Cybercrime is estimated to cost businesses trillions of dollars a year [1]. For companies such as Nutmeg, good cybersecurity to protect our customers from criminals is essential. So, what do we do to make sure your money and data is safe?
In the last few years, there’s been a professionalisation of hacking. Rather than young geeks in their bedrooms doing it for fun, threats nowadays come from organised criminals whose “job” it is to break into financial institutions.
For criminal gangs, there is a lot of money to be made, not just from defrauding financial companies, but by gaining access to customers’ identities to commit identity theft or blackmail. The risks are especially high for firms dealing with customers who are famous, wealthy or politically sensitive.
At Nutmeg, we take cybersecurity extremely seriously. These are some of the measures we take to ensure we are as resilient as possible.
Security and awareness training for all staff
Unfortunately, employees can sometimes be the most vulnerable part of an organisation. Criminals often pose as customers or legitimate institutions to try to deceive staff of financial firms into giving away valuable data – a tactic known as phishing. To protect against this threat, we train all our staff to recognise and resist phishing attempts, for instance fraudulent emails.
Nutmeg engineers are given additional training in the techniques that hackers use. One way to conduct this training is by challenging engineers to think as hackers do, by giving them an example of a vulnerable software application and asking them to try to compromise it. The best way to learn security defence is by trying to break into something.
Threat modelling for software architecture and design
To mount an effective defence against hackers, it is important to identify the assets an attacker might be interested in. Customer data is our most important asset and therefore we take the business of protecting it very seriously.
Then we look at the entry points. How could an attacker get to those assets? Nutmeg works with a market leader in cloud computing. All images, containers and configurations are regularly scanned for vulnerabilities to ensure our customers’ data is safe.
After assets and entry points, we identify the most likely attack scenarios with attack trees. These logical tree structures help us to prioritise deployment of the best security controls to mitigate risk.
We use threat modelling to help decide how to build our software to make it as resilient as possible in the face of potential attack.
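To make the attack-tree step concrete, here is a small evaluator added as an illustration (it is not Nutmeg's own tooling). It scores an AND/OR tree with constructed attacker costs, finds the cheapest path to the asset, and ranks candidate controls by how much each raises that cheapest path; the tree, the costs and the control names are all assumptions made up for the example.

```python
# Added example, not Nutmeg's own tooling: a minimal attack-tree evaluator.
# Leaves carry a constructed "attacker cost"; OR nodes take the cheapest child,
# AND nodes sum their children. A control raises the cost of the leaf it
# mitigates, so controls can be ranked by how much they raise the cheapest
# end-to-end path. Tree, costs and control names below are all constructed.
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    kind: str = "LEAF"      # "LEAF", "AND" or "OR"
    cost: float = 0.0       # only used for leaves
    children: list = field(default_factory=list)

def attack_cost(node, controls=None):
    """Cheapest cost for an attacker to achieve this node's goal."""
    controls = controls or {}
    if node.kind == "LEAF":
        return node.cost + controls.get(node.name, 0.0)
    costs = [attack_cost(c, controls) for c in node.children]
    return min(costs) if node.kind == "OR" else sum(costs)

def cheapest_path(node, controls=None):
    """Leaf steps on the cheapest path: the scenario to defend against first."""
    controls = controls or {}
    if node.kind == "LEAF":
        return [node.name]
    if node.kind == "AND":
        return [s for c in node.children for s in cheapest_path(c, controls)]
    best = min(node.children, key=lambda c: attack_cost(c, controls))
    return cheapest_path(best, controls)

def rank_controls(root, candidates):
    """Rank candidate controls by how much each raises the cheapest attack."""
    base = attack_cost(root)
    gains = [(attack_cost(root, {n: extra}) - base, n) for n, extra in candidates.items()]
    return sorted(gains, reverse=True)

CUSTOMER_DATA = Node("read customer data", "OR", children=[
    Node("phish staff credentials", "AND", children=[
        Node("craft convincing email", cost=2),
        Node("staff member enters password", cost=3)]),
    Node("exploit web application", "AND", children=[
        Node("find injection flaw", cost=8),
        Node("pivot to database", cost=6)]),
    Node("misconfigured cloud storage", cost=12)])

CONTROLS = {"staff member enters password": 10,   # phishing training plus MFA
            "find injection flaw": 5,             # SAST and peer review
            "misconfigured cloud storage": 4}     # configuration scanning
```

With these constructed figures the phishing branch is the cheapest route, and the ranking shows that hardening that single step (training plus MFA) raises the attacker's cheapest path more than either of the other controls, which is the prioritisation the text describes.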
Techniques to ensure secure, bulletproof code
Cybersecurity rests on having good code, which is why our engineers use several methods to tackle vulnerabilities. Static application security testing (SAST), otherwise known as static analysis, is one of them. We feed the SAST system some of our code, and based on a series of rules, it tells us if anything is insecure. You can think of this method as a bit like a spellchecker but for software. As well as recognising vulnerabilities, the SAST system gives advice on code quality, speed and performance.
A SAST system is no replacement for a human proof-reader, however. Another line of defence is for our developers to do a manual review of each other’s code before it goes live. Because we train our developers to be proficient at cybersecurity, they become good at catching vulnerabilities.
We also test our code dynamically. When an application is up on a server and running, a scanner throws malicious data at it to try to figure out if it breaks in interesting ways. If this test surfaces any vulnerabilities, we set about fixing them as soon as possible.
Manual penetration testing against software and infrastructure
The real test, however, is to simulate an attack by a hacker. To ensure a fair test, we employ a third party to do the penetration testing.
A penetration test aims to find vulnerabilities that can be exploited by hackers. For example, to compromise a web application or an API, a hacker will often rely on multiple vulnerabilities, stringing them together to form a viable exploit.
Because Nutmeg uses a modern tech stack, a lot of security is built into the coding frameworks we use. That gives us an advantage over institutions that rely on old frameworks. However, we cannot afford to be complacent given the sophistication of modern-day hackers.
We also meet the requirements of the Payment Card Industry Data Security Standard thanks to our third-party payment processor, Stripe, which handles our cardholder data. Elsewhere, we insist on high standards from any company that works with us under any kind of outsourcing arrangement.
Poor cybersecurity can lead to costly penalties
Regulators have more power than ever to fine companies for lapses in cybersecurity. A data breach under the General Data Protection Regulation (GDPR), a piece of European regulation on data protection and privacy, can be punished by administrative fines of up to 4% of annual global turnover or €20 million, whichever is greater.
Clearly, there are huge penalties to dissuade companies from poor cybersecurity. But perhaps the biggest penalty would be losing customers’ trust. That’s why we at Nutmeg spend so much time working to protect ourselves against the efforts of hackers. Our reputation depends on it.
[1] A survey by Accenture Research estimated that companies globally could incur $5.2 trillion in additional costs and lost revenue over the next five years due to cyberattacks.
As with all investing, your capital is at risk. The value of your portfolio with Nutmeg can go down as well as up and you may get back less than you invest.