To compete in today’s market, the transformational strategies of most financial services companies are aimed at increasing innovation, improving agility and digitizing services.
FinServ companies must adapt to disruptive change and lower their risk aversion, because opting out could result in their becoming irrelevant in the face of rapidly growing customer demands.
The reality is, however, that the path to innovation, agility, and digitization could introduce considerable threats to security.
With every action, an equal and opposite reaction
Many financial services companies are beginning to embrace the disruption of FinTech innovations coming from ground-breaking start-ups, viewing these new kids on the block less as threats and more as partners in service delivery. Large banks are investing in and partnering with them, and some are even building their own technologies to deliver new value propositions for their customers.
An increasing customer demand for self-service capabilities and rapid improvements to web and mobile applications have generated the need for more agile development cycles. This is great for delivery, but expedited testing timelines and the potential for human error mean more opportunities to introduce flaws that can be exploited by hackers.
Additionally, impending regulatory oversight and third-party risk requirements mean each step must be carefully weighed against potential threats. A single misstep could cause irreparable harm to the bank’s reputation.
Accessibility versus breaches
Consumers want their data available anytime and anywhere. Chip cards, cell phone payments, wireless transactions and cryptocurrencies offer incredible new ways for consumers to more rapidly and seamlessly acquire goods, track wealth and exchange data, but these same mechanisms present new openings for the savvy hacker.
Financial services companies are expected to meet this demand while not exposing sensitive customer data to the constantly increasing threats of malicious breaches. Regulations such as the European Commission’s Revised Payments Services Directive, or PSD2, increase these data accessibility requirements incrementally, leaving many banks scrambling to redefine not only their data structures, but their very business models.
Even with stringent security controls in place to combat these existing threats, cyber criminals persist. Because wherever there is profit to be made, there will always be those looking for the quickest path to dollar signs, even if it means breaking the law.
Enter the dark web
The dark web is an unregulated underground Internet made up of heavily encrypted sites that can only be accessed via special browsers and software. Its roots can be traced to a U.S. government initiative known as Tor, designed to prevent the digital interception of intelligence. As with every other positive innovation, the technology had a “dark” application, quickly exploited. Now, the dark web proliferates, with an estimated 30,000 active sites, according to Equifax. These sites are a haven for illicit activity, from underground drug trade to human trafficking, and financial services companies and their customer data are prime targets, since stolen high‑limit credit card numbers can be sold for as much as $20 apiece. Financial services companies are not the only targets — any business that stores and maintains credit card information is squarely in the sights of data thieves.
What can financial services companies do?
As customer and regulatory demands increase, so do the responsibilities of financial services institutions. Along with transformational strategies, they must also include appropriate countermeasures to safeguard data. Below are five ways to accomplish that goal:
- Establish ‘Know Your Customer’ initiatives to ensure that phishing scams, fraudulent account access and money laundering activities are recognized early and remediated.
- Educate innovation teams on the vulnerabilities of their organization’s code base, application development tools and platforms to ensure malware, hacking and breaches are prevented or detected and eliminated quickly. Every new solution must be designed with security built into its DNA.
- Build strong third-party risk assessment programs with regular audits, periodic testing and stiff requirements for all ecosystem partners. PCI Compliance should be the minimum standard, not the ultimate goal.
- Incorporate a dark web monitoring group into your security teams, responsible for surfing, learning, following and mitigating issues related to your company or industry. Consider investing in a dark web monitoring solution for your customer data.
- Work with your managed services providers to ensure you understand where your data resides, how it’s accessed and the encryption channels used between your on‑premises and off‑premises managed solutions.
Rackspace understands that as you innovate, the criminal world is innovating alongside you. Let us help you create a strategy to take the weight off your IT staff’s shoulders, so they can focus on innovating for your customers.