
Fintech Firms & Data Security in the Age of Ransomware

A Balakrishnan, CEO & MD, Geojit Technologies

In the past few months, the global financial landscape has been rattled by a spate of targeted attacks on financial technology firms by worm-based ransomware. The spike in attacks on FinTech firms came in the wake of a surge in companies that deal in financial technology and hold crucial data about their financial dealings with customers.

Such recurring episodes take us straight to the heart of the issue: what makes FinTech firms vulnerable to hacking, who is behind it, and what are the motives? The answers are not hard to find, and the blame should be shared by FinTech firms and customers alike. For instance, two recent surveys by KPMG and EY found that about 70 percent of data breaches originate within the organization. Such leaked data eventually lands in the wrong hands, resulting in asset losses and denting the reputation of the organization concerned. Many of these firms rely heavily on open standards for cost optimization. This trade-off often costs the firm far more than it saves. The security systems adopted by organizations are also no longer fit for purpose, given the indiscriminate, large-scale use of internet-connected smartphones and other devices without proper firewalls. Such devices make it easy to siphon off information.

Another key lesson is that extra effort is needed to protect sensitive information. Such attacks open an opportunity to redefine information security standards and methodologies, and to roll out new security procedures and protocols. The structure and method of developing and testing applications also have to be redefined. The open standards used for e-mail and for sending text and push messages need a revisit.

It is pertinent to note that cyber-attacks arrive through legitimate channels: the e-mail, messaging and web traffic that an organization has to accept in order to do business. A DDoS attack, for instance, can be pushed through multiple filters with relative ease. Devices inside the organization are also sometimes compromised. So far, there is no common mechanism to control multiple devices running varied operating systems. A new methodology is needed for implementing IT applications and devices, and for data management.

Data security also needs to be redefined, with data classified into multiple quadrants based on confidentiality. There is a corresponding need to redefine what is confidential and what is shareable.



Privacy rules need a complete makeover, since traditional norms no longer hold good: people hand over crucial identifiers such as PAN and Aadhaar numbers without thinking twice. It is like casually giving away your passport number, and by doing so critical and confidential personal data gets stolen. If this data falls into the wrong hands, it can be used to forge an identity or fabricate related records in the victim's name.

Today we use a number of apps, and while using them we inadvertently give away our mobile number and other details. The business models of some firms are built around selling this data, which is then passed on as a lead to, say, insurance companies or other firms. So when you receive a query, mail or call, you have to be really vigilant, because data is being continuously recycled. Most important is customer awareness that prepares people to respond to such unsolicited queries. We should be responsible for the safety of our own assets and information, and we should have some mechanism to cross-check information, such as verifying a caller through the institution's published contact channels before sharing anything.

Everyone is disclosing private data unwittingly, and unfortunately this is not getting highlighted. Public awareness of such things should be given priority, and educating customers about protecting their privacy is an imperative. UIDAI has sent out circulars on who can use Aadhaar data; this is a right step as far as data security and privacy are concerned. For this, customers have to do some introspection. Rapid changes in technology systems have played havoc in all these cases: when we make rapid changes, we have to expect rapid failures too. Today the theory is that if you act fast, you fail fast. Technology, at the end of the day, is not 100 percent 'fail-proof'.

Due diligence on technology is another important matter. A regulator may say you should have testing and a system audit, and may come out with written procedures. But it is the responsibility of each organization to have its own due diligence done before implementing a technology.

Apart from redefining security standards, it is also important to monitor how well they perform and how quickly they are disseminated. In Kerala, there are organisations such as Cyber Dome, and CERT gives advance alerts to many organizations. Today, regulators keep an extra eye on the sector: stock exchanges in the country sent alerts to brokers on the 'WannaCry' ransomware. Such alerts help put controls into the system. Regulators are doing a good job, but they have their limitations too, in that they can only issue alerts and prescribe certain procedures. It remains the organization's responsibility to make its technology as close to 'fail-proof' as possible.

Introducing standardization for technology and devices is uncharted territory, since innovation always breaks standards and methodologies and is in that sense disruptive. FinTechs must be careful about this and must develop non-technical skills as well. The moral of the story is that firms should be more vigilant about security standards and procedures, and customers, for their part, should drop their casual approach to sharing vital personal details.