Another year of threats: where fintech firms will need to focus security efforts in 2023
From open banking to embedded finance, digital transformation has been driving a not-so-quiet revolution in financial services over recent years. As the pace heats up in 2023, fintech IT teams must double down on cybersecurity or risk undermining all of their hard-won gains. But it’s becoming increasingly challenging to know where to focus these efforts in a world characterised by distributed IT environments, expansive supply chains and determined threat actors.
That’s why fintechs and other organisations will increasingly be looking to zero trust and platform-based approaches to guide them through the current turbulence.
The perimeter expands
There’s an uncomfortable truth at the heart of digital transformation: as organisations increase their reliance on cloud infrastructure, DevOps-driven application development and remote working, their respective corporate attack surfaces will continue to expand. Research reveals that 75% of global financial services firms are concerned about this, with half (49%) arguing their attack surface is “spiralling out of control”.
This will continue to be the direction of travel in 2023, as Trend Micro reveals in its latest predictions report. As the pandemic highlighted, home working environments are often less well protected than their corporate counterparts, with remote workers likely to be using under-secured equipment and potentially distracted by family and housemates. The bad guys will capitalise – targeting users with sophisticated phishing attacks and looking to exploit vulnerabilities and misconfigurations in VPNs, home routers and cloud accounts.
From there, they could directly steal sensitive company data or use the home office as a stepping stone into corporate networks.
Attack surfaces spiral
These challenges are perpetuated not only by low user security awareness levels but also by depleted in-house IT skills. That will be increasingly telling when it comes to securing cloud environments, which are the mainstay of fintech operations. These skills shortages will lead to more misconfiguration of cloud infrastructure, which can in turn mean that data stores become exposed to anyone with an internet connection.
Expect more targeting of cloud APIs in 2023, as well as use of techniques like “living off the cloud” – whereby hackers will leverage native cloud tools for their own uses, such as data exfiltration, to stay under the radar.
Cloud developers, meanwhile, will face an ongoing threat stemming from their use of the third-party open source components which help to accelerate time to market. One report claims that there’s been a 742% average annual increase in software supply chain attacks over the past three years. Attackers either exploit existing vulnerabilities in these components, or insert malware into them upstream, so that they’re able to compromise a range of targets downstream.
Just like cloud and open source software suppliers, managed service providers (MSPs) could also be a source of risk for fintechs in 2023. The reason is simple: by targeting these third-party firms, threat actors can compromise a huge sweep of their customers effectively in one go. That’s good ROI from the hacker’s point of view. It’s the kind of logic that led to the breach of IT software firm Kaseya, resulting in dozens of MSPs and thousands of their customers being hit by ransomware last year.
Tackling these cyber risks over the coming year will require a multi-layered response from the fintech industry. That means enhancing user education so that home and office-bound workers are better able to spot phishing attacks, and maintain good cyber-hygiene practices such as regular updates to PCs and devices. For many organisations, it will also mean adopting a zero trust roadmap.
Ideal for mobile, cloud-based application environments, this approach posits that all users and devices should be continuously verified and authenticated, and granted only the minimum privileges needed to do their work. Monitoring tools spot any signs of compromise early on, while network segmentation ensures that any breach can be quickly contained.
A final piece of the puzzle concerns the kind of security tools organisations will gravitate to in 2023. For too long, firms have been labouring away with a surfeit of point solutions accrued over the years. It’s expensive, inefficient and leaves security gaps – not to mention the impact on security staff productivity. As the year progresses, IT and security leaders will increasingly move towards platform-based offerings that help them to simplify security, improve visibility and control, and become more cost-efficient.
With a single platform via which to map their attack surface, and then protect, detect and respond to threats across it, fintech firms will be in a relatively good place next year.
By Lewis Duke, senior security engineer, Trend Micro