Why fintech startups should embrace recent data security breaches
Each month, the data breach of another large company makes headlines. In July, dating site Ashley Madison hit the news when over 30 million usernames and (encrypted) passwords were leaked online. Carphone Warehouse followed in August, when the personal details of 2.4 million customers were leaked. September was relatively quiet, but October brought another slew of breaches, with TalkTalk, Marks & Spencer and British Gas all admitting major incidents.
The immediate worry is about compromised bank account information, credit card details and personal data, but you also have to step back and wonder why large companies are having these problems so regularly when they have ample resources to make sure their systems are watertight. And, besides reputational damage, what might the consequences be for these companies?
Working out the financial cost from bad publicity is always tricky, but one thing that is clear is the potential to be fined. In the UK, the Information Commissioner’s Office has the power to fine companies up to £500,000 for breaching the Data Protection Act. For big companies like British Gas, that is not a life-changing event, but for an early-stage startup, it could be fatal. So it is all the more important that startups get security and privacy right from the start.
However, startups have an advantage over larger companies in that they are not plagued by a myriad of out-of-date software that is difficult and expensive to maintain, and probably hard to upgrade in a timely manner. Many large companies are still using the same systems they used ten or fifteen years ago, and projects to migrate onto more modern platforms can take many years to come to fruition. If a company rolled out their own software, it’s not unusual for no single person to fully understand the systems and the consequences of changing any given part. If they are reliant on vendors, those vendors are probably trying to shift focus to their latest and greatest product, meaning support and bug-fixes for older software is not as responsive as it needs to be.
Seen through that lens, startups are in a great position, as they are generally investing in a software estate that is brand new, and shaped by an elegant design rather than years of accretion. And these days, startups are often building their applications on top of cloud platforms, run by people whose full-time job it is to make these platforms secure. Bug fixes and upgrades are a non-event for the most part, as they just happen as part of a managed infrastructure. Added to this is the fact that the plethora of platforms and open-source frameworks means a small team can be hugely more productive than the same number of people working in a large company (or even a startup just five years ago).
At the same time, startups can easily overlook important details. When you are not serving many customers and your databases are fairly empty, you are unlikely to attract the attention of many hackers. But if you do not build in security and privacy from the start, it can be hard to retrofit these down the line.
Fintech startups are more exposed to personal data risk than many startups, just due to the nature of the industry. At PensionBee, we have thought carefully about how to respond to the problem of security and privacy. As a new brand dealing with pensions, we have taken the decision to regularly commission external penetration testing and be transparent about the results of those tests. Our first test results are now in and the feedback has already had an effect on how we design our systems. If we build something, we will always make sure it is rigorously tested by a qualified third-party and shown to be secure. This is part of taking security and privacy seriously - if a system is only as secure as its weakest link, why not shore up all the links?
