Fintechs will be at the heart of the next wave of security wars

The announcement that JP Morgan is set to acquire robo-advisor Nutmeg once again demonstrates that, over the last decade, fintech has been the defining success story of the British economy.

Hackers are rapidly adapting their tactics to target features of modern fintechs

Today, UK fintechs make up 10% of global market share, are collectively worth more than £11 billion in annual revenue, and earned more investment than the next five biggest European countries combined.

Seeking to capitalise on this staggering growth, the UK government recently published the Khalifa Review, a strategy document for how governmental support could help to further nurture and grow British fintech unicorns as well as the sector as a whole. The report laid out a series of targets, including:

• Growing the UK’s market share to 12% (or £46 billion) by 2030.
• Doubling the number of UK domiciled fintech unicorns by 2025/2030.
• And, most importantly, for UK fintechs to “become the recognised global leader in scalable fintech solutions that demonstrate security, privacy and resilience by design.”

Effective security has been a crucial factor in the success of UK fintechs, as it has enabled customers to trust businesses like Starling, Wise, and Monzo, allowing them to become household names. Today, nearly three quarters (71%) of Brits are customers with at least one fintech brand.

Yet in the era of digital transformation and open banking, protecting sensitive customer data has never been more difficult. Personal and financial information has become more diffused than ever before, meaning a much higher chance of it being lost or stolen. And with hackers rapidly adapting their tactics to target features of modern fintechs, the future of the industry as a world leader depends on its ability to fight back.

App, app, and away

One of the biggest strengths of fintechs is that many are digitally native, app-first companies. This has allowed them to be more convenient, more responsive, and easily able to personalise their offerings for each customer compared to legacy players.

However, while interacting with customers this way has a host of advantages, it also creates a lot of security issues – not least of which is the application itself. In recent years, apps have become the number one vector for data breaches, accounting for half of all breaches (50%) in total.

While fintechs have a strong reputation for implementing good security measures – fintechs have been leading the way on biometric authentication for some time – the fact is they are built around apps that are vulnerable to a huge range of attacks.

Every day, fintechs need to protect themselves from API exploits, supply chain attacks, ransom-focused DDoS attacks (RDoS), and coordinated bot activity (like scraping or credential stuffing) to name but a few.

These attacks can result in a range of negative consequences, including taking a company offline for extended periods of time, loss of sensitive data, or severe reputational damage.

Public cloud problems

Beyond the sharp rise in app breaches, fintechs also have to cope with the incredible complexity of securing data while being cloud-native. Like app attacks, public cloud data breaches are increasing dramatically as more companies move workloads and operations away from private servers. As a result, nearly one in six breaches now come from ‘publicly accessible’ open services.

Such breaches can be caused by cloud configuration issues or vendor defaults but, all too often, it’s not a failure of security policies, but a total lack of any sort of security posture at all which leaves sensitive data available for anyone who happens to find it. For hackers, there are a host of ways to find such data.

Planning a defence

In order to effectively identify, prevent, and mitigate the threats from apps and the public cloud (not to mention a host of other attack vectors), fintechs need to have visibility over all their data environments so that sensitive information is never left exposed.

Unfortunately, all too often, security teams are trying to respond to these threats with a panoply of different point solutions, each one designed to combat a different threat, without having a single unified view. Such solutions can help to block a majority of attacks, but without a clear overview, gaps inevitably emerge for which smart hackers will exploit.

Fintechs should aim to protect workloads and data regardless of the environment. This means not just providing protection for sensitive data, but also all paths that lead to that data through a multi-layered application and data security platform that can identify incoming attacks or bad actors while not disrupting legitimate traffic from customers and partners.

As the Khalifa Review notes, the fintech industry is at a pivotal moment. UK unicorns have a golden opportunity to dominate the global market, especially with the government prioritising the creation of favourable trading conditions on their behalf.

However, in order to realise this possibility, British fintechs must heed the advice of the Khalifa Review and place security and data privacy at the heart of their operations. Cyber-criminals are constantly refining their approach to pinpoint weak spots, and fintechs need to fight back.

About the author

Chris Waynforth is an experienced cyber-security professional.

Prior to his current role at Imperva, Chris has worked at New Relic, Splunk, Identiv and RSA.