How fintechs should tackle security: 5 pillars of our security strategy
Staying secure in an increasingly open world is a vital challenge for all financial services providers, fintechs included. When consumers’ data security and privacy are at stake, rigorous risk management is the name of the game.
At Flinks we believe that handling a vast amount of sensitive financial data deserves best practices. We continuously invest in security so our clients can keep their peace of mind. We’ve built our security strategy around five pillars — read on, this might help you build your own security strategy.
Security as a business asset
Consumers’ trust in their service providers has always been the key to a healthy financial system. Open banking only reinforces that fact — at its heart is the concept of users’ trust and consent. In order to gain and maintain their credibility, fintechs need to adapt their security practices. This is why security is not just an exercise in regulatory compliance for banks. It is a shared responsibility among multiple stakeholders. Those who innovate will turn security into a business asset, helping them be seen as trustworthy by their customers and business partners.
#1 — Do not fall asleep at the wheel
Having controls in place is good. Making sure they work and no one falls asleep at the wheel is better. This requires constant work, both from within Flinks and with external help.
We routinely perform internal control audits of our work teams to make sure everyone understands and follows our policies and procedures. Our alert and escalation system allows our 24/7 response team to quickly and appropriately deal with situations that could otherwise spin out of control.
External audits also play an important role in our security strategy. Flinks has a SOC 2 Type I report attesting that the internal controls and processes we have put in place in recent years are designed to ensure the security of our clients’ financial data.
SOC 2 is the gold standard of security compliance for SaaS companies. Developed by the American Institute of CPAs (AICPA), the certification is awarded by an independent auditor — in our case, it was Deloitte — that makes sure we meet strict and detailed requirements designed to safeguard information. Those requirements include security vulnerability management, an SDLC with security in mind, proactive risk assessment, incident response plans, employee training, and vendor and third-party assessments.
Our SOC 2 Type I report is just one step along our journey. We undergo periodic external audits to evaluate the effectiveness of our controls and processes over time.
#2 — Be ready to operate under the worst circumstances
You get to the office one morning and realize that your database is compromised, and sensitive data might have been stolen. What’s your first step?
Hint: it’s too late to sit down and draft an emergency response plan.
While we all hope things will always go smoothly, we have to be ready to operate under the worst circumstances. From knowing what can hit us to preparing our response, these are the steps we follow to properly assess and manage risk:
- Visibility allows us to consider every possible scenario: We consider anything that can have a negative effect on our operations. Risks can be internal, ranging from intellectual property theft to losing key employees, or external to Flinks, such as service provider failure or changes in laws and regulations that could force us to change the way we conduct our business.
- Classifying risks helps us prioritize: Once we have a broad perspective on the threats to our company’s success, it is time to classify them. Risks are typically ranked from “low” to “unacceptable” based on criteria such as their likelihood and impacts. This exercise facilitates prioritization and helps us narrow down our focus on risks that matter the most.
- Reducing unacceptable risks is a priority: Our risk team is tasked with reducing any risk classified as unacceptable to an acceptable level. This can be done by avoiding the risk altogether, for instance by not pursuing certain opportunities, cutting ties with a service provider, etc. However, that’s not an option in most cases. That leaves us with risk mitigation strategies designed to lessen the impacts of negative events.
- Train, test, rinse, repeat: Training our staff and testing our security strategies is now second nature.
This method provides a very thorough understanding of our strengths and vulnerabilities. From there, we can build controls such as policies and procedures that allow us to monitor risks and be ready to respond to a negative event. On the operational level, for instance, we have prepared a business continuity / disaster recovery plan — don’t worry, we’ll get back to this.
#3 — Choose your service providers wisely
They might be the weak spot or the gap in your data map.
Of course, everyone needs service providers. It only makes sense to avoid building everything from scratch, and focus on our core business. The concept of the data map reminds us of how important it is to have a comprehensive understanding of how data flows within our organization, and to and from third parties.
We don’t want sensitive data to be accessible through a vulnerable third party.
This means that we need to rely on the best technology out there when choosing service providers, which includes best-in-class security controls and data-management practices. There are some well-known standards, frameworks and reports on controls out there, such as ISO 27001, NIST and SOC 2, that help us make these choices.
There is a larger point to make here, one that goes beyond simple quality control: to prevent unauthorized access, we actively manage who’s in and who’s out. We carefully control and closely monitor who can access both our physical locations and our systems, infrastructure and data — that goes for service providers as well as clients and employees.
- Physical access controls protect specific locations where our assets are located: They start with strong doors that lock automatically, security cameras and a front desk to register guests. But, as they say, the devil is in the details: securely storing confidential documents, locking computer screens and generally keeping our desks clean help too.
- Logical access controls protect our IT infrastructure and data: Of course, to be able to operate smoothly, we must find a balance between restriction and access. For instance, access granted to a contractor automatically expires at the end of the agreement.
Other examples are the use of strong passwords and multi-factor authentication, and limits on connection attempts. As a rule, we make all access personal — and if credentials absolutely need to be shared, we share them securely.
(No, a text message doesn’t cut it.)
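To make the logical access controls above concrete, here is a small model of them as an added example; it is not Flinks’ code, and the thresholds (five failed attempts, a 15-minute lockout, a 12-character password rule) are constructed values, not Flinks policy. It shows an account that expires with the contractor’s agreement, a requirement that MFA be both enrolled and satisfied, and a connection-attempt limit that locks the account for a while instead of letting guesses continue.

```python
"""Added example (not Flinks' code): a model of time-boxed, personal, MFA-backed access
with a limit on failed connection attempts. All thresholds below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_FAILED_ATTEMPTS = 5          # constructed threshold
LOCKOUT = timedelta(minutes=15)  # constructed lockout window


@dataclass
class Account:
    user: str                        # every account is personal; no shared logins
    mfa_enrolled: bool               # MFA is mandatory, not optional
    expires_at: Optional[datetime]   # contractors get an end date matching the agreement
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def is_strong_password(pw: str) -> bool:
    """Constructed password rule: at least 12 characters and three character classes."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return len(pw) >= 12 and sum(classes) >= 3


def check_access(acct: Account, password_ok: bool, mfa_ok: bool, now: datetime) -> str:
    """Return 'granted' or a denial reason, updating the attempt counter as a side effect."""
    # Expired access is refused before anything else: the agreement ended, so did the access.
    if acct.expires_at is not None and now >= acct.expires_at:
        return "denied: access expired"
    # A locked account does not even get to try a password until the window passes.
    if acct.locked_until is not None and now < acct.locked_until:
        return "denied: locked out"
    if not password_ok:
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT
            acct.failed_attempts = 0
        return "denied: bad password"
    # A correct password is never enough on its own.
    if not acct.mfa_enrolled or not mfa_ok:
        return "denied: mfa required"
    acct.failed_attempts = 0
    return "granted"


if __name__ == "__main__":
    now = datetime(2024, 1, 10, tzinfo=timezone.utc)  # constructed clock
    contractor = Account("contractor", mfa_enrolled=True, expires_at=now + timedelta(days=30))
    print(check_access(contractor, True, True, now))
    print(check_access(contractor, True, True, now + timedelta(days=31)))
```

The order of the checks matters: expiry and lockout are evaluated before the password so that an expired contractor cannot keep an account warm by logging in, and a locked account gives an attacker no signal about whether the password was right.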
#4 — Procedures and policies are more fun when you get to hack something
Like all businesses that are serious about security when dealing with sensitive data, we have a business continuity / disaster recovery plan. It’s based on our risk assessment, built from industry best practices and routinely tested. This plan ensures that employees and stakeholders know what actions to take in case of a disrupting event to keep Flinks running or resume its mission-critical operations. It contains step-by-step instructions to minimize the negative effects, lays out each team’s roles and provides estimated time to recovery based on our simulations.
Policies and procedures provide high-level principles and concrete instructions to prevent or mitigate threats. But if they are not grounded in our employees’ values and day-to-day
- Our risk policies are designed from and for our specific work environment: They need to reflect the reality of our employees. For instance, a strict policy against the use of third-party apps in a tech startup isn’t realistic. We have to take into account the needs and natural tendencies of our employees and provide guidance on how to use those apps safely, or offer safer alternatives.
- No need to go all Big Brother on our employees: To enforce our policies, we foster a healthy risk culture through gamification. Here’s an example: from time to time, we challenge our employees to spot vulnerabilities in our various environments. That’s right, we take time off to hack ourselves.
This fun competition not only allows us to identify potential risks, but it also raises awareness and stimulates risk ownership.
#5 — Embrace change (management)
Look, we get it.
We all want to push new features as soon as they’re ready. We love to delight our customers. But we must resist the urge. Because without knowing it, a change to the code can introduce hidden vulnerabilities.
This is why risk-averse change management practices are an integral part of our prod infrastructure: a change never goes live without proper code review by a second (and a third!) developer; we test everything in a development environment; we make sure no individual can break our system by following the principle of least privilege and enforcing segregation of duties.
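As an added example (not Flinks’ tooling), the change-management rules above can be written down as a release gate that a deployment pipeline would evaluate before anything goes live. The role table and names are constructed; the point it makes beyond the paragraph is that approvals from the author, or the same reviewer approving twice, do not count toward the required number, and that the deploy right is held by a few people who are never the author of the change.

```python
"""Added example (not Flinks' code): a release gate encoding independent review,
tests in a development environment, segregation of duties and least privilege."""
from dataclasses import dataclass
from typing import Dict, List, Set

MIN_REVIEWERS = 2  # "a second (and a third!) developer": at least two approvals besides the author

# Constructed role table: least privilege means only a few people hold the deploy right.
ROLES: Dict[str, Set[str]] = {
    "alice": {"dev"},
    "bob": {"dev", "deploy"},
    "carol": {"dev"},
    "dan": {"dev", "deploy"},
}


@dataclass
class Change:
    author: str
    approvers: List[str]      # who clicked "approve" on the review
    dev_tests_passed: bool    # result from the development environment
    deployer: str             # who is asking to push it to production


def release_gate(change: Change, roles: Dict[str, Set[str]] = ROLES) -> List[str]:
    """Return every reason the change may not go live; an empty list means it passes."""
    reasons: List[str] = []

    # Reviews must come from people other than the author, and duplicates count once.
    independent = {a for a in change.approvers if a != change.author}
    if len(independent) < MIN_REVIEWERS:
        reasons.append(f"needs {MIN_REVIEWERS} independent approvals, has {len(independent)}")

    if not change.dev_tests_passed:
        reasons.append("tests in the development environment have not passed")

    # Segregation of duties: the person who wrote the change does not ship it.
    if change.deployer == change.author:
        reasons.append("author may not deploy their own change")

    # Least privilege: deploying needs an explicitly granted role, not just membership.
    if "deploy" not in roles.get(change.deployer, set()):
        reasons.append(f"{change.deployer} lacks the deploy role")

    return reasons


if __name__ == "__main__":
    good = Change("alice", ["bob", "carol"], True, "dan")
    bad = Change("alice", ["alice", "bob", "bob"], False, "alice")
    print("good:", release_gate(good) or "passes")
    print("bad:", release_gate(bad))
```

Returning the full list of reasons rather than stopping at the first one is deliberate: the developer fixes everything in one round, and the audit trail records every rule the change tripped.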
We’ll leave you with this: risk is an integral part of doing business, and can’t be treated as something else. As threats are evolving, so should our security practices. Innovation is the only way forward.
Sure, sometimes this means having to embrace change faster than we’re comfortable with — we’re only human after all. This is why we believe it’s important to stay open to learning and experimenting, making the foundation of our security strategy four parts rigorous risk management, and one part creative fun.