3 reasons why fintech startups get hacked and how they can protect themselves

Nigerian startups have suffered more than their own fair share of hacks and this is particularly true of financial technology startups
Google launches AI accelerator for African startups
Startup founders at a parley

Nigerian startups have suffered more than their own fair share of hacks in recent times. This is particularly true of financial technology startups and their applications. These hacks usually lead to a compromise of users’ information and more importantly, their funds domiciled on those platforms.

These breaches are usually attributed to the general security infrastructure breach. However, there are no real explanations as to why and how these infrastructure breaches happen. However, Deimos a leading African cloud-focused cybersecurity company has revealed the mistakes startups make that lead to security breaches.

In a statement to Technext, the South Africa-based cybersecurity company highlighted the common pitfalls that startup organisations encounter when securing their operations. According to the company, most problems are more human problems than technical. These include:

Startups prioritise speed and agility over security in their go-to-market strategy; Pursuing a reactive approach to cybersecurity – that addresses security only after breaches or cyberattacks have already occurred. Finally, not implementing secure access control measures for employees working with sensitive information and systems.

Nigerian fintech, Patricia recently suffered a security breach

Expanding it further, Director of Security Engineering at Deimos, Deen Hans, explained that startups tend to prioritise the quick release of features as against making sure their security is tight. He said while pursuing quick go-to-market feature deployments, they sometimes accept security risks that may have a more devastating impact instead of delaying releases.

He also pointed out that startups usually carry out inadequate or no risk assessment at all.

“Startups tend to measure risk from the standpoint of having a smaller user base, or on the basis of not yet encountering a security breach or incident yet. This leads to deprioritization, or complete oversight of security issues in their production environment that can lead to reputation damage or loss in user trust, primarily as a result of a data breach

Deen Hans, Director of Security Engineering at Deimos

Finally, he said startups fail to understand risk appetite. According to the security chief, there must be a balance between feature development and security in a startup environment. Trade-offs also need to be made to make security improvements after releases. He said many startups do not have a full overview and insight into their risk appetite and this would lead to making trade-offs that negatively impact their business.

“Risk appetite goes hand in hand with identifying and having a good grasp on what are a business’s most valuable assets they need to secure, be it their user’s private identity, financial data or monetary funds. Having a full picture of what needs to be secured, aids in not making incorrect assertions that can compromise the assets required for a business to operate and to uphold user safety and security,” he finished.

How startups could protect themselves

According to Kaspersky, the world’s largest private vendor of Internet security solutions, nearly 57,116 Distributed Denial of Service (DDoS) attacks were reported in Q3 2022. During these DDOS attacks, an attacker floods an organisation’s server with traffic to prevent users from accessing connected online services and sites.

3 reasons why fintech startups get hacked and how they can protect themselves

Deimos noted that DDoS attacks and similar breaches are due to a failure in prioritising good governance practices, education, and awareness of cloud technology from a security perspective. However, many startups are uncertain about their compliance status and the state of their security, sometimes realising security flaws at the last moment before launching their services and apps. This automatically necessitates a return to the development stage.

IBM estimates that 82% of breaches involved data stored in the cloud. As African companies transition to remote teams and embrace cloud operations in their day-to-day activities, they often overlook access control measures and necessary permissions, thereby creating vulnerabilities. A single compromised user can have far-reaching consequences.

Verizon’s 2023 Data Breach Investigations Report estimates that 74% of breaches involved the human element, which includes social engineering attacks, errors or misuse. Deimos agrees, observing that the absence of cybersecurity in Africa primarily impacts remote work. It therefore advocates automated security processes to reduce manual reviews and controls, thereby mitigating human errors.

As remote and hybrid work is the new normal, businesses increasingly rely on cloud technology. Deimos sheds light on three vital methods engineering teams must apply to increase their cloud security:

Shifting left: This involves moving the security planning, design, and testing of key products earlier in the software development life cycle, rather than after release. This means thinking about security right from the start of making a new software or product, not just after it’s finished

Defending right: This includes implementing firewalls and intrusion detection systems to protect products from external threats. This is like putting up barriers and security systems to protect your products from outside threats.

Using Automated Tools: Think of this like using smart machines to check your work. These tools can look for any mistakes or weaknesses in the code or software you’re creating. Utilising automated tools to establish guardrails before moving into production – such as static and dynamic application security testing, or package vulnerability scanning, to analyse source code, software packages, or web application respectively, for vulnerabilities. Utilising automated tools to establish guardrails before moving into production.

Security breaches could lead to startup failure

These protections are crucial for Africa’s fast-growing tech ecosystem which holds lucrative data and assets within the cloud, making unprepared businesses an attractive target for cybercriminals. Each breach further impacts millions of Africans, across the continent and diaspora, and whilst cyber security solutions are readily available, many are not followed.

Deen Hans, Deimos’ Director of Security Engineering, emphasised that businesses must “fortify themselves against cloud security vulnerabilities. In my experience working with our clients, the focus is very much on operations that lead to growth, competitive edge and so on. A Cybersecurity strategy usually comes in the aftermath of a breach. However, this can be costly, with critical vulnerabilities that damage reputation and erode trust. The consequences of pursuing growth without a strong security posture can be detrimental,” he finished.

Similar read: MoMo, Flutterwave, now Patricia; Nigerian fintechs must work harder to prevent cyber attacks

Technext Newsletter

Get the best of Africa’s daily tech to your inbox – first thing every morning.
Join the community now!

Register for Technext Coinference 2023, the Largest blockchain and DeFi Gathering in Africa.

Technext Newsletter

Get the best of Africa’s daily tech to your inbox – first thing every morning.
Join the community now!