Whether you’re a leading enterprise or an ambitious startup, your path to growth from this year onward is clear: get quality data and use it to drive your decisions and operations.
By 2025, it’s estimated that 463 exabytes of data will be created each day. In other words, four hundred sixty-three billion gigabytes every day! Finance and fintech won’t be the largest contributors to these numbers (most of it will probably be video data on social media), but there’s something special about financial data. Much like healthcare data, financial data is extremely sensitive and under constant threat of attack by hackers.
Any cybersecurity specialist will tell you that you can’t keep all of your data safe all the time. There are vulnerabilities in systems, weaknesses in networks, and bugs that take years to unearth themselves.
For example, content delivery network Fastly recently experienced a bug that brought down a big chunk of their infrastructure, and it was caused by one user doing a standard configuration option (it’s the same as if you clicked “Publish” on a new article in WordPress and caused all WordPress sites to crash).
This is something that simply can’t happen when users rely on your system to pay rent, trade stocks online, or manage personal finances.
Security and compliance need to be a priority from the start for fintech startups as well as finance incumbents.
Startups, in particular, can experience a whole world of trouble (and huge fines) when they don’t take security and compliance seriously. Once you run into these issues, especially when your company is in a crucial growth stage, it’s very difficult to bounce back. Very few fintechs will have as much luck as Robinhood, which just had a successful IPO despite the recent regulatory scrutiny and the more than $100 million it’s been fined so far.
Robinhood is a unicorn and it doesn’t operate in the same environment as your company or ours. In our world, regulatory fines destroy budgets and security issues destroy businesses. So if you want to drive toward growth on a relatively smooth road, you need to take the right exit off the startup highway early on. Cybersecurity and compliance need to be your priorities from the moment you start working on a new project.
This is mostly a managerial issue, not a technical one. Driven by the pressure of investors, project stakeholders, and competitors breathing down your neck, it can be difficult to make hard choices. Investing in security and compliance early on is definitely a hard choice, but a necessary one in finance and fintech.
Having a proper budget for security and compliance from the ideation and prototyping stage onward will enable your team to build a solid foundation for your product to grow. If you don’t do it early on, you’re going to have to implement new security when your project is bigger, and it’s going to be a much more difficult and complex process.
For a finance incumbent as well as a fintech startup, this means that you have to take cybersecurity seriously and start investing. You need to make room in your budget for:
It might seem simple, but it’s actually quite a challenge to implement thorough monitoring that you can trust to always tell you when something goes wrong in your system.
Early detection is the key to an early fix. With good monitoring, you can solve vulnerabilities before they’re exploited and fix issues before they do anything bad to your users.
The tricky thing here is that monitoring fintech software is as much a technical issue as it is a managerial one. Because software in finance needs to be both secure and compliant with a very broad range of regulations, it takes a lot of work to make sure that you’re meeting both of these requirements at all times.
When you fix a bug in a finance app, your fix might cause new issues with compliance. When developers make code compliant by any means necessary, it might introduce new bugs that make your app difficult to use.
Maintaining security and compliance is a constant balancing act, and it’s very difficult to do if you’re not monitoring your system properly.
The second part of this is keeping your system updated. It seems logical and perfectly simple, but the reality is different. Countless programs use outdated technology, and their creators don’t bother to update them for different reasons. In some cases, the technical debt is so huge that updating one thing would cause the whole system to stop working.
And this is why you get cyber-pandemics like 2017’s WannaCry, a global cyberattack that was basically caused by “continued use of outdated computer systems and poor education around the need to update software.”
From a managerial point of view, you should direct the focus of your development team toward constant monitoring and updating so that you avoid tech debt and security vulnerabilities. Even if developers are forced to push out a bit of poor-quality code, it should be reviewed and refactored as soon as possible.
Building an overly complex system might seem like a purely technical issue, but never forget that developers build the tech to meet business requirements. So if a project is unnecessarily complex, non-technical managers might be the ones responsible for it.
It’s an old issue, as old as the history of capitalism. Business requires a different brain than engineering, and few people can be experts at both. When you have people with different brains on two sides of the project trying to reach common ground, naturally you’re going to run into some difficulties.
One great visualization of this is the short film The Expert. You probably know it; the scene takes place at a meeting where an engineer is grilled by business people for 7 minutes straight about whether he can achieve their impossible and illogical requirements—for example, if he can draw a red line with blue ink.
Building software is difficult. The bigger your team is, the more difficult it becomes. If you’re building software for finance, the difficulty level grows exponentially. So, from a managerial point of view, you should aim to simplify the project as much as possible.
Focus on core business requirements and core functionalities. Anything that’s unnecessary goes in the backlog and stays there until you have enough time to deal with it.
One of the trickiest issues here is that plenty of software these days is built using a lot of third-party services. You can build an app by gluing together ready-made services provided by different companies. New industry standards, like multi-cloud infrastructure, come with security issues that few experts fully understand at this point.
Multi-cloud is a great example because it’s the solution to a business issue (vendor lock-in from using only one cloud provider) that introduces a whole new world of technological issues (security vulnerabilities caused by mixing multiple cloud providers).
Therefore, one of the main ways to limit complexity in your project is to optimize infrastructure providers and third-party services—most importantly, make sure that their tech meets the strict requirements of the fintech market.
In May 2021, CBS reported that there were 500,000 open cybersecurity jobs in the US alone. This means that millions of cybersecurity specialists are needed across the whole world. Why is it so hard to find people who know how to make software secure?
One reason is that it’s an extremely tough and demanding job that can’t really be taught in school or at a bootcamp.
How come? Well, imagine that you’re a cybersecurity specialist working on industrial Internet of Things products. Your company sold several implementations to clients that rely on your systems to keep their factories running. And now you find out that the underlying technology that enables your devices to communicate, the TCP/IP stack, has 14 vulnerabilities that you now need to retroactively fix somehow.
That’s not a theoretical scenario, but something that cybersecurity experts in IoT companies are dealing with right now, after a group of researchers published a report bringing these security issues to light.
Here, unfortunately, there is no clear answer on what to do. The best solution is to work with experienced partners that know your industry, so you should only work with development companies and cybersecurity consultants that have a successful track record in finance or fintech.
Plenty of hacks happen simply because one person clicked the wrong link in an email. Other hacks are caused by skilled programmers that can analyze your code for vulnerabilities and painstakingly gain access to your system through even the smallest opening.
There are many ways to hack your company and you need to be prepared to guard against them from all sides. Technology is just one part of the equation; you also need to invest in educating your team about cyber dangers and practices for safe digital work.
Many people still don’t take it seriously, and in the next few years, they’re all going to learn just how important cybersecurity is. Like the Colonial Pipeline, which had to pay a $4 million ransom in bitcoin just to get operations going again. Or the world’s biggest meat producer, JBS, which paid $11 million in bitcoin.
Hackers are getting hungrier and smarter. Vulnerabilities can be found even in global industry leaders like John Deere, which one security researcher found to have holes in their infrastructure.
We’re entering times when cybersecurity has to become a priority, it can’t be an afterthought anymore. Especially in finance, where leaky code might mean that people lose all of their savings or their highly sensitive data gets stolen.
There’s been an increase in ransomware attacks in the past few years, and it’s only going to get worse. With the growing number of programmers in the global workforce, there’s also the dark side that more people than ever know how to find and exploit vulnerabilities in code.
For finance and fintech, this means that cybersecurity has to be built into your product and all of your operations from the start. It has to be a strong part of your business DNA.
The practices outlined above are intended for managers rather than developers. If you’re a manager who’s looking for experienced fintech programmers, our team is ready to help.
We’ve worked with fintech clients from all over the world and are keen to share our insights. Feel free to check out other fintech articles available on our blog: