Simon-Pierre Lebel is Flinks' VP of IT Operations & Security. He's the person who makes things work.

How fintechs should tackle security: 5 pillars of our security strategy

By Simon-Pierre LeBel on February 14th, 2019

Staying secure in an increasingly open world is a vital challenge for all financial services providers, fintechs included. When consumers’ data security and privacy are at stake, rigorous risk management is the name of the game.

At Flinks we believe that handling a vast amount of sensitive financial data calls for best practices. We continuously invest in security so our clients can keep their peace of mind. We've built our security strategy around five pillars — read on, this might help you build your own.

Security as a business asset

Consumers’ trust in their service providers has always been the key to a healthy financial system. Open banking only reinforces that fact — at its heart is the concept of users’ trust and consent. In order to gain and maintain their credibility, fintechs need to adapt their security practices. This is why security is not just an exercise in regulatory compliance for banks: it is a shared responsibility among multiple stakeholders. Those who innovate will turn security into a business asset, helping them be seen as trustworthy by their customers and business partners.

Data security is a shared responsibility between fintechs and banks, which is why it's important that every stakeholder has a robust security strategy

#1 — Do not fall asleep at the wheel

Having controls in place is good. Making sure they work and no one falls asleep at the wheel is better. This requires constant work, both from within Flinks and with external help.

We routinely perform internal control audits of our work teams to make sure everyone understands and follows our policies and procedures. Our alert and escalation system allows our 24/7 response team to quickly and appropriately deal with situations that could otherwise spin out of control.

External audits also play an important role in our security strategy. Flinks has a SOC 2 Type I report attesting that the internal controls and processes we have put in place over the last years are designed to ensure the security of our clients’ financial data.

SOC 2 is a widely adopted attestation standard for SaaS companies. Developed by the American Institute of CPAs (AICPA), the report is issued by an independent auditor — in our case, Deloitte — after examining whether we meet strict and detailed requirements designed to safeguard information. Those requirements include vulnerability management, an SDLC with security in mind, proactive risk assessment, incident response plans, employee training, and vendor and third-party assessments.

Flinks' SOC 2 Type I report attests that we have internal controls and processes in place as part of our security strategy

Our SOC 2 Type I report is just one step along our journey: a Type I report attests to the design of controls at a point in time. We undergo periodic external audits to evaluate the operating effectiveness of our controls and processes over time.

#2 — Be ready to operate under the worst circumstances

You get to the office one morning and realize that your database is compromised, and sensitive data might have been stolen. What’s your first step?

Hint: it’s too late to sit down and draft an emergency response plan.

While we all hope things will always go smoothly, we have to be ready to operate under the worst circumstances. From knowing what can hit us to preparing our response, these are the steps we follow to properly assess and manage risk:

  1. Visibility allows us to consider every possible scenario: We consider anything that can have a negative effect on our operations. Risks can be internal, ranging from intellectual property theft to losing key employees, or external to Flinks, such as service provider failure or changes in laws and regulations that could force us to change the way we conduct our business.
  2. Classifying risks helps us prioritize: Once we have a broad perspective on the threats to our company’s success, it is time to classify them. Risks are typically ranked from “low” to “unacceptable” based on criteria such as their likelihood and impacts. This exercise facilitates prioritization and helps us narrow down our focus on risks that matter the most.
  3. Reducing unacceptable risks is a priority: Our risk team is tasked with reducing any risk classified as unacceptable to an acceptable level. This can be done by avoiding the risk altogether, for instance by not pursuing certain opportunities, cutting ties with a service provider, etc. However, that’s not an option in most cases. That leaves us with risk mitigation strategies designed to lessen the impacts of negative events.
  4. Train, test, rinse, repeat: Training our staff and testing our security strategies is now second nature.

This method provides a very thorough understanding of our strengths and vulnerabilities. From there, we can build controls such as policies and procedures that allow us to monitor risks and be ready to respond to a negative event. On the operational level, for instance, we have prepared a business continuity / disaster recovery plan — don’t worry, we’ll get back to this.

#3 — Choose your service providers wisely

They might be the weak spot or the gap in your data map.

Of course, everyone needs service providers. It only makes sense to avoid building everything from scratch and to focus on our core business. The concept of the data map reminds us how important it is to have a comprehensive understanding of how data flows within our organization, and to and from third parties.

We don’t want sensitive data to be accessible through a vulnerable third party.

This means that we need to rely on the best technology out there when choosing service providers, which includes best-in-class security controls and data-management practices. Well-known standards, frameworks and reports on controls, such as ISO 27001, the NIST frameworks and SOC 2, help us make these choices.

There is a larger point to make here, that goes beyond simple quality control: to prevent unauthorized access, we actively manage who’s in and who’s out. We carefully control and closely monitor who can access both our physical locations and our systems, infrastructures and data — that goes for services providers as well as clients and employees.

  1. Physical access controls protect specific locations where our assets are located: They start with strong doors that lock automatically, security cameras and a front desk to register guests. But, as they say, the devil is in the details: securely storing confidential documents, locking computer screens and generally keeping our desks clean, help too.
  2. Logical access controls protect our IT infrastructure and data: Of course, to be able to operate smoothly, we must find a balance between restriction and access. For instance, access granted to a contractor automatically expires at the end of the agreement.

Other examples are the use of strong passwords and multi-factor authentication, and limits on failed login attempts. As a rule, every account is tied to a named individual — and if credentials absolutely need to be shared, we share them through a secure channel.

(No, a text message doesn’t cut it.)
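The logical access controls above (time-bound grants that expire with a contract, MFA as a precondition, and a lockout after repeated failures) can be expressed as a small access check. The following is an added illustration, not Flinks' code; the grant structure, the five-attempt threshold, the 15-minute lockout and the sample accounts are assumptions made for the example.

```python
"""Time-bound, per-person access grants with MFA enforcement and lockout.

Added example, not Flinks' code. Thresholds, field names and the sample
accounts below are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 5          # assumption: lock after 5 consecutive failures
LOCKOUT = timedelta(minutes=15)  # assumption: lockout window


@dataclass
class Grant:
    """One person, one account: access is never anonymous or shared."""
    principal: str                 # a named individual, not a team mailbox
    resource: str
    expires_at: datetime           # a contractor's grant ends with the contract
    mfa_enrolled: bool = True
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None

    def is_expired(self, now: datetime) -> bool:
        return now >= self.expires_at

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until


def evaluate_login(grant: Grant, password_ok: bool, mfa_ok: bool,
                   now: datetime) -> Tuple[bool, str]:
    """Decide whether a login succeeds. Updates the attempt counter on failure."""
    if grant.is_expired(now):
        return False, "grant expired"
    if grant.is_locked(now):
        return False, "locked out"
    if not grant.mfa_enrolled:
        return False, "MFA not enrolled"
    if password_ok and mfa_ok:
        grant.failed_attempts = 0  # a successful login resets the counter
        return True, "ok"
    grant.failed_attempts += 1
    if grant.failed_attempts >= MAX_FAILED_ATTEMPTS:
        grant.locked_until = now + LOCKOUT
        grant.failed_attempts = 0
        return False, "too many failures; locked"
    return False, "bad credentials"


def stale_grants(grants: List[Grant], now: datetime) -> List[str]:
    """Principals whose grants have expired and should be revoked now."""
    return [g.principal for g in grants if g.is_expired(now)]


def run_scenarios() -> dict:
    """Constructed scenarios (not real accounts) exercising each control."""
    now = datetime(2019, 2, 14, 9, 0, tzinfo=timezone.utc)
    employee = Grant("alice@example.com", "prod-db-readonly", now + timedelta(days=365))
    contractor = Grant("bob@vendor.example", "prod-db-readonly", now - timedelta(days=1))
    no_mfa = Grant("carol@example.com", "prod-db-readonly", now + timedelta(days=30),
                   mfa_enrolled=False)

    results = {}
    # The contract ended yesterday: valid password and MFA no longer help.
    results["contractor_after_contract"] = evaluate_login(contractor, True, True, now)
    # A correct password without MFA enrolment is refused outright.
    results["no_mfa"] = evaluate_login(no_mfa, True, True, now)
    results["employee_ok"] = evaluate_login(employee, True, True, now)
    # Brute-force attempt: five wrong passwords lock the account ...
    last = (False, "")
    for _ in range(MAX_FAILED_ATTEMPTS):
        last = evaluate_login(employee, False, False, now)
    results["after_five_failures"] = last
    # ... and even the right password is rejected until the lockout ends.
    results["correct_password_while_locked"] = evaluate_login(
        employee, True, True, now + timedelta(minutes=1))
    results["after_lockout"] = evaluate_login(employee, True, True, now + LOCKOUT)
    # Periodic deprovisioning sweep: who should lose access today?
    results["to_revoke"] = stale_grants([employee, contractor, no_mfa], now)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The expiry check runs before anything else, so a departed contractor cannot even consume a failed-attempt budget, and `stale_grants` is the kind of sweep that turns "access expires at the end of the agreement" from a policy statement into a scheduled job.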


#4 — Procedures and policies are more fun when you get to hack something

Like all businesses that are serious about security when dealing with sensitive data, we have a business continuity / disaster recovery plan. It’s based on our risk assessment, built from industry best practices and routinely tested. This plan ensures that employees and stakeholders know what actions to take in case of a disruptive event, to keep Flinks running or to resume its mission-critical operations. It contains step-by-step instructions to minimize the negative effects, lays out each team’s roles and provides estimated time to recovery based on our simulations.

Policies and procedures provide high-level principles and concrete instructions to prevent or mitigate threats. But if they are not grounded in our employees’ values and day-to-day behavior, they run the risk of becoming stagnant reference documents that are dusted off only when problems arise. We design and enforce our policies and procedures with our company’s risk culture in mind — both as a starting point and something to cultivate.

  1. Our risk policies are designed from and for our specific work environment: They need to reflect the reality of our employees. For instance, a strict ban on third-party apps in a tech startup isn’t realistic. We have to take into account the needs and natural tendencies of our employees, and provide guidance on how to use those tools safely or offer safer alternatives.
  2. No need to go all Big Brother on our employees: To enforce our policies, we foster a healthy risk culture through gamification. Here’s an example: from time to time, we challenge our employees to spot vulnerabilities in our various environments. That’s right, we take time off to hack ourselves.

This fun competition not only allows us to identify potential risks, but it also raises awareness and stimulates risk ownership.

#5 — Embrace change (management)

Look, we get it.

We all want to push new features as soon as they’re ready. We love to delight our customers. But we must resist the urge, because a change to the code can introduce vulnerabilities without anyone noticing.

This is why risk-averse change management practices are an integral part of our production infrastructure: a change never goes live without proper code review by a second (and a third!) developer; we test everything in a development environment; and we make sure no single individual can break our system by following the principle of least privilege and enforcing segregation of duties.

We’ll leave you with this: risk is an integral part of doing business, and can’t be treated as anything else. As threats evolve, so should our security practices. Innovation is the only way forward.

Sure, sometimes this means having to embrace change faster than we’re comfortable with — we’re only human after all. This is why we believe it’s important to stay open to learning and experimenting, making the foundation of our security strategy four parts rigorous risk management and one part creative fun.
