Cyberattacks are on the increase, with bad actors proliferating around the world. By the end of 2023, according to Cybercrime magazine, hackers will have caused $8 trillion in global damages. In 2022, Moody’s listed banks as being at high risk of attack, and Fintech is also in the firing line. As cybersecurity consultancy Cyber Arrow puts it: “Given the pervasiveness of cybersecurity threats, virtually all components of the FinTech ecosystem are vulnerable, including technologically advanced financial institutions, FinTech startups, and monetary clients.”
So what can the Fintech community do to alleviate the threat? In the latest episode of Payments Innovation, Cara Hayward, Director of Strategic Partnerships for North America, Currencycloud and Visa Cross-Border Solutions, spoke with Fraser Scott, VP of Product at threat modelling platform IriusRisk, to find out.
Understanding the risk and gaming out any mitigation in advance can help, said Scott, whose company specialises in helping developers make robust design decisions with a 360° view of everything that could go wrong and what could be done to fix it, so that security remains watertight.
Successful threat modelling is “something we all do naturally anyway,” he asserted. “If you go and park your car somewhere in a strange neighbourhood at night, you’re going through that kind of process: where am I? What’s the situation? What are the threats? Could someone break into my car? What am I going to do about it? Park in a public garage? Park near the street light? And did I do a good job? Maybe I look back and see if my car’s still there as I’m walking away. It’s a very natural process, and we’re just applying it to the design of software.”
Fintechs are a top target
Financial firms hold extremely sensitive data on millions of customers, and vulnerabilities can be exploited for lucrative ransoms. Fintech is meant to be the ‘tech-savvy’ cousin of traditional finance. It’s innovative, fast-moving, and often API and cloud-driven. But how secure is it? Is the industry doing enough to protect the consumers and businesses that rely on these products?
Verizon’s 2023 Data Breach Investigation report shows that the majority of breaches over the past year have been financially motivated. It comes as no surprise to Scott that the finance sector is at particular risk, and that the industry has more reason than most to ensure its security preparations are watertight.
“Financial organisations are probably some of the most juicy targets out on the internet for a hacker,” he said. “Not only do they have customer data, not only do they have big reputations, but they also, obviously, have money. So they’ve got a lot to lose from not doing cybersecurity correctly.”
To err is human
Some of the biggest cyberthreats on the horizon come from the evolution of technology. Artificial intelligence has the capacity both to power attacks – including personalised phishing expeditions – and to combat them, while the IoT devices often used for home working lack the kind of security that at-risk organisations need.
“Automation can help you do things well, but there is also the risk of automating the mistakes,” said Scott. “You could make mistakes at scale, as well as technology at scale, and you’re only one configuration mistake away from accidentally exposing an S3 bucket containing a whole bunch of data. You’ve got to have the checks and balances in place to ensure that is prevented – and if it does happen, it’s detected and automatically remediated.”
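The "checks and balances" Scott describes for a misconfigured storage bucket can themselves be automated. The following is an added illustration, not code from the interview or from IriusRisk: a small offline checker that evaluates constructed S3-style bucket configurations (a bucket policy plus the four Block Public Access settings), flags buckets whose policy grants access to everyone without the guard setting that would restrict it, and produces a remediated copy of the configuration. The sample buckets, their names and policies are constructed for the example; the remediation step only returns a corrected configuration object rather than calling any cloud API.

```python
import copy
import json
from typing import Any

# The four S3 Block Public Access settings. RestrictPublicBuckets is the one
# that restricts access to a bucket whose policy already grants public access.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)

# Constructed sample inventory (not real buckets): one exposed bucket, one that
# grants "*" only under a Condition, and one locked down correctly.
SAMPLE_BUCKETS: list[dict[str, Any]] = [
    {
        "name": "customer-exports",
        "policy": json.loads("""{
            "Version": "2012-10-17",
            "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                           "Action": "s3:GetObject",
                           "Resource": "arn:aws:s3:::customer-exports/*"}]}"""),
        "public_access_block": {k: False for k in PUBLIC_ACCESS_BLOCK_KEYS},
    },
    {
        "name": "static-site-assets",
        "policy": json.loads("""{
            "Version": "2012-10-17",
            "Statement": [{"Sid": "CdnRead", "Effect": "Allow", "Principal": "*",
                           "Action": "s3:GetObject",
                           "Resource": "arn:aws:s3:::static-site-assets/*",
                           "Condition": {"StringEquals": {"aws:SourceArn": "arn:aws:cloudfront::111111111111:distribution/EXAMPLEID"}}}]}"""),
        "public_access_block": {k: False for k in PUBLIC_ACCESS_BLOCK_KEYS},
    },
    {
        "name": "ledger-archive",
        "policy": json.loads("""{
            "Version": "2012-10-17",
            "Statement": [{"Sid": "AccountOnly", "Effect": "Allow",
                           "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
                           "Action": "s3:*", "Resource": "arn:aws:s3:::ledger-archive/*"}]}"""),
        "public_access_block": {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS},
    },
]


def _principal_is_everyone(principal: Any) -> bool:
    """True when a statement's Principal is the wildcard (anonymous) principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def find_public_statements(policy: dict[str, Any]) -> list[str]:
    """Return the Sids of Allow statements open to everyone with no Condition.

    A Condition may scope a '*' grant (e.g. to one CDN distribution), so such
    statements are reported separately by a human rather than flagged here.
    """
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        found.append(stmt.get("Sid", "<no Sid>"))
    return found


def assess_bucket(bucket: dict[str, Any]) -> dict[str, Any]:
    """Combine the policy check with the Block Public Access settings."""
    pab = bucket.get("public_access_block") or {}
    missing = [k for k in PUBLIC_ACCESS_BLOCK_KEYS if not pab.get(k, False)]
    public_sids = find_public_statements(bucket.get("policy") or {})
    # Exposure needs both: an unconditional public grant AND no guard setting
    # that restricts access for buckets with public policies.
    exposed = bool(public_sids) and "RestrictPublicBuckets" in missing
    return {"name": bucket["name"], "public_statements": public_sids,
            "missing_block_settings": missing, "exposed": exposed}


def remediate(bucket: dict[str, Any]) -> dict[str, Any]:
    """Return a corrected copy with all four Block Public Access settings on.

    Hypothetical auto-remediation step: a real pipeline would apply this via
    the provider's API and record the change for the detection log.
    """
    fixed = copy.deepcopy(bucket)
    fixed["public_access_block"] = {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS}
    return fixed


def scan(buckets: list[dict[str, Any]]) -> list[str]:
    """Names of buckets that are currently exposed."""
    return [r["name"] for r in map(assess_bucket, buckets) if r["exposed"]]


if __name__ == "__main__":
    for b in SAMPLE_BUCKETS:
        print(json.dumps(assess_bucket(b)))
    print("exposed:", scan(SAMPLE_BUCKETS))
    print("after remediation:", scan([remediate(b) for b in SAMPLE_BUCKETS]))
```

Running the scan before and after `remediate` is the whole point of the example: the same check that detects the exposure confirms the fix, which is what lets the step run unattended.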
Human fallibility is also a risk – in 2022, 74% of cybersecurity breaches were down to phishing attacks, errors, or misuse. Scott said it was critical for companies to have a security-focused culture in place, because it’s easy even for developers to make mistakes without an abundance of caution.
Hackers “exploit human nature,” he said. “They exploit urgency and busyness and cognitive biases. So the one thing the whole organisation has to do is be vigilant, test, educate, raise awareness. Don’t penalise people for making mistakes – support them, guide them, take them through the journey, but don’t also rely on humans never to make mistakes.”
Early identification means better mitigation
Fully embedded compliance plays an important role, too. Scott said that while many of his clients from the finance and Fintech sectors had been undertaking threat modelling for some time, they hadn’t yet been doing it at scale, across an entire organisation. That, he observed, was essential to get ahead of regulatory changes – as well as to manage the expectations of auditors.
By seeing things from an auditor’s perspective, engineers can understand where any gaps in communication around the use of particular technology may be and demonstrate their company’s compliance. In the process, they’ll also identify any gaps where particular attention needs to be paid moving forward.
“You come out of a threat modelling process with 100 risks, you found 100 threats – that would make an auditor or a risk person cry,” said Scott, “because they typically see you’ve done some security processing, it’s come out with 100 identified risks. With threat modelling, it’s a good thing, because what you’re doing is giving yourself information that allows you to act better to improve the security of the system.”
Until next time!