
Top cyber security threats for FinTech in 2024

By Alex Melissas, Security Operations Engineer, Quantifeed

by Quantifeed | 25/04/2024 08:00:00

As with any other aspect of the rapidly evolving technological landscape we find ourselves in, cyber security is an ever-changing, “blink-and-you-missed-it” field. Keeping a healthy security posture requires a constant effort to stay current with the threat landscape, together with best-effort prevention, mitigation and containment measures. In this article we explore some of the top emerging or returning cyber security threats for FinTech, along with best-practice suggestions for addressing them.

Artificial Intelligence and Machine Learning
The rise of Artificial Intelligence (AI) has taken it far beyond a buzzword at this point, with its effects seen as revolutionary in multiple fields. However, despite the mostly positive recent coverage of AI, machine learning (ML) and large language models (LLMs), there is growing concern about the privacy and security guarantees of these technologies.

The concern is twofold. Externally, attackers can now use AI to refine their offensive strategies at much greater speed, and it is already expected to significantly increase both the volume and the impact of cyber attacks (NCSC). Internally, AI usage, and LLMs in particular, has raised concerns about the privacy of input data: whatever is typed into a hosted model leaves the organisation's control and may be retained by the provider. This is especially critical for FinTech organisations, which regularly handle sensitive financial and personal information.

The threat level posed by the rise of AI and ML is still being determined, but one general best-practice approach is cautious, privacy-conscious internal usage of AI tools. In practice this means segregating AI tools and APIs from critical data and infrastructure, and not entering sensitive information, such as source code, credentials and personal data, into publicly available AI tools; an approved-tool policy backed by a technical filter in front of the external API enforces this more reliably than relying on each user to remember it. Finally, organisations can assess the defensive use of AI to counter external threats, with existing and upcoming tools such as Microsoft Copilot for Security.
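One way to make the "don't paste sensitive data into public AI tools" rule mechanical rather than purely a policy is a pre-submission filter that sits between staff and the external LLM API. The script below is an added example written for this article, not Quantifeed code: the detector patterns, the Luhn check used to cut false positives on card-shaped numbers, the source-code heuristic that blocks a prompt outright, and the sample prompt are all constructed assumptions, not a complete DLP ruleset.

```python
"""Pre-submission filter for prompts bound for an external LLM API.

Added example, not Quantifeed code. Detector patterns, the source-code
heuristic and the sample prompt are constructed assumptions, not a
complete DLP ruleset.
"""
import re
from dataclasses import dataclass, field

# Illustrative detectors (assumed). Order of application matters: IBANs are
# redacted before the card check so their digit runs are not re-matched.
SECRET_RE = re.compile(r"\b(?:sk_live_|AKIA|ghp_)[A-Za-z0-9]{16,}\b")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# Crude source-code heuristic: lines that look like definitions or imports.
CODE_LINE_RE = re.compile(
    r"^\s*(?:def \w+\(|class \w+[:(]|import \w+|from \S+ import |"
    r"#include\s*[<\"]|function \w+\(|\w+\s*=.*;\s*$)"
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so plain reference numbers are not mistaken for cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class ScrubResult:
    text: str
    redactions: dict = field(default_factory=dict)
    blocked: bool = False
    reason: str = ""


def scrub_prompt(prompt: str, max_code_lines: int = 2) -> ScrubResult:
    """Return a redacted prompt, or a blocked result if it looks like source code."""
    code_lines = sum(1 for line in prompt.splitlines() if CODE_LINE_RE.match(line))
    if code_lines >= max_code_lines:
        return ScrubResult(text="", blocked=True,
                           reason=f"{code_lines} source-code-like lines")

    counts: dict = {}

    def redact(kind, regex, text, confirm=None):
        def repl(m):
            val = m.group(0)
            if confirm is not None and not confirm(val):
                return val  # matched the shape but failed the check: leave it
            counts[kind] = counts.get(kind, 0) + 1
            return f"[{kind.upper()}-REDACTED]"
        return regex.sub(repl, text)

    text = redact("secret", SECRET_RE, prompt)
    text = redact("iban", IBAN_RE, text)
    text = redact("card", CARD_RE, text,
                  confirm=lambda v: luhn_ok(re.sub(r"\D", "", v)))
    text = redact("email", EMAIL_RE, text)
    return ScrubResult(text=text, redactions=counts)


# Constructed sample prompt. The card and IBAN are standard test values and the
# key is the placeholder from AWS documentation; none of them are real.
SAMPLE_PROMPT = (
    "Summarise this complaint: client jane.doe@example.com says the payment "
    "on card 4111 1111 1111 1111 to IBAN GB29 NWBK 6016 1331 9268 19 failed. "
    "Order ref 123456789012345 was rejected. Our key is AKIAIOSFODNN7EXAMPLE."
)

if __name__ == "__main__":
    result = scrub_prompt(SAMPLE_PROMPT)
    print(result.redactions)
    print(result.text)
    print(scrub_prompt("def foo():\n    return 1\nimport os\n").blocked)
```

The order reference in the sample passes through untouched because it fails the Luhn check, while the card number is redacted; that distinction is what stops a filter like this from mangling every long number in a support ticket. Anything that looks like source code is refused rather than redacted, since there is no safe way to partially share it.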

Ransomware and phishing
Ransomware continues to be one of the most prominent threats to any organisation, and FinTech, with its heavy reliance on sensitive data, is no exception. Usually delivered through social engineering techniques such as phishing (tricking a user into revealing credentials or opening a malicious link or attachment), ransomware typically involves the attacker encrypting files across the victim's systems and demanding payment for the decryption key. It has been the most prominent and feared threat for many years now, and without a surefire way to prevent it, it keeps second place in our list for 2024.

However, even without a guaranteed mitigation, there are ways to reduce both the likelihood and the impact of ransomware. Internal security training programmes go a long way towards raising staff awareness of phishing and social engineering. On the phishing e-mail front, automated scanning of inbound mail can catch the more obvious threats, such as executable or macro-enabled attachments and files whose content does not match their declared type, before they reach an inbox. On the impact side, tested backups kept out of reach of the production network are what turn an encryption event into a recovery exercise rather than a ransom negotiation.
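As an added illustration of the attachment scanning mentioned above (example code written for this page, not a Quantifeed tool or any particular mail gateway), the script below screens constructed sample attachments for the usual red flags: executable or script extensions, double extensions such as invoice.pdf.exe, a mismatch between the declared extension and the file's leading magic bytes, and VBA macros inside an OOXML document. The denylist, the magic-byte table and the sample files are assumptions.

```python
"""Screening inbound e-mail attachments for the obvious ransomware carriers.

Added example, not Quantifeed code or any specific mail gateway. The
extension denylist, magic-byte table and sample attachments are assumptions
constructed for this page.
"""
import io
import zipfile
from dataclasses import dataclass, field

# Assumed denylist: file types Windows will execute or script directly.
BLOCKED_EXT = {"exe", "scr", "dll", "msi", "js", "jse", "vbs", "bat", "cmd",
               "ps1", "hta", "lnk", "iso"}
MACRO_EXT = {"docm", "xlsm", "pptm"}
DOC_LIKE = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
# Leading bytes of formats we expect to see; anything else is "unknown".
MAGIC = [
    (b"%PDF", "pdf"),
    (b"MZ", "exe"),
    (b"PK\x03\x04", "zip"),  # docx/xlsx/pptx are zip containers
    (b"\x89PNG", "png"),
    (b"\xff\xd8\xff", "jpg"),
]
# What the magic bytes should be for a given declared extension.
EXPECTED_KIND = {"pdf": "pdf", "docx": "zip", "xlsx": "zip", "pptx": "zip",
                 "docm": "zip", "xlsm": "zip", "png": "png", "jpg": "jpg",
                 "jpeg": "jpg", "exe": "exe"}


def sniff(data: bytes) -> str:
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def ooxml_has_macros(data: bytes) -> bool:
    """True if an OOXML container carries a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


@dataclass
class Verdict:
    filename: str
    reasons: list = field(default_factory=list)

    @property
    def quarantine(self) -> bool:
        return bool(self.reasons)


def screen_attachment(filename: str, data: bytes) -> Verdict:
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    v = Verdict(filename)
    if ext in BLOCKED_EXT:
        v.reasons.append(f"blocked extension .{ext}")
    if len(parts) > 2 and parts[-2] in DOC_LIKE:
        v.reasons.append("double extension")  # e.g. invoice.pdf.exe
    kind = sniff(data)
    expected = EXPECTED_KIND.get(ext)
    if expected and kind != expected:
        v.reasons.append(f"content is {kind}, not {ext}")
    if ext in MACRO_EXT or (kind == "zip" and ooxml_has_macros(data)):
        v.reasons.append("contains VBA macros")
    return v


def make_ooxml(with_macro: bool) -> bytes:
    """Build a minimal OOXML-shaped zip (constructed test data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments: (filename, leading bytes of content).
SAMPLE_ATTACHMENTS = [
    ("invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60),    # renamed executable
    ("statement.pdf", b"MZ\x90\x00" + b"\x00" * 60),      # executable with .pdf name
    ("report.docx", make_ooxml(with_macro=True)),         # macro smuggled into .docx
    ("minutes.docx", make_ooxml(with_macro=False)),       # clean document
    ("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),  # clean image
]


def screen_all(attachments) -> dict:
    return {name: screen_attachment(name, data).reasons for name, data in attachments}


if __name__ == "__main__":
    for name, reasons in screen_all(SAMPLE_ATTACHMENTS).items():
        print(f"{name:18} {'QUARANTINE' if reasons else 'ok':10} {reasons}")
```

The magic-byte check is the one that matters most in practice: a renamed executable sails past any extension filter, but its first two bytes still say MZ. Checking inside the OOXML container for vbaProject.bin likewise catches macro documents that have been saved with a benign-looking .docx name.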

Insider threat
The people with the highest level of access to an organisation's information are those working inside it. The trust they are given, along with their access to assets, confidential information and physical or digital equipment and systems, can be invaluable to an attacker.

The attacker can be either an outsider exploiting the insider (an unintentional insider threat) or the insider themselves (an intentional one). An unintentional insider may be aware of security policies but ignore them, for instance by running outdated software or dismissing security warnings, leading to unnecessary exposure; in the second LastPass breach, attackers compromised a DevOps engineer's home computer through vulnerable third-party media software, installed a keylogger and captured the credentials that unlocked access to the company's cloud backups. Intentional insiders tend to be disgruntled current or former employees who abuse their privileged access to harm the organisation in some way.

To minimise the likelihood and impact of the insider threat, beyond training to prevent unintentional insiders, organisations should control and limit access for all staff. This limitation should be based on the principles of least privilege and separation of duties, so that each user has access only to exactly what they need to perform their tasks, preferably only for a set time period, with standing privileged access replaced by time-bound grants that expire on their own. This can be implemented with a robust access control system, with role-based access control (RBAC) being the most common implementation, and a default-deny rule: anything not explicitly granted is refused. Finally, there should be controls and checks during the hiring, onboarding and offboarding processes to ensure that staff are suitable to handle the organisation's assets securely throughout and after their employment, and offboarding in particular should revoke every grant promptly.
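The access model just described, as an added example that is not taken from the article or from Quantifeed's systems: least-privilege roles, a separation-of-duties rule between payment initiation and approval, time-bound grants that expire without anyone having to revoke them, and a default-deny authorisation check. Role names, permission strings, the conflict pair and the fixed reference time T0 are assumptions chosen to illustrate the model.

```python
"""Role-based access control with least-privilege roles, separation of duties
and time-bound grants.

Added example, not Quantifeed code. Role names, permission strings, the
conflict pair and the reference time T0 are assumptions used to illustrate
the model.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Each role carries only the permissions that job needs (least privilege).
ROLES = {
    "payments_initiator": {"payment:create"},
    "payments_approver": {"payment:approve"},
    "support_agent": {"client:read"},
    "prod_dba": {"db:read", "db:write"},
}
# Separation of duties: no single user may hold both roles of a pair.
SOD_CONFLICTS = {frozenset({"payments_initiator", "payments_approver"})}

# Fixed reference time so the example is reproducible (assumed value).
T0 = datetime(2024, 4, 25, 8, 0, tzinfo=timezone.utc)


def hours(n: float) -> timedelta:
    return timedelta(hours=n)


class SoDViolation(Exception):
    """Raised when a grant would put conflicting roles on one user."""


@dataclass
class Grant:
    role: str
    expires_at: datetime | None = None  # None = standing access


@dataclass
class User:
    name: str
    grants: list[Grant] = field(default_factory=list)


def active_grants(user: User, now: datetime) -> list[Grant]:
    """Expired grants drop out on their own; nobody has to remember to revoke."""
    return [g for g in user.grants if g.expires_at is None or g.expires_at > now]


def grant_role(user: User, role: str, ttl: timedelta | None = None,
               now: datetime | None = None) -> Grant:
    if role not in ROLES:
        raise KeyError(f"unknown role {role!r}")
    now = now or datetime.now(timezone.utc)
    held = {g.role for g in active_grants(user, now)} | {role}
    for pair in SOD_CONFLICTS:
        if pair <= held:
            raise SoDViolation(f"{user.name} cannot hold {sorted(pair)} together")
    grant = Grant(role, now + ttl if ttl else None)
    user.grants.append(grant)
    return grant


def permissions(user: User, now: datetime | None = None) -> set[str]:
    now = now or datetime.now(timezone.utc)
    perms: set[str] = set()
    for g in active_grants(user, now):
        perms |= ROLES[g.role]
    return perms


def authorise(user: User, permission: str, now: datetime | None = None) -> bool:
    """Default deny: only an explicit, unexpired grant confers a permission."""
    return permission in permissions(user, now)


if __name__ == "__main__":
    alice = User("alice")
    grant_role(alice, "payments_initiator", now=T0)
    try:
        grant_role(alice, "payments_approver", now=T0)
    except SoDViolation as e:
        print("refused:", e)
    bob = User("bob")
    grant_role(bob, "prod_dba", ttl=hours(4), now=T0)     # just-in-time DBA access
    print(authorise(bob, "db:write", now=T0 + hours(1)))  # True
    print(authorise(bob, "db:write", now=T0 + hours(5)))  # False: grant expired
```

The separation-of-duties check runs at grant time, not at use time, so a conflicting role assignment is refused before it exists rather than detected later in an audit. Time-bound grants handle the "preferably only for a set time period" point: the DBA grant simply stops conferring permissions after four hours, which also means a missed offboarding step cannot leave privileged access lingering indefinitely.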

3rd party integrations and supplier relationships
Closely related to the above threat, 3rd parties and suppliers are effectively given an extended form of insider access. A supplier with insufficient information security controls handling your organisation's data (and, by extension, your clients' data) can be catastrophic. The infamous Target breach, in which attackers got in using network credentials stolen from an HVAC contractor, is, unfortunately, still relevant and a great source of learning.

As an extension of the mitigations for the insider threat, supplier relationships should be built on established trust, agreed information security controls and policies, and a secure baseline for all practices. Your organisation should communicate clear information security requirements to suppliers and perform due diligence, checking that the supplier's security policy and controls are in line with yours and are satisfactory given a risk analysis of the assets they will have access to. This process should be repeated regularly to ensure continued compliance, and the access actually granted to a supplier should be scoped and time-limited like any other privileged access.

Non-compliance with regulatory requirements
Being in the finance field and working closely with the banking industry comes with strict requirements for compliance with the associated laws and regulations. These may include data protection laws (e.g. GDPR), as well as any other regulation applicable in the geographic locations and jurisdictions where the organisation is active. Despite not being a highly technical threat by nature, failing to comply with regulatory requirements can lead to substantial financial penalties, loss of trust and even loss of clients.

To minimise this risk, a collective effort is required from security professionals, legal experts and compliance teams. They need to keep the organisation up to date on which regulations and laws apply to it and define practicable methods to reach or remain in compliance, such as encryption of data at rest and in transit, secure storage, and backup and recovery of data, among many others.

Conclusion
As with any field in the tech space, defence against cyber security threats requires a constant, collective effort from all parts of an organisation. We trust that with the above points, any FinTech organisation can set off on its journey towards a safer and more secure 2024.
