Securing FinTechs: How to Maintain Agility Without Compromising Security

Quick disclaimer; Banks are slow for a reason. Financial institutions have always been a prime target for hackers and organised criminals looking to make a quick buck, and this is now more true than ever, with the risk of cybercrime growing daily. That's why dozens of processes have been laid on top of each other over many decades to try and ensure that everything a bank produces has been reviewed, assessed, analysed, and scrutinised every-which-way until they can be confident that they are secure.

In this blog we explore how you can adopt modern solutions so that, when it comes to security, you can still compete with the big dogs without undermining the speed and efficiency that makes you so unique.

‍

Test Iteratively

You don't release updates once a year, so why should you let a lap of the sun tell you when to do your next pentest? Every feature, functionality, asset, or change that you introduce can have its own unique security implications and that's why we recommend being prepared to perform focused security testing before you roll it into production.

Now, if you're used to a security test meaning a five-day intensive exercise costing thousands of pounds and taking several weeks to organise, I've got some good news. With the right partnership in place, modern PTaaS companies should be capable of doing focused bite-size tests at short notice and without breaking the bank (no pun intended).

Embrace Tools

The same technology revolution that you've identified in finance is shared with security. That means that automation has come a long way in the last few years, from archaic signature-based scanners and primitive patch-auditing tools, to a new wave of AI-driven deep-learning code reviews and cross-platform attack-path mapping suites.

While the banks have teams of security analysts working night and day to manually detect new vulnerabilities across their estate, you can achieve the same thing in minutes at the click of a button.

What's more, with the right Vulnerability Management suite in place you can cut out the noise of 100+ page PDF reports and spreadsheets riddled with false positives, and access actionable information in a fraction of the time.

Work Collaboratively

There is not always one right answer when it comes to mitigating certain security risks. As someone who's spent the last decade recommending technical security measures, that's a hard thing to admit... but sometimes the right answer isn't to buy the latest silver bullet or to spend weeks refactoring that area of code.

Instead, get some clever people to sit around a desk (or a slack channel) to talk the problem out first.

Maybe a feature has a vulnerability that's blocking your go-live? Your developer might say it'll take weeks to fix and risk derailing next month's milestones, while your sales director says there's a big contract riding on the release coming out on time. Thankfully, your CTO might be able to tell you that the affected feature isn't needed for now and can just be disabled, or your ISM can roll a WAF rule to prevent and monitor while you work on something more permanent.

Show Off

Being the new kid on the block comes with certain challenges. Not only will you be expected to adhere to the same standards and requirements as all traditional businesses, but you're also likely to come under increased scrutiny as customers and regulators build trust over time. That's why, when you're not just achieving but exceeding what's expected, you should be shouting it from the rooftops. This is never more true than when it comes to Security.

Every now and then you will be asked to produce evidence that you're proactive in your security, usually in the form of a customer-facing report that says "on X date, a test was done which found Y". Businesses often come scrambling a few weeks before their audit or a procurement deadline, get one of these reports produced, and then panic when it shows up a dozen or so findings including open high-and-critical severity vulnerabilities.

Instead, when asked, imagine producing a document that shows your exact security posture over the last 12 months that demonstrates how you have never had more than a few open issues and how every high-risk finding got identified and closed off in a matter of days. Without wanting to teach you to such eggs, these are the sorts of things that win new business.

Build Defensively

Introducing security into the design phase is often one of the best ways to make your life easier, preventing issues from ever being introduced in the first place rather than going back and fixing them after-the-fact.

Here's a list of security questions I would recommend asking whenever you're designing something new:

1. How will you ensure the proper storage and protection of sensitive customer information?
2. What measures will you implement for secure authentication and authorization of user access?
3. How will you secure network communications to prevent unauthorized access and data interception?
4. What types of security testing are necessary, such as code reviews and vulnerability assessments?
5. How will you monitor and identify suspicious behaviours?
6. Is there a plan in place for responding to security incidents and breaches?
7. How will you manage the security practices of third-party vendors?
8. How will you ensure compliance with relevant security and data privacy regulations, such as GDPR and PCI-DSS?
9. What security policies and procedures will you establish, e.g. information handling & awareness training?

It's always a good idea to ask more than one person in the business to answer these questions; you might find the engineer, developer, and ISM all have different ideas and the best solution can often be a hybrid of these.

Know when to ask for help

Nobody can be an expert in everything, and while you're growing it's often best you focus on the things you're best at. That's why it's important to recognise when it's time to reach out and ask for help.

That help is never better than when it's offered by a trusted partner who understands not just FinTech's, but also your business specifically. That's why Cytix provides year-round support to our customers, so that you can leverage our expertise to achieve any security goals you have. Our customers get a dedicated cluster of security testers who act as a true extension of your team. Whether it's performing a new test, suggesting a tool, or jumping on a call to talk through an idea, we're always on hand waiting to offer our support.