FinTech Platform Security: How to organize processes when outsourcing development
Subpar security while outsourcing endangers your FinTech product
Recently, FinTech was shaken by the breach at LPL and its vendor Capital Forensics, which occurred on November 1 when one of Capital Forensics' third-party platforms was attacked. Soon after, a BlackRock data leak affected 20,000 advisors when the company accidentally published a small number of sales-related documents, exposing names, email addresses, and other information. These announcements made FinTech companies anxious about the integrity and reputation of their own platforms.
Product security begins with company security. When development is kept in-house, it is easier to make sure everything is secure. When development is outsourced, it isn't obvious how to check the security of the vendor's processes. How can one be sure the vendor hires reliable people? That they aren't leaking the company's intellectual property into competitors' hands? How does one guarantee continuous communication between the teams?
In this article, I'll introduce practices for establishing secure outsourced development processes in the security-sensitive FinTech industry. Give it a careful look: missing even one aspect of security endangers your FinTech product!
Is it worth outsourcing security-sensitive software development?
Software development security is an ongoing process that protects three main properties of the platform: confidentiality, integrity, and availability.
- Confidentiality means that data and algorithms are accessible only to those authorized to use them.
- Integrity means that code and data cannot be altered without authorization or detection, so the platform behaves as designed.
- Availability means that the platform and the development process stay usable when needed: services are reachable, and all participants in the process can be reached in real time.
Secure outsourcing is manageable when one abides by a few simple rules. At the same time, the global economy lets companies find talent abroad with the skills or domain experience they need, so they feel no shortage of a qualified workforce. Hiring abroad reduces operations overhead and allows flexibility at limited reputational cost: companies can quickly scale the team up or down, and the outsourcer takes charge of the human factor. So, if arranged skillfully, it can become your ticket to success.
What makes outsourcing security a success?
The following aspects characterize a secure vendor, one that will keep your data and your innovations out of harm's way.
Security starts at the physical level. Otherwise, strangers can walk into your brick-and-mortar office and learn what they're not supposed to know. A badge-based entry system lets a company know exactly who can enter its offices.
It's also worth running background checks on candidates. Companies should check the following:
- Law enforcement records
- Police clearances
- Tax control records
- Psychological portraits
- References from previous employers, etc.
Once these checks are complete, the vendor should sign an NDA with the employee and, where appropriate, have the employee sign one directly with you as the customer.
Code-driven security and certifications
A security-conscious vendor gives new hires internal and external security training when they join. It's also best to have an experienced lead engineer review all the processes on your projects.
Product security can also be built in at the code level by writing code in a specific way, for example by applying security-aware UI/UX techniques. A secure company pushes its employees to complete software security courses and certifications.
Additionally, regulators such as the Securities and Exchange Commission (SEC) monitor companies for compliance with current security requirements. For instance, the SEC recently fined Voya Financial Advisors $1 million for cybersecurity failures. Before outsourcing, ask your vendors whether they have experience working under regulators and standards such as the SEC, FINRA, SOC 2, and ISO/IEC, and what certifications they hold; this accelerates the establishment of secure development processes.
Data encryption and channels
An essential part of your security is the guarantee that work continues and deadlines are met even when something fails. That's why it's worth adhering to several rules:
- Establish multiple internet connectivity channels to ensure uninterrupted connectivity, as well as a secure channel (such as a VPN) for remote employees.
- Keep a pool of spare laptops with all tools and environments installed. When hardware fails, employees can pick one up and continue working without delay, still bringing value to customers. The disks on these laptops are encrypted, so that even if one is stolen, no one can read customers' data.
- Monitor in real time who accesses data, including the mock-ups and training recordings used to onboard employees, whether stored locally or in the cloud. Doing so helps ensure that no one can reach your data from outside.
As a rule, data are most endangered when accessed by people who don't use them directly. So it's important that an outsourcer does not store more data locally than the work requires. Moreover, US regulations restrict offshore access to users' business data. What should FinTech startups do to give outsourcers access to business data while ensuring that they don't break any laws?
To solve this, companies use obfuscated (pseudonymized) data: data that are no longer connected to real names. Even if your platform were attacked and hackers obtained your clients' obfuscated data, they could not tell which clients the records refer to and so could not tie them to real people. This holds only if the key or mapping used to obfuscate the data stays onshore, and if quasi-identifiers such as dates of birth and postal codes are generalized too, since those can re-identify a record even without a name.
On the one hand, obfuscated data let the product be tested on real market data under real market conditions. On the other, impostors have no way to steal your clients' identities from it.
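As an added example (not code from the original article), here is one way to produce such an obfuscated dataset in Python: direct identifiers are replaced with keyed HMAC tokens so that the same client always maps to the same token and joins between records still work, quasi-identifiers are generalized, and the market data is left intact. The key, the field names and the sample records are assumptions constructed for the example.

```python
"""Pseudonymize a client/trade export for an offshore development team.

Direct identifiers become keyed HMAC tokens (same client -> same token, so
joins and referential integrity survive); quasi-identifiers are generalized;
market data (symbol, quantity, price, timestamp) is left untouched.  Without
the key, tokens cannot be reversed or linked back to real clients.
"""
import hashlib
import hmac
import json

# Assumption: an onshore-only secret held in a KMS/HSM and never shipped with the data.
PSEUDONYMIZATION_KEY = b"replace-with-32-random-bytes-from-your-kms"

# Constructed sample export (not real people or trades).
SAMPLE_RECORDS = [
    {"client_id": "C1001", "name": "Jane Doe", "email": "jane.doe@example.com",
     "account": "123456789012", "ssn": "123-45-6789", "dob": "1980-03-14",
     "zip": "10001", "symbol": "AAPL", "qty": 150, "price": 189.25,
     "ts": "2024-01-15T14:32:01Z"},
    {"client_id": "C1001", "name": "Jane Doe", "email": "jane.doe@example.com",
     "account": "123456789012", "ssn": "123-45-6789", "dob": "1980-03-14",
     "zip": "10001", "symbol": "MSFT", "qty": 40, "price": 402.10,
     "ts": "2024-01-15T14:35:48Z"},
    {"client_id": "C2002", "name": "John Roe", "email": "john.roe@example.com",
     "account": "987654321098", "ssn": "987-65-4321", "dob": "1975-11-02",
     "zip": "94105", "symbol": "AAPL", "qty": 25, "price": 189.40,
     "ts": "2024-01-15T14:36:10Z"},
]

# Fields that identify a person on their own.
DIRECT_IDENTIFIERS = ("client_id", "name", "email", "account", "ssn")
# Fields that re-identify in combination (dob + zip is the classic pair);
# keep only the coarse part so cohort-level analysis still works.
QUASI_IDENTIFIERS = {"dob": lambda v: v[:4], "zip": lambda v: v[:3] + "XX"}


def pseudonym(field, value, key=PSEUDONYMIZATION_KEY):
    """Deterministic keyed token for one field value.

    The field name is mixed into the MAC input so the same string appearing
    in two different fields yields unrelated tokens (no cross-field linkage).
    """
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{field}_{mac[:16]}"


def pseudonymize_record(rec, key=PSEUDONYMIZATION_KEY):
    out = {}
    for field, value in rec.items():
        if field in DIRECT_IDENTIFIERS:
            out[field] = pseudonym(field, value, key)
        elif field in QUASI_IDENTIFIERS:
            out[field] = QUASI_IDENTIFIERS[field](value)
        else:
            out[field] = value  # business/market data stays as-is
    return out


def pseudonymize(records, key=PSEUDONYMIZATION_KEY):
    return [pseudonymize_record(r, key) for r in records]


def leaks_identifier(pseudonymized, originals):
    """Pre-shipment check: no original direct identifier survives in the output."""
    blob = json.dumps(pseudonymized)
    return any(rec[f] in blob for rec in originals for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    safe = pseudonymize(SAMPLE_RECORDS)
    print(json.dumps(safe, indent=2))
    print("identifier leak:", leaks_identifier(safe, SAMPLE_RECORDS))
```

Run `leaks_identifier` on every export before it leaves the onshore side; if the key is rotated, the tokens change, so re-export the whole dataset rather than mixing records produced under different keys.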
Local infrastructure security
Local infrastructure lets outsourcers quickly test and debug features. When developers build new features, they can reach production data (in its obfuscated form, as described above) through a staging box over a secure VPN connection. For testing, though, the staging box isn't a silver bullet, as the process becomes too complicated, so sometimes it is necessary to roll out a local test environment. Make sure to log all actions on the box and on the local infrastructure so that internal data-corruption threats can be detected and traced.
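As an added example (not part of the original article), serving both the real-time access-monitoring rule in the previous section and the staging-box logging point here, the following Python scans a constructed access log from a hypothetical staging box and flags the events a vendor team should not be generating: access from outside the VPN range, users not on the project roster, reads of the raw production export, and writes to shared datasets. The VPN range, roster, paths, log format and log lines are all assumptions made for the example.

```python
"""Offline audit check for a shared staging box.

Flags: (1) access from outside the VPN range, (2) user not on the project
roster, (3) any read of the raw production export (developers should only
see the obfuscated copy), (4) writes/deletes to shared datasets, which are
the internal data-corruption risk the logging is meant to catch.
"""
import ipaddress
from dataclasses import dataclass

# Assumptions for the example environment.
VPN_NETS = [ipaddress.ip_network("10.8.0.0/24")]   # remote staff reach staging only via this VPN
PROJECT_ROSTER = {"alice", "bob"}                   # vendor engineers cleared for this project
RAW_DATA_PREFIX = "/data/prod/"                     # raw export; nobody offshore should read it
SHARED_DATA_PREFIX = "/data/"                       # all shared datasets, obfuscated or not
MUTATING_ACTIONS = {"write", "delete", "chmod"}

# Constructed log lines in a simple "ts key=value ..." format (not a real log).
SAMPLE_LOG = """\
2024-01-15T14:32:01Z host=staging-01 user=alice src=10.8.0.12 action=read path=/data/pseudo/clients.csv
2024-01-15T14:40:22Z host=staging-01 user=bob src=10.8.0.33 action=read path=/data/prod/clients.csv
2024-01-15T15:01:09Z host=staging-01 user=carol src=10.8.0.41 action=read path=/data/pseudo/trades.csv
2024-01-15T23:12:45Z host=staging-01 user=alice src=203.0.113.7 action=read path=/data/pseudo/trades.csv
2024-01-15T16:05:00Z host=staging-01 user=bob src=10.8.0.33 action=write path=/data/pseudo/trades.csv
"""


@dataclass
class Alert:
    ts: str
    user: str
    reason: str


def parse_line(line):
    """Parse one 'ts key=value ...' line into a dict; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    event = {"ts": parts[0]}
    for kv in parts[1:]:
        if "=" not in kv:
            return None
        key, value = kv.split("=", 1)
        event[key] = value
    return event


def check_event(event):
    """Return the list of policy violations for a single event (empty if clean)."""
    reasons = []
    try:
        src = ipaddress.ip_address(event.get("src", ""))
    except ValueError:
        reasons.append("unparseable source address")
    else:
        if not any(src in net for net in VPN_NETS):
            reasons.append("source outside VPN")
    if event.get("user") not in PROJECT_ROSTER:
        reasons.append("user not on project roster")
    path = event.get("path", "")
    if path.startswith(RAW_DATA_PREFIX):
        reasons.append("raw production data accessed")
    if event.get("action") in MUTATING_ACTIONS and path.startswith(SHARED_DATA_PREFIX):
        reasons.append("shared dataset modified")
    return reasons


def scan(log_text):
    """Run every line through the checks and collect alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        for reason in check_event(event):
            alerts.append(Alert(event["ts"], event.get("user", "?"), reason))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.ts} {alert.user}: {alert.reason}")
```

In practice the same rules would run continuously against the box's audit stream (for example, the output of auditd or the VPN concentrator's logs), and the roster and VPN range would come from the access-control system rather than being hard-coded, but the checks themselves do not change.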
The security of your product doesn’t depend on whether it’s developed onshore or offshore; it depends on how your teams ensure that their development is secure. I hope that the aspects of providing security I’ve outlined in this article help you guarantee that your partners know what to do to keep your product and data safe.