Winning the innovation arms race with business defence for FinTech

By Alex Taverner

With Singapore continuously strengthening its position as a global financial hub – now ranked third in the current Global Financial Centres Index – government bodies like the Monetary Authority of Singapore (MAS) are increasingly looking to technology to not only support and expedite growth in the financial sector, but also to protect it.

Central to achieving this is innovation – creating new ways to conduct business, quickly and more efficiently with new customers and, importantly, more securely than ever before.

Innovation, unfortunately, is not the sole prerogative of those operating on the right side of the law and ethics. On the flip-side, cyber criminals are also continuously developing new and creative mechanisms to separate money, intellectual property, and other assets from their rightful owners.

This was clearly demonstrated earlier this year, when cyber attackers found a way to change just two bits in the computer code handling SWIFT transactions at the Bangladesh Reserve Bank, enabling them to make off with US$81m for their efforts in the single largest cyber-heist in history.

The innovation 'arms race'
Looking across industries, nowhere are innovations emerging as quickly as in the financial services landscape, where financial technology (FinTech) is blazing through and disrupting traditional structures that have been in place for centuries. Adding to this is Singapore’s evolution as a major FinTech hub in Asia Pacific, whilst also being a regional base for global FinTech firms and national start-ups [1].

Driving Singapore to the top is the role of financial regulator MAS, with its active involvement in the start-up community as well as its support for a FinTech accelerator. In fact, MAS has committed US$225m to grow the local FinTech sector in the next five years [2].

But whilst FinTech is steering the financial services industry into new territory, these disruptive technologies are also being quickly evaluated and exploited by cyber criminals. For example, internet-based shopping saw the rise of new forms of fraud – here in Singapore, e-commerce cheating cases increased by nearly 30 percent in 2015 [3].

Meanwhile, online banking services and payment gateways saw the creation of new ‘Man In The Middle’ (MITM) and so-called ‘skinning’ attacks and even more new fraud techniques. Another example is the growth in crypto-currency adoption giving rise to specialist malware and attacks targeting crypto-wallet applications, and so on.

This innovation ‘arms race’ means that new technologies must consider security as paramount if their potential benefits are to be realised. Trust relationships with other participants must be robust and provable.

Controls must extend beyond an organisation’s increasingly hard to define perimeter and must protect transactions beyond any one single entity’s control. We need to defend outside our perimeters as well as within; it’s more than just needing perimeter security – it’s the need for business defence.

Building in business defence
Innovation requires investment and investment demands a return. Protecting the investment isn’t a technical requirement, it’s a business one, and it needs to be treated like any other business investment: evaluate the risks, develop a treatment plan and enact it.

But herein lies the challenge – how do you evaluate and defend investments from potentially unknown risks and threats? Whilst there is no single catch-all answer, the following are always true:

• Someone, somewhere will always want what you have or what you provide. Attacks are a matter of ‘when’ and ‘how’, not ‘if’. The economics of cyber-attacks are asymmetric and favour the attacker. Rebalance the equation by incorporating this from the start;
• Business defences built in from the get-go are always more effective and cheaper than anything built later as an after-thought or ‘phase 2’;
• The better the information you have about those who pose a threat, the better your risk position and ability to defend. Threat Intelligence is highly cost-effective when used well – in fact, companies using security intelligence technologies were more efficient in detecting and containing cyber attacks, resulting in an average cost savings of $1.9m as compared to companies not deploying security intelligence technologies [4];
• You can’t prevent an attack you don’t know about; you need to be able to detect an attack before you can defend against it. Maximise your visibility over your technical estate and employ solutions that can detect attacks early in their lifecycle. This gives you the maximum opportunity to address risks and effect mitigations before peak impact.

FinTech is truly a burgeoning realm of great opportunity and reward. With plans in place by MAS to establish Singapore as a Smart Financial Centre that aims to foster innovation and support the FinTech community, the need to build in our business defences and develop robust trust models from inception is even more essential. If not, we risk losing not only our investment, but also more valuable things – opportunity, reputation, trust, and time.

[1] https://www.accaglobal.com/content/dam/ACCA_Global/Technical/Future/FinTech-transforming-finance.pdf
[2] https://www.pwc.com/sg/en/publications/assets/fintech-startupbootcamp-apac-2015.pdf
[3] https://www.police.gov.sg/~/media/spf/files/statistics/20160212_annual_crime_brief_2015.pdf
[4] https://www.ponemon.org/blog/2015-cost-of-cyber-crime-united-states
