains the only financial centre in Europe, and is placed second globally, behind only New York, in a list of the world’s highest-rated financial hubs by commercial think-tank Z/Yen Group.
This has fostered exciting innovation within the challenger bank startup community while forcing traditional high-street banks to play catch up with digital transformation. With the variety of options available to customers, banks must constantly innovate and update their product lines. This can be seen by the influx of mobile banking apps, peer-to-peer lending and online banking.
And this is only the beginning. As technologies such as AI and crypto-currencies begin to trickle into our financial systems, fintechs will be striving to be first to offer the latest technology to their customers. But organisations must prioritise security and invest accordingly. Now that GDPR is here, security is more important than ever.
Adoption of the Cloud
While cloud computing has been around since the 2000s, the banking sector has been predictably cautious about its adoption due to the highly sensitive nature of financial data. But advances within cloud technology have led it to be more secure than on-premises solutions. In the modern era, the cloud is crucial as it supports the rapid, continuous development of application-based services, enabling firms to react quickly to market demand with innovative new offerings. Its scalability and elasticity support a more agile business and empower fintech firms to be more efficient.
With the sheer volume of data financial organisations create, the cloud has become a valuable asset in managing it effectively. From a regulatory perspective, this has become even more crucial in the age of GDPR. The ‘right to be forgotten’, increased controls and the enforcement of severe financial penalties for any mishandling of data have encouraged a rethink of data ownership. Businesses have to be more cautious on the issues of consent and provide more stringent enforcement of checks and balances across the stack. The traditional server infrastructure in banking is often cumbersome, making it far more difficult to access customer data. But by using the cloud, banks can quickly pinpoint customer data, and locate, address and report any data breaches quickly and effectively. This is critical in the GDPR world, as companies are required to report breaches to authorities within 72 hours.
All businesses, not just financial ones, need to adapt. Serious breaches will now cost companies up to 4 percent of worldwide annual turnover. For example, the UK Information Commissioner’s Office announced in July that it intended to fine British Airways £187m after it admitted that more than half a million customers’ data had been stolen by hackers. If a financial organisation faced the same issue, the reputational and financial repercussions may be even more damaging.
Security in the Age of Open Banking
In the pursuit of technology innovation in the fintech sector, security should not be overlooked. APIs have facilitated the shift to open banking by removing barriers between apps and systems, enabling seamless interaction between these different platforms. APIs have enabled the fintech sector to develop cutting-edge banking solutions, safe in the knowledge that new applications will be able to function harmoniously with financial data.
However, vulnerabilities can arise when various applications or platforms are connected through APIs. These open connections can give hackers the opportunity to attack API services with stolen or invalid credentials, posing a significant security risk to organisations.
To combat this, APIs can be better secured by integrating and evaluating contextual factors such as IP addresses, geolocation, and device identification. Imagine, when opening a door, you want to make sure only the right people (or in this case, apps) have the correct keys. Taking geolocation as an example: if the location a user is accessing a system from seems unusual, this could indicate that a malicious third party is attempting to gain access. In August 2018, the Financial Conduct Authority (FCA) announced it will force UK banks to publicly reveal the number of IT outages they have via an API, so securing APIs is more crucial than ever for banks. It is well worth remembering that financial security has to be 100% all the time. A hacker only needs to be right once, so investing in the right security measures, such as multi-factor authentication (MFA), is essential.
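The contextual checks described above (IP address, geolocation, device identification) can be combined into a single risk decision that allows a request, requires an MFA step-up, or denies it. The following is an added illustration written for this article; it is not Okta's code or the article's own. The signal weights, the 1,000 km/h "impossible travel" threshold, the 500 km "unusual location" threshold, the decision cut-offs and every user, device, network and coordinate in it are constructed for the example.

```python
"""Contextual access evaluation for an API request (added illustration).

Scores a request against the signals the article names and maps the
score to allow / step_up_mfa / deny. All thresholds and sample data are
constructed assumptions, not values from any product or standard.
"""
import ipaddress
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Tuple


@dataclass
class LastSeen:
    lat: float
    lon: float
    ts: float  # epoch seconds of the last successful request


@dataclass
class UserProfile:
    user_id: str
    known_devices: frozenset          # device identifiers previously enrolled
    trusted_networks: Tuple[str, ...]  # CIDR blocks, e.g. a corporate egress range
    last_seen: Optional[LastSeen] = None


@dataclass
class ApiRequest:
    user_id: str
    ip: str
    device_id: str
    lat: float
    lon: float
    ts: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two coordinates, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def ip_is_trusted(ip: str, networks: Tuple[str, ...]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def evaluate(req: ApiRequest, profile: UserProfile) -> Tuple[str, List[str]]:
    """Return (decision, reasons). Decision is allow, step_up_mfa or deny."""
    score = 0
    reasons: List[str] = []

    # Device identification: an unenrolled device is the strongest single signal.
    if req.device_id not in profile.known_devices:
        score += 2
        reasons.append("unrecognised device")

    # IP address: outside the networks we expect this user to come from.
    if not ip_is_trusted(req.ip, profile.trusted_networks):
        score += 1
        reasons.append("ip outside trusted networks")

    # Geolocation: compare with where and when the user was last seen.
    if profile.last_seen is not None:
        distance = haversine_km(profile.last_seen.lat, profile.last_seen.lon, req.lat, req.lon)
        hours = max((req.ts - profile.last_seen.ts) / 3600.0, 1.0 / 60.0)  # floor at one minute
        if distance / hours > 1000.0:        # constructed threshold: faster than any airliner
            score += 3
            reasons.append("impossible travel since last request")
        elif distance > 500.0:               # constructed threshold: far from the usual location
            score += 1
            reasons.append("unusual location")

    if score == 0:
        decision = "allow"
    elif score < 4:
        decision = "step_up_mfa"
    else:
        decision = "deny"
    return decision, reasons


def demo() -> dict:
    """Three constructed requests against one constructed profile."""
    london = (51.5074, -0.1278)
    new_york = (40.7128, -74.0060)
    profile = UserProfile(
        user_id="u-1001",
        known_devices=frozenset({"dev-a1"}),
        trusted_networks=("203.0.113.0/24",),
        last_seen=LastSeen(*london, ts=0.0),
    )
    usual = ApiRequest("u-1001", "203.0.113.10", "dev-a1", *london, ts=3600.0)
    new_device = ApiRequest("u-1001", "198.51.100.5", "dev-zz", *london, ts=3600.0)
    teleport = ApiRequest("u-1001", "198.51.100.5", "dev-a1", *new_york, ts=3600.0)
    return {name: evaluate(r, profile) for name, r in
            (("usual", usual), ("new_device", new_device), ("teleport", teleport))}


if __name__ == "__main__":
    for name, (decision, reasons) in demo().items():
        print(f"{name}: {decision} {reasons}")
```

The decision tiers are the point: a single weak signal such as an unfamiliar IP address should prompt a step-up rather than a hard denial, while a combination that cannot be explained by legitimate use (a known device apparently crossing the Atlantic in an hour) is refused outright and logged with its reasons for the security team.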
The Threat from Within
Protecting APIs is not the only security consideration fintechs must make; internal threats must not be forgotten. According to Verizon’s 2019 Data Breach Investigations Report, 35 percent of all breaches occur as a result of human error.
There are many ways employees can inadvertently compromise cyber-security. Employees could mistakenly send an email with sensitive information to the wrong recipient or be tricked into clicking on phishing links, which can appear legitimate to the untrained eye. These links can expose user credentials, enabling attacks aimed at high-level information and data.
Additionally, it is not uncommon to see employees take valuable data with them when they leave a company, particularly if their exit was wrapped up in personal or professional grievances. With this in mind, it is not surprising that 70% agree that insider attacks are becoming more frequent, according to The 2019 Insider Threat Report. This only heightens the need for internal systems to be secured by strong identity and access management (IAM) to ensure safety from threats both inside and out.
Security can be achieved by restricting employee access to only files, data and platforms they need and only within the timeframe they need it. Ex-employees should have their identities entirely barred and blocked from systems.
As part of this process, and much as with securing APIs, fintechs need to move to an MFA approach as part of their IAM, shifting away from sole reliance on password authentication. Verizon claims that 80% of hacking-related breaches used stolen or weak passwords. Many of us are at fault for using similar passwords for both business and personal accounts and services. If a hacker were to gain control of an employee’s personal identity, their work accounts might then be vulnerable to attack. Therefore, MFA should be non-negotiable for all internal systems.
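The three IAM rules set out in the last two paragraphs (access only to what is needed, only for as long as it is needed, ex-employees barred entirely, and MFA as a precondition for any internal access) can be expressed as a small authorisation model. The following is an added illustration for this article, not Okta's code or any product's API; the directory class, the user names, the resource name and the timestamps are constructed for the example.

```python
"""Time-bound, least-privilege entitlements with offboarding (added illustration).

A minimal in-memory IAM store: every grant names one resource, a set of
actions and a validity window; a disabled identity or an unverified MFA
factor is refused before any grant is consulted. Names and times are
constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple


@dataclass
class Grant:
    resource: str
    actions: frozenset
    starts: datetime
    expires: datetime

    def covers(self, resource: str, action: str, now: datetime) -> bool:
        return (self.resource == resource and action in self.actions
                and self.starts <= now < self.expires)


@dataclass
class Identity:
    user_id: str
    active: bool = True
    grants: List[Grant] = field(default_factory=list)


class AccessDirectory:
    def __init__(self) -> None:
        self._users: Dict[str, Identity] = {}

    def add_user(self, user_id: str) -> None:
        self._users[user_id] = Identity(user_id)

    def grant(self, user_id: str, resource: str, actions: Iterable[str],
              now: datetime, duration: timedelta) -> None:
        """Least privilege: a grant is scoped to one resource, named actions and a window."""
        self._users[user_id].grants.append(
            Grant(resource, frozenset(actions), now, now + duration))

    def offboard(self, user_id: str) -> None:
        """Leaver process: disable the identity and drop every grant it held."""
        ident = self._users[user_id]
        ident.active = False
        ident.grants.clear()

    def authorize(self, user_id: str, resource: str, action: str,
                  now: datetime, mfa_verified: bool) -> Tuple[bool, str]:
        ident = self._users.get(user_id)
        if ident is None or not ident.active:
            return False, "identity unknown or disabled"
        if not mfa_verified:
            return False, "mfa required"
        for g in ident.grants:
            if g.covers(resource, action, now):
                return True, "grant active"
        return False, "no active grant for this resource and action"

    def sweep_expired(self, now: datetime) -> List[Tuple[str, str]]:
        """Remove lapsed grants and return (user, resource) pairs for the audit log."""
        removed: List[Tuple[str, str]] = []
        for ident in self._users.values():
            keep = []
            for g in ident.grants:
                if g.expires <= now:
                    removed.append((ident.user_id, g.resource))
                else:
                    keep.append(g)
            ident.grants = keep
        return removed


def demo() -> dict:
    """Constructed scenario: one current employee, one leaver, one shared resource."""
    t0 = datetime(2019, 9, 1, 9, 0, tzinfo=timezone.utc)
    d = AccessDirectory()
    d.add_user("alice")
    d.add_user("bob")
    d.grant("alice", "payments-db", {"read"}, t0, timedelta(hours=8))
    d.grant("bob", "payments-db", {"read", "write"}, t0, timedelta(hours=8))
    d.offboard("bob")  # bob leaves the company the same day
    h = timedelta(hours=1)
    return {
        "alice_read": d.authorize("alice", "payments-db", "read", t0 + h, True),
        "alice_write": d.authorize("alice", "payments-db", "write", t0 + h, True),
        "alice_no_mfa": d.authorize("alice", "payments-db", "read", t0 + h, False),
        "alice_after_window": d.authorize("alice", "payments-db", "read", t0 + 9 * h, True),
        "bob_after_offboard": d.authorize("bob", "payments-db", "read", t0 + h, True),
        "swept": d.sweep_expired(t0 + 9 * h),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The ordering inside `authorize` matters: identity status and the MFA factor are checked before any entitlement, so a disabled leaver's account is refused even if a stale grant were somehow still present, and `sweep_expired` gives the access-review process a list of what lapsed rather than silently deleting it.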
Security and Innovation Breed Success
Innovation within the financial sector will continue to flourish, but this should not come at the expense of security. Security should be front of mind to ensure customers are empowered with a secure and seamless digital banking experience.
To stand a chance of remaining successful in the future banking market, financial services companies must ensure IAM policies are thorough, while guaranteeing API security. Any lapses here will cost a financial institution dearly, from a financial and reputational point of view.