Written by Joseph Lau
Joseph Lau is the Chief Information Security Officer at Portag3 Ventures.
No matter how advanced your technology is, it can be quickly unraveled by a cybersecurity breach — including and especially at the seed and series A stages.
Nowhere is this more true than in the fintech space. While fintechs are under pressure to innovate at lightspeed, there is no “fail fast” when you are handling real money or equities. Fintech startups face many of the same cyber threats as large financial institutions. However, they need to be extremely strategic in allocating their limited resources to defend their platforms, since they work with much smaller teams and funding.
In my role as CISO at Portage, the most common question I hear from startups is What should I do about cybersecurity? In order to address these concerns systematically, I developed the “Startup 7” framework: a guide for how to allocate limited resources to have the greatest impact. The Startup 7 is not a checklist or a final destination; rather, it’s a set of areas for continuous improvement and self-evaluation. If you’re just beginning your cybersecurity journey, here’s where to start planting some flags:
#1 Data Handling & Privacy
In an information economy, data is the new oil: it needs to be properly handled and protected. Retroactively implementing data protections is extremely difficult, but fortunately, it’s much simpler to secure your data if you spend time categorizing your data and building in protections from the start.
First, figure out what data you need to secure, and then make sure it’s encrypted both in transit and at rest. All corporate and client data should be tagged and segregated, so that there is no cross-contamination of the two. As a next step, make sure that access to client data is restricted, logged, and audited. Ideally, how data is used across the organization can be clearly demonstrated and verified. Fintechs in particular should keep in mind that data remains in your country; if data leaves your country, it could be subject to foreign data and security laws.
Many studies have demonstrated that the weakest link in the cybersecurity chain are humans, and the best return on investment is through both basic and technical cybersecurity education. Start by making sure all new employees are given mandatory basic compliance, privacy, and cybersecurity training during the onboarding process. Education is an ongoing process, so continue to provide cybersecurity training sessions on an ongoing basis to both executives and employees.
It is much easier to defend an application or platform that has been designed and implemented securely from the start. Unfortunately, university and college computer science programs rarely touch on cybersecurity, and when they do, they often do not cover the latest technology. To address this gap, provide your software developers secure development training (cloud security, application security, secure coding) that is applicable to your environment.
#3 Cloud Security
With most startups relying heavily on cloud services rather than on-premise servers, proper configuration is key to secure cloud implementation. At a minimum, basic DDoS protection* should be in place for all public-facing web services. Additionally, user access to production environments must be tightly controlled, and all access not absolutely required should be restricted. Consider providing hardware Multi-Factor Authentication (MFA) for the few admins that have access to the production environment. As your company scales, you may want to employ a cloud-based security vendor.
*DDoS is a common form of cyber attack, where your systems become slow (or stop working) due to the volume of false requests.
#4 User Authentication
The first step to secure logins is a strong password policy. While outdated password standards used to require 8 characters and a combination of numbers and symbols, the current guidance is to use passphrases made up of three or four unrelated words, ideally 15 characters or longer. Passphrases are easy for humans to remember but hard for computers to crack.
From day one, make sure that users are only granted the minimum access required for their role. In the seed stages of the startup, there’s often an attitude of We know everybody, and we trust everybody. But as you scale quickly, issues will result from everyone having elevated access, for example admin access on their laptops. It’s better for your firm to grant minimum access and slowly increase privileges; for example, someone in marketing probably does not need access to your source code.
Research has shown that using Multi-Factor Authentication (MFA) can prevent up to 99% of bulk phishing attacks and 90% of targeted attacks. SMS authentication is better than nothing, but authenticator apps like Google Authenticator are better, and hardware MFA is the strongest.
#5 Business Continuity
If the COVID-19 pandemic has taught us anything, it’s that the worst time to come up with a response plan is during an actual incident. When I get a dreaded cybersecurity incident email or phone call in the middle of the night, unfortunately, they are oftentimes a result of things that could have been easily avoided.
It’s more than worth your time to develop an incident response playbook and perform multi-site backups. Once you have backups in place, implement tests regularly (every six months or annually) to make sure you can restore your data. Untested backups aren’t real backups. Annual tabletop exercises are an excellent tool to identify process gaps and areas for improvement. Lay out the decision-making process, who should escalate incidents, and who should be called in the middle of the night. Simulations require time and planning, but working through these exercises is important to prepare in case of a breach.
#6 End Point Security
Since network traffic is now 90% encrypted, computers and servers are now the main point of vulnerability. Fortunately, many software vendors are making real efforts to constantly patch and update their software to respond to new threats. But your employees’ systems are only really safe if their operating systems and applications can be centrally managed, audited, and patched. If you can’t verify if your employees are updating their software, you’re leaving yourself open to attacks that may already have been fixed.
Beyond patching, application whitelisting is another great tool to prevent unauthorized software from running on your most critical servers and machines. Employees should be reminded that only office productivity applications should be installed on work computers.
#7 Secure Development
It’s far easier to defend a securely designed system. Making security a primary architecture principle does not necessarily significantly slow down innovation or the deployment pipeline. To the contrary, retroactively trying to bolt on security to a deployed product will be a nightmare, and will usually result in a less secure product.
Developer resources are often focused on innovation and delivering new functionality, so there needs to be a commitment to assign developer resources to address security issues and fixes in a timely manner. While it can be expensive to hire external vulnerability assessments and penetration testing, it’s a worthwhile investment to have your application regularly evaluated — especially if you are doing a major release. It’s better (and much cheaper in the long term) to work with security researchers than to have your systems compromised by malicious hackers.
In Conclusion: Securing the Fintech Space
I hope that the Startup 7 has given you some idea of where to start on your cybersecurity journey. While it’s impossible to address every concern at once, the important thing is to allocate resources and keep improving across all of these areas. A holistic approach is necessary to defend your company against constantly evolving threats. If you ignore even one of these areas, you are exposing a weak link.
Cybersecurity shouldn’t be something that fintechs compete on. When one fintech is breached, our reputation collectively suffers. We need to openly share information and work together — because the hackers certainly are. By focusing on cybersecurity from day one and constantly re-evaluating, you can build a strong security foundation, prevent incidents, and focus on innovation and delivering value to your customers.