Lendingkart CTO on how fintech firms are protecting themselves from cyber security threats, CIO News, ET CIO
Fintechs have always been focused on building technology that brings the underserved and unbanked onto the financial map. With the increasing ownership of mobile phones, internet consumption in India has also increased. Now with the advent of 5G, this will only increase further.
According to the IAMAI report – Internet in India, 346 million Indians engage in online transactions, including digital payments and e-commerce. In comparison, 331 million people in the US have used digital transactions!
This promise was further spurred during the pandemic, when India saw a surge in digital transactions. It created an opportunity for fintech companies to acquire more customers as users got used to doing things remotely and in a contactless way. At the same time, cyber attackers also saw the rise of digital transactions as an opportunity to prey on vulnerable users and to misappropriate and abuse their data. While most industries face the wrath of cybercriminals, companies in financial services are at greater risk.
Hundreds of thousands of data points are collected by financial institutions in dealing with customers on a daily basis. Customers today seek personalized experiences, which means financial institutions collect and store data from users, including personal information, bank account information, and more. Today, malicious actors are trying increasingly sophisticated methods to gain access to user data (through calls, clickbait messages, spam, impersonation, etc.) that facilitate the acquisition of data for fraud. It becomes the responsibility of users and organizations to strengthen their data protection and security setup and not fall victim to cyber attackers.
Here’s a look at a few measures that Fintechs need to take to ensure security and prevent cyber attacks while following the RBI guidelines.
- Product or application security: Fintechs create products to facilitate financial access for users, and these products collect data at multiple touch points. For example, we have SaaS products for all stages of the loan process – Origination (xlr8), Collection (collec10), Credit evaluation (cred8) and Co-lending (2gthr). At each stage of a loan application, the user is required to submit data, from business and personal details to bank account details. Measures to safely store and protect this data include encryption of customer (PII) data both in transit and at rest, masking of data, implementation of role-based access control to limit data visibility, cloud security, internal and external penetration tests, and regular security audits. All fintech organizations creating products/applications should ensure maximum security right from the development stage.
- Another important practice that all fintech organizations must follow for product/application security is threat modelling. Constant review and updating of threat models at all stages of the SDLC is important, especially in the case of a new release or an architecture/infrastructure change. This also means that there should be regular scanning and review of design, architecture and UML models, all in compliance with privacy, government and industry standards.
- Security from external threats: It is important for a fintech to build external threat intelligence. This means regular scanning for external threats and rapid mitigation of source code leaks, credential leaks or sensitive data leaks, as well as infrastructure risk protection by detecting, identifying and mitigating common vulnerabilities in SSL/TLS servers and certificates.
- We follow a two-team strategy: red teaming and blue teaming in operations. Red teaming is an ethical hacking exercise we perform on our system to check the effectiveness of the defense system our organization has. This helps identify security gaps, manage risks and mitigate them. The exercise also helps to find an effective safety road map, while blue teaming helps create strong defenses by evaluating the security environment.
- Internal system security: With the hybrid mode of working that is the trend these days, it is extremely important for fintechs to make sure that the data collected is protected from any internal threats that may arise. This includes endpoint security, OS patching, installation of only approved software on employee systems, DLP to prevent data breaches, and establishment of Zero Trust Network Access. This hybrid movement of business between office and home requires systems, software, APIs, data and services to be made available anywhere, anytime, which means that the systems are more exposed to attacks from malicious actors. Workplace security should be strengthened to prevent malware or phishing attacks by building real-time threat defenses: continuous scanning, and promoting security measures such as strong and complex passwords, alerts, secure gateways and authentication.
- Customer and internal employee training: Knowledge is the most important tool. Today, public and private institutions such as the RBI and fintech organizations run awareness campaigns about data protection and data sharing. There are shows made on the same premise that are alarming and educational at the same time. It is essential for all organizations, including fintechs, to conduct regular training for employees and to share preventive communications internally and with external customers to warn and inform them about cybercriminals and their forms of attack.
Protecting against cyberattacks in fintech means evolving with changing trends according to the needs of the organization, as cybercriminals develop their techniques on a daily basis. A lack of cyber security infrastructure can lead to loss of operations, reputational risk and loss of revenue. The best approach for fintech companies to prevent this outcome is to create a robust information security and cyber security infrastructure that both protects organizations from cyber attacks and prepares them for any emergency that may arise in a cyber attack scenario.
Having said this, it is not the responsibility of fintech/financial organizations alone; the government also has a responsibility to support awareness and establish guidelines for organizations to follow for the prevention of cyber attacks.
The author is CTO at Lendingkart.
Disclaimer: The views expressed are solely those of the author and ETCIO.com does not necessarily subscribe to them. ETCIO.com shall not be liable for damages caused by any person/organization directly or indirectly.