Keep up to date with the experts

Get insights direct to your email inbox

Subscription Form exit intent popup

Follow us on social

“We needed to find solutions to a variety of issues whilst being a complex business, operating in a 24/7 environment. Stripe OLT listened and understood immediately the challenges we faced.”

IT Operations Manager

Simon Darley

Trusted by industry leaders

Request a Quote.

First we need a few details.

Contact Form Primary popup

By continuing, you agree to our Terms & Privacy Policy

Penetration testing and the financial services industry

In a nutshell:
Due to the amount of data (personal and financial) that banking apps can hold, for both an individual or an organisation, you can imagine it’s like entering The Cave of Wonders for a hacker.
Older technologies weren’t developed with today’s cybersecurity threats in mind

The financial services industry is constantly under attack from numerous and significant cyber attacks and threats. There are many things a business can do, and penetration tests are one of those that can help mitigate those risks.

Vulnerabilities hackers can exploit in the financial services sector

The security challenges the financial industry face vary depending on a few things:

  • Size of the organisation
  • How established they are
  • The products/services that are on offer
  • The data that’s held on customers

Many financial organisations have apps for customers, and much like how magpies are attracted to shiny things, finance apps are like the shiniest of things for hackers. Due to the amount of data (personal and financial) the app holds and processes on an individual or an organisation, you can imagine it’s like entering The Cave of Wonders once inside one of these apps.

Insecure Direct Object References

One example of a type of web application vulnerability that finance organisations could see is an Insecure Direct Object References vulnerability typically involves a hacker logging into an app and making small changes to the URL, gaining access to the profiles of other users.

For larger organisations, key vulnerabilities often surround the use of outdated technology and the migration to the cloud. Uri Bar-El, Qualitest’s Global Head of Cyber Security explains the risks of cloud migration for the financial industry in a blog by Qualitest called, “Cloud Migration: 3 Biggest Risks Banks and Financial Services Companies Need to Know (and How to Avoid Them)”, and in summary, says:

  • Whoever owns the process of finding vulnerabilities does not own the process of mitigating them. Creating misalignment or a security-development disconnect.
  • Poor normalisation. Each security tool is an island and has its own risk metrics. So, when a bank or financial services organisation gets a set of results – and again, these are hundreds or thousands of results – they’re not normalized. So, there is no way for the organisation to compare apple with apple and know its real risk level and prioritize the mitigation process.
  • Lack of aggregation and correlation. Sometimes several vulnerabilities can be solved by a single fix. But right now, security needs to contact each developer team about each vulnerability one by one and tell them what they need to do.

Older technologies weren’t developed with today’s cybersecurity threats in mind (perhaps these businesses thought cyber-attacks couldn’t get any more sophisticated, or that we would have been able to crack down on cybercrime, or maybe they just thought it would be somebody else’s problem). As such, outdated technology can present an increased risk –, particularly if software patches and updates aren’t regularly released and applied.

For organisations that have joined the modern workplace, the above won’t be an issue – however, you’re not out of the woods just yet. A rapidly growing business such as a financial start-up can quickly exceed the rate at which they are able to protect their organisation. Another potential issue is that new technologies can lack widely documented security standards and are consequently often misconfigured.

Remote working also poses a number of security risks across the financial sector, with employees accessing networks and systems outside of the office, meaning it is vital that regular assessments are conducted to identify weaknesses. For example, if data is sent in an unencrypted format, like plan text then it might be intercepted and stolen by hackers. Financial organisations should therefore not be allowed to access any unknown Wi-Fi networks unless they are using a VPN connection.

Choosing the right security partner is key

Penetration testing should be at the heart of any financial organisation’s security posture, providing invaluable insight to help security teams better understand where their organisation is vulnerable to cyber-attacks.

Choosing the right security partner is vital to a successful pen test – it is important to select one that can demonstrate sector-specific experience and an understanding of the latest techniques being used by hackers.

Without an experienced, CREST certified partner, penetration testing will not deliver the value and outcomes your organisation needs in order to better understand the security risks they face and strengthen their cyber resilience.

Key Takeaways

Want to know more about our Penetration Testing Services?

Our latest insights

  • Cyber security threats

    Top 5 Most Dangerous Cyber Security Threats, SANS Reveals

    May 22, 2023
    Read full article
  • digital UK security

    Key findings: UK Cyber Security breaches Survey 2023

    May 9, 2023
    Read full article
  • What is Microsoft Security Copilot?

    April 21, 2023
    Read full article
  • The Dangers of Chatbots

    April 19, 2023
    Read full article
  • cyber essentials

    Cyber Essentials 2023 update

    April 21, 2023
    Read full article
  • Microsoft announces Co-pilot: The productivity game changer

    March 28, 2023
    Read full article
  • ibm x-force threat intelligence index Breakdown

    March 3, 2023
    Read full article
  • Microsoft Partner Pledge

    March 2, 2023
    Read full article
  • Microsoft price increase image of keyboard

    Microsoft April 2023 Price Increase

    February 15, 2023
    Read full article
  • Chat GPT

    Chat GPT - What's the hype?

    February 3, 2023
    Read full article
  • 12 Tips for a Cyber Safe Christmas

    February 28, 2023
    Read full article
  • The importance of back up and DR

    January 22, 2023
    Read full article