For bankers, alerting customers about online banking outages in the midst of a cyberattack is a lot like the task the flight crew faced in the movie "Airplane!"
"There's no reason to become alarmed," a flight attendant named Elaine tells passengers. "By the way, is there anyone on board who knows how to fly a plane?"
On an airliner or at a bank, it takes a deft touch to provide critical information in a crisis without amplifying the alarm - a task that's particularly challenging for a heavily regulated financial institution.
Since September, banks' skills in dealing with angry customers have been heavily tested during online banking outages caused by ongoing distributed denial of service (DDoS) attacks.
With banks, there's information that can't be disclose because of regulation. There's concern that if certain details become public they'll prolong the attacks. There's worry that digital updates will unnecessarily scare consumers. There's even an uncertainty around what words to use: To call it a cyberattack or not to call it a cyberattack?
Despite these fears, banks need to say something: People notice when a channel they have come to rely on goes down. Ignoring the problem will likely make the situation worse, analysts say.
"Banks don't have a choice," says Alphonse Pascual, senior analyst of security, risk and fraud at Javelin Strategy & Research. "Banks can tell customers what is going on or [customers] will catch it on CNBC. It's on the industry to help consumers understand what the attacks mean. It's not a question of, "Should we?" [Consumers] are already being communicated with. There's an opportunity for the industry to shape perception."
Part of that opportunity means pushing messages out to social media sites. For one thing, consumers will vent their frustrations online with or without a bank participating in the conversation. "You see the flood of madness on Facebook and Twitter of consumers in the dark," says Jacob Jegher, senior analyst at Celent. "People want answers.
"The minute [an outage] happens, the wheels need to get in motion ... and communication is an essential chain of the event."
Especially since attacks are here to stay.
"It's pretty early in the game," says Michael Wyffels, chief technology officer at Illinois-based QCR Holdings, a bank holding company. "You are starting to see more organizations say they are a victim of DDoS."
While the industry moves to collaborate and share lessons learned among each other even more, Wyffels says banks also need to continue to help customers better understand the threats, Wyffels says.
To some extent, they are doing this. "In the onset of these attacks, there was a bit of obfuscation," says Julie Conroy, a research director at Aite Group.
Conroy says part of that silence was designed to prevent satisfying hacktivists with feedback about the success of their attacks. As the outbreaks have become more widely known in recent months, the bank mentality is shifting. "Don't try to hide this," Conroy says. "At the end of day, we are very well aware this is the reality."
"Banks are always going to be targets," says Steve Durbin, global vice president of the Information Security Forum, an international association that focuses on cybersecurity issues. "Banks have been under attack since people gave them money … Threats have matured. You don't have to go down there [to a bank bracnch] with a gun. You can do it from a bed."
Be the first to comment on this post using the section below.