Like every other part of the rapidly evolving technology landscape we work in, cyber security is an ever-changing, “blink-and-you-missed-it” field. To retain a healthy security posture, an organisation needs a constant effort to stay up to date with the latest in the threat landscape, paired with best-effort prevention, mitigation and containment measures. In this article we explore some of the top emerging or returning cyber security threats for the FinTech field, along with best-practice suggestions against them.
Artificial Intelligence & Machine Learning
The rise of Artificial Intelligence (AI) has taken it far beyond a buzzword at this point, and its effects are being described as revolutionary in multiple fields. However, despite the mostly positive coverage of AI, Machine Learning (ML) and Large Language Models (LLMs) recently, there is growing concern regarding the privacy and security guarantees of these technologies.
The concern is twofold. Externally, attackers can now use AI to refine their offensive tooling and campaigns at much greater speed; the NCSC assesses that AI will almost certainly increase the volume and heighten the impact of cyber attacks over the next two years (NCSC). Internally, the use of AI tools, and LLM-based assistants in particular, has already raised concerns about the privacy of the data typed into them: a prompt sent to a third-party service leaves the organisation's control and, depending on the provider's terms, may be stored, reviewed or used for training. This is especially critical for FinTech organisations, which regularly handle sensitive financial and personal information.
The threat level posed by the rise of AI and ML is still being determined, but one general best-practice approach is cautious, privacy-conscious internal usage of AI tools. Practically, this means keeping AI tools and APIs segregated from critical data and infrastructure, and not entering sensitive information, such as source code, customer records and other personal data, into public AI tools. Finally, organisations can assess the defensive use of AI to counter external threats, with existing and upcoming tools such as Microsoft Copilot for Security.
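A practical form of the “do not paste sensitive data into public AI tools” advice is a redaction gate that sits between staff and an external LLM API. The example below is added here and is not code from the original article or from any vendor; it assumes a hypothetical policy (placeholders for card numbers, IBANs and e-mail addresses, and a MAX_REDACTIONS threshold above which the prompt is refused as a likely bulk paste of customer records) and a constructed sample prompt. Card numbers are checked with the Luhn checksum so that ticket or order references made of digits are left alone.

```python
"""Redaction gate placed in front of an external LLM API.

Added example, not code from the original article. It assumes a team that
allows staff to use a third-party LLM but, as the article advises, must
keep customer data out of it. Before a prompt leaves the organisation the
gate replaces payment card numbers (validated with the Luhn checksum so
that order references are not flagged), IBAN-style account numbers and
e-mail addresses with placeholders, and refuses prompts that look like a
bulk paste of customer records. The sample prompt and the MAX_REDACTIONS
threshold are constructed for illustration.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Country code, two check digits, then groups of four (ISO 13616 layout).
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

MAX_REDACTIONS = 5  # hypothetical policy: more than this is treated as a data dump


class PromptBlocked(Exception):
    """Raised when a prompt must not leave the organisation even after redaction."""


def luhn_ok(number: str) -> bool:
    """True if the digits in `number` pass the Luhn checksum used by card schemes."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(prompt: str) -> tuple[str, dict[str, int]]:
    """Replace sensitive tokens with placeholders; return the text and per-type counts."""
    counts = {"card": 0, "iban": 0, "email": 0}

    def card_sub(m: re.Match) -> str:
        if not luhn_ok(m.group(0)):
            return m.group(0)  # a digit run that is not a card number stays as it is
        counts["card"] += 1
        return "[CARD]"

    def iban_sub(m: re.Match) -> str:
        counts["iban"] += 1
        return "[IBAN]"

    def email_sub(m: re.Match) -> str:
        counts["email"] += 1
        return "[EMAIL]"

    # Luhn-validated card numbers first, then account numbers, then e-mail addresses.
    text = CARD_RE.sub(card_sub, prompt)
    text = IBAN_RE.sub(iban_sub, text)
    text = EMAIL_RE.sub(email_sub, text)
    return text, counts


def prepare_for_external_llm(prompt: str) -> str:
    """Return a redacted prompt, or raise if it should be handled in-house instead."""
    text, counts = redact(prompt)
    total = sum(counts.values())
    if total > MAX_REDACTIONS:
        raise PromptBlocked(f"{total} sensitive fields found; looks like a bulk data paste")
    return text


# Constructed sample: a support request a staff member might paste into a chatbot.
SAMPLE_PROMPT = (
    "Customer jane.doe@example.com disputes a charge on card 4111 1111 1111 1111, "
    "ticket 1234 5678 9012 3456, refund to GB82 WEST 1234 5698 7654 32."
)

if __name__ == "__main__":
    print(prepare_for_external_llm(SAMPLE_PROMPT))
```

Run stand-alone, the sample prompt comes back with the e-mail address, the card number and the IBAN replaced while the 16-digit ticket reference (which fails the Luhn check) is kept. Regular expressions of this kind are a coarse filter: they will miss sensitive data in other formats, so the gate complements, rather than replaces, keeping AI tools away from the systems that hold customer data.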
Ransomware & Phishing
Ransomware continues to be one of the most prominent threats for any organisation, and the FinTech field, with its heavy reliance on sensitive data, is no exception. It is usually delivered through Social Engineering techniques such as Phishing (tricking a user into opening a malicious attachment or link, or into handing over credentials without realising it). Once running, the ransomware encrypts the files on the victim's systems and demands a ransom for their restoration; many current operators also steal the data before encrypting it and threaten to publish it, so the extortion works even where backups exist. This type of attack has been the most prominent and feared threat for many years now, and without a sure-fire way to prevent it, it keeps its place near the top of our list for 2024 as well.
However, despite the lack of guaranteed mitigation, there are ways to reduce both the likelihood and the impact of Ransomware. Internal security training programmes go a long way towards increasing staff awareness of Phishing and Social Engineering. On the phishing email front, automated scanning tools can catch the more obvious threats, such as malicious attachments, before they reach an inbox. On the technical side, prompt patching, multi-factor authentication on remote access and regularly tested offline backups limit how far an infection can spread and how much leverage the attacker has afterwards.
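The “obvious threats” an attachment scanner catches are largely a matter of simple rules. The example below is added here and is not code from the original article or from any mail gateway product; it shows the rule set a practitioner would start with: executable and script extensions, macro-enabled Office documents, double extensions such as invoice.pdf.exe, files whose content is a Windows executable regardless of their name, and zip archives (including zip-in-zip nesting, a common phishing trick) that contain any of these. All attachments are constructed in memory.

```python
"""Rule-based triage of e-mail attachments, of the kind a mail gateway applies.

Added example, not code from the original article. It flags the attachment
shapes most often used to deliver ransomware loaders: executables and
scripts, macro-enabled Office documents, double extensions that hide an
executable behind a document name, files whose content is a Windows
executable whatever their name says, and archives (nested to a limited
depth) that contain any of the above. Every sample attachment below is
constructed in memory; no real mail is read.
"""
import io
import zipfile

EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
                  "wsf", "ps1", "hta", "lnk", "msi", "dll"}
MACRO_EXT = {"docm", "xlsm", "pptm", "dotm", "xltm"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
ARCHIVE_EXT = {"zip"}
MAX_ARCHIVE_DEPTH = 2  # stop unpacking zip-in-zip chains beyond this depth


def extensions(name: str) -> list[str]:
    """All extensions of a filename, lower-cased: 'Invoice.PDF.exe' -> ['pdf', 'exe']."""
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_name(name: str) -> list[str]:
    """Reasons a filename alone is suspicious; empty list if none."""
    exts = extensions(name)
    reasons: list[str] = []
    if not exts:
        return reasons
    last = exts[-1]
    if last in EXECUTABLE_EXT:
        reasons.append(f"executable/script extension .{last}")
    if last in MACRO_EXT:
        reasons.append(f"macro-enabled document .{last}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT and last in EXECUTABLE_EXT:
        reasons.append("double extension hiding an executable")
    return reasons


def triage(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Reasons to quarantine an attachment, combining name and content checks."""
    reasons = classify_name(name)
    exts = extensions(name)
    last = exts[-1] if exts else ""
    # Content check: a PE file starts with 'MZ' regardless of what it is called.
    if data[:2] == b"MZ" and last not in EXECUTABLE_EXT:
        reasons.append("PE header (MZ) despite non-executable name")
    if last in ARCHIVE_EXT:
        if depth >= MAX_ARCHIVE_DEPTH:
            reasons.append("archive nested too deeply to inspect")
        else:
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        for r in triage(member, zf.read(member), depth + 1):
                            reasons.append(f"archive member {member}: {r}")
            except zipfile.BadZipFile:
                reasons.append("archive is not a valid zip")
    return reasons


def verdict(name: str, data: bytes) -> str:
    """'quarantine' if any rule fired, otherwise 'deliver'."""
    return "quarantine" if triage(name, data) else "deliver"


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build a zip archive in memory (used only to construct sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, member_data in members.items():
            zf.writestr(member_name, member_data)
    return buf.getvalue()


# Constructed samples: a harmless statement, a macro workbook, a zipped
# "invoice" that is really an executable, and an executable renamed to .jpg.
SAMPLE_ATTACHMENTS = {
    "statement.pdf": b"%PDF-1.4 ...",
    "Q1-report.xlsm": b"PK\x03\x04 ...",
    "invoice.zip": make_zip({"invoice.pdf.exe": b"MZ\x90\x00 ..."}),
    "photo.jpg": b"MZ\x90\x00 ...",
}

if __name__ == "__main__":
    for attachment_name, content in SAMPLE_ATTACHMENTS.items():
        print(attachment_name, verdict(attachment_name, content), triage(attachment_name, content))
```

Only the statement is delivered; the other three are quarantined with the reason recorded, which is what an analyst needs when a user asks why their mail was held. Rules like these catch the careless lure, not the carefully crafted one (a password-protected archive, for instance, cannot be opened by the gateway at all), which is why the staff-awareness training above still matters.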
Insider Threat
The people with the highest level of access to an organisation's information are those working inside it. The trust they are given, and their access to assets, confidential information and physical or digital equipment and systems, are invaluable tools for an attacker.
That attacker can be an outsider exploiting the insider (the unintentional case) or the insider themselves (the intentional case). An unintentional insider may well be aware of the security policies but chooses to ignore them, leading to unnecessary exposure such as running outdated software on a device also used for work, or dismissing security warnings (see the second LastPass breach). Intentional insiders, on the other hand, tend to be disgruntled current or former employees who exploit their privileged access to information to harm the organisation in some way.
To minimise the likelihood and impact of the insider threat, beyond the training that addresses unintentional insiders, organisations should control and limit access for all staff. This limitation should be based on the principles of least privilege and separation of duties, to the point where each user has access to exactly what they need to perform their tasks, preferably only for a set time period. This is implemented through a robust access control system, with Role-Based Access Control (RBAC) being the most common model. Finally, there should be controls and checks in place during the hiring, onboarding and offboarding processes, to ensure that staff members are suited to handling the organisation's assets securely throughout their employment, and that their access is revoked promptly when it ends.
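The three properties just described (least privilege, separation of duties, and access that lasts only as long as the task) are easy to state and easy to get wrong in an access control system, so the example below is added here to make them concrete. It is not code from the original article or from any identity product; it is a small role-based model in which every grant expires, unknown users and permissions are denied by default, offboarding drops all grants at once, and a grant that would let one person both initiate and approve a payment is refused at request time. The roles, permissions, users, MAX_GRANT_TTL cap and timestamps are constructed for illustration.

```python
"""Least-privilege access control with expiring role grants and a
separation-of-duties rule.

Added example, not code from the original article. It models the advice
above: a user holds only the roles a task needs, each grant expires, unknown
users and permissions are denied by default, and a role combination that
would let one person both initiate and approve a payment is refused when
the grant is requested. The roles, permissions, users and timestamps are
constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Role -> permissions. Roles are deliberately narrow.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "payments-initiator": {"payment:create"},
    "payments-approver": {"payment:approve"},
    "support-agent": {"customer:read"},
    "support-admin": {"customer:read", "customer:update"},
}

# Role pairs one person must never hold at the same time (separation of duties).
SEPARATION_OF_DUTIES = {frozenset({"payments-initiator", "payments-approver"})}

MAX_GRANT_TTL = timedelta(days=30)  # hypothetical cap; standing access must be re-requested


class GrantRefused(Exception):
    """Raised when a role grant would violate policy."""


@dataclass
class Grant:
    role: str
    expires_at: datetime


@dataclass
class AccessDirectory:
    grants: dict[str, list[Grant]] = field(default_factory=dict)

    def active_roles(self, user: str, now: datetime) -> set[str]:
        """Roles whose grant has not yet expired."""
        return {g.role for g in self.grants.get(user, []) if g.expires_at > now}

    def grant(self, user: str, role: str, now: datetime, ttl: timedelta) -> None:
        """Add a time-bound role, refusing unknown roles, bad TTLs and SoD conflicts."""
        if role not in ROLE_PERMISSIONS:
            raise GrantRefused(f"unknown role {role!r}")
        if ttl <= timedelta(0) or ttl > MAX_GRANT_TTL:
            raise GrantRefused(f"ttl {ttl} outside allowed range")
        would_hold = self.active_roles(user, now) | {role}
        for pair in SEPARATION_OF_DUTIES:
            if pair <= would_hold:
                raise GrantRefused(f"{user} would hold conflicting roles {sorted(pair)}")
        self.grants.setdefault(user, []).append(Grant(role, now + ttl))

    def revoke_all(self, user: str) -> None:
        """Offboarding: drop every grant immediately."""
        self.grants.pop(user, None)

    def is_allowed(self, user: str, permission: str, now: datetime) -> bool:
        """Default deny: True only if an unexpired role carries the permission."""
        return any(permission in ROLE_PERMISSIONS[r] for r in self.active_roles(user, now))


def demo() -> dict[str, bool]:
    """Constructed walkthrough; returns the access decisions it made."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    d = AccessDirectory()
    d.grant("alice", "payments-initiator", t0, timedelta(hours=8))  # one shift only
    results = {
        "alice creates payment during shift": d.is_allowed("alice", "payment:create", t0 + timedelta(hours=1)),
        "alice creates payment after expiry": d.is_allowed("alice", "payment:create", t0 + timedelta(hours=9)),
        "alice approves (never granted)": d.is_allowed("alice", "payment:approve", t0),
        "bob reads customer (no grants)": d.is_allowed("bob", "customer:read", t0),
    }
    try:
        d.grant("alice", "payments-approver", t0, timedelta(hours=1))
        results["sod conflict refused"] = False
    except GrantRefused:
        results["sod conflict refused"] = True
    try:
        d.grant("carol", "support-admin", t0, timedelta(days=365))
        results["ttl over cap refused"] = False
    except GrantRefused:
        results["ttl over cap refused"] = True
    d.grant("carol", "support-admin", t0, timedelta(days=1))
    d.revoke_all("carol")  # carol leaves the company
    results["carol after offboarding"] = d.is_allowed("carol", "customer:update", t0)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Two design choices are worth noting. Separation of duties is enforced when access is granted, not when it is used, so the conflict is caught at the point where a reviewer would see it. And because the check only considers currently active roles, a user could hold the two conflicting roles one after the other; a production system that must prevent that would also look back over recently expired grants.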
3rd Party Integrations & Supplier Relationships
Closely related to the above threat, third parties and suppliers rely on an extended form of the access given to insiders. A supplier with insufficient information security controls handling your organisation's data (and by extension your clients' data) can be catastrophic. The infamous Target breach, in which attackers entered the retailer's network using credentials stolen from a heating and ventilation contractor, is unfortunately still relevant and a great source of learnings.
Extending the mitigations given for the Insider Threat, supplier relationships should be built on established trust, agreed information security controls and policies, and a secure baseline for all practices. To this end, your organisation should communicate clear information security requirements to its suppliers and perform due diligence: check whether the supplier's security policy and controls are in line with yours, and whether they are satisfactory given a risk analysis of the assets the supplier will have access to. This review should be repeated on a regular basis, and whenever the scope of access changes, to ensure continued compliance.
Non-Compliance with Regulatory Requirements
Being in the finance field and working closely with the banking industry comes with strict requirements for compliance with the associated laws and regulations. These may include data protection laws (e.g. GDPR), as well as any other regulation applicable to the geographic locations and jurisdictions where the organisation is active. Although not a highly technical threat by nature, failing to comply with regulatory requirements can lead to substantial financial penalties, loss of trust and even a shrinking client base.
To minimise this risk, a collective effort is required from security professionals, legal experts and compliance teams. They need to keep the organisation up to date on which regulations and laws apply to it, and define practicable methods to reach and remain in compliance, such as data encryption, secure storage, backup and recovery of data, and secure transport of information, among many others.
Conclusion
As with any field in the tech space, defence against cyber security threats requires a constant, collective effort from all parts of an organisation. We trust that with the above points, any FinTech organisation can set off on its journey towards a safer and more secure 2024.
About the author:
Alex Melissas is a Security Operations Engineer based in Quantifeed’s London office. He is responsible for maintaining a secure and reliable environment for the company and its clients. Holding a Computer Science degree and having studied Information Security at a postgraduate level at University College London, he has delved into the intricacies of the field and built a solid foundation for his career. His main interests lie in defensive security, governance, compliance, and the bridging of the gap between security and usability.
Beyond professional endeavours, Alex spends his free time getting up to date with the latest in the field, advocating for Information Security awareness and best practice, while also enjoying life’s simpler pleasures, like long walks in parks and journaling.