The first step to a safer CU is cybersecurity education for members

As a consumer, I sometimes question why my financial institution makes it so inconvenient to complete a transaction. Do I really have to worry about fraudsters, malware or phishing campaigns affecting my account? Do these monsters haunt my every digital move?

As a security practitioner, however, I read articles and emails every day on security breaches or incidents. It often seems like I’m overloaded with news on threat actors trying to hijack my account, steal my personal information and sell it to the highest bidder.

Bob Michaud is chief security officer at Q2 Holdings

Every digital interaction is on some level an implicit risk. Entering card information on a retailer’s site, allowing Facebook to access our contacts, swiping a card instead of inserting the chip… which of these virtual handshakes might have been made with a bad threat actor?

It doesn’t help that many consumers lack trust in how companies use their personal information. In a recent cybersecurity and privacy survey conducted by PricewaterhouseCoopers, only 25 percent of respondents were confident that most organizations handle their sensitive personal data responsibly, and even fewer believe companies will use that data to improve their lives.

I recently received a notification that Equifax has extended my Trusted ID Premier subscription following the September 2017 cybersecurity incident that affected 150 million people. They “sincerely hope this product has been a useful tool in helping [me] remain vigilant about [my] credit.” It almost seems like the lack of sound institutional security practices leading to the theft of my personal information was my fault. Truth be told, I’d almost forgotten about that “security incident” — let’s just call it what it was, a breach — so it was convenient that the Equifax Customer Care team reminded me.

Consumers — myself included — crave digital experiences at every turn and we all expect apps to be flexible enough to adapt to our next desire. Unfortunately, customers’ demands are changing faster than their behavior. They ask for the world but lack the self-awareness to identify those character traits that are inherently risky or susceptible to illicit cyber activity, which means that financial institutions have to do it for them. If an app asks them to enter a credit card number and they want instant satisfaction, they’ll enter it. Hence the challenge for anyone developing products and services to make life simultaneously easier, more convenient and secure.

Multi-layered security controls and protocols are perhaps the only way to ensure that products and services can adapt to changing customer demands and still maintain effective security. Not all customers – or, in credit unions’ case, members – and transactions are created equal, so a multi-layered security solution can help your credit union manage and regulate unruly behavior from even the very worst of members. This approach requires that credit unions develop robust training and education programs to proactively promote a culture of security and fraud resilience with employees as well as members. This training can and should be delivered seamlessly in the digital app, so that training can occur as the transaction is initiated. Utilizing a comprehensive approach that stresses education, prevention and remediation can combat even the most vulnerable of consumer tendencies.

Let’s take phishing, for example. Although I am an active security practitioner, most people aren’t, so they may not be aware of common indicators of phishing emails. Without knowledge of what attackers hope to accomplish, many consumers will invariably click on bad links. But if we can have conversations with consumers and offer demonstrations of what a typical phishing attack entails, they’ll be better prepared to raise a red flag when they see something suspicious.

This same practice can be applied across entire fields of membership or employees. It’s that simple. Financial institutions can help train their users through sample attack emails, distributed (perhaps ironically) through an email campaign. Encourage users to report phishing emails directly to a team that focuses on protecting the whole financial institution so that employees across the entire organization know exactly when an attack occurs.

As fraud persists, so do bad habits. Consumers will assume the financial institution is responsible for all security breaches and mishaps, even if the member or one of his or her connections inadvertently caused it. Education is an imperative first defense against even the worst fraudsters, meaning credit unions must take it upon themselves to actively educate their members through helpful videos, social content, blog series on their websites, infographics, email campaigns and other forms of direct communication through the mobile and online channels.

With the right level of user-friendly security in place, credit unions can expand their digital service offerings. By taking a multi-layered security approach, they can meet member needs by simplifying the experience for less risky transactions and ramping up security for the transactions that carry greater risk.
