A big part of cybersecurity is educating consumers about risky behaviors. Many security incidents involve a customer or employee clicking on something they shouldn't, like a malicious email attachment or website, or exposing personal information to criminals.
Most banks have seldom-read security tips pages on their websites. It's hard to induce customers to care. A handful of banks are going the extra mile.
mBank in Poland recently launched a clever series of television commercials and website videos encouraging customers to protect their personal information online. Counterparts in the U.S., including U.S. Bank and Bank of the West, are using similar tactics to put the fun back into security awareness.
Why don't more banks do this kind of outreach? One reason, says Ron Shevlin, director of research at Cornerstone Advisors, is that such programs have to go through internal compliance and public relations departments.
"That's no piece of cake," he said. "There could be something in the language that ticks off some internal compliance guy, who thinks it implies you provide certain protections that you don't."
In one mBank commercial, the camera follows a man walking through a shopping mall, holding his trench coat open. Bystanders react with shock, some taking pictures with their smartphones. A woman wearing pearls and a Chanel suit holding a Chihuahua gazes with icy disapproval. A shot from the front shows the man in the trench coat is fully clothed; what he's exposing are his bank account numbers and PIN number. The message: If you don't do it in real life, don't do it online.
The inspiration for the series came from people in mBank's security department, said Iwona Ryniewicz, the bank's director of communication and marketing strategy.
"They came up to the marketing department saying, 'There's too much to do in respect of protecting personal data,' " she said. Consumers, the security team lamented, give away too much personal information and don't protect their computers and devices. "They protect their car, they might wash it every day, but they don't take care of computers," Ryniewicz said.
The bank's public relations department developed the campaign with the help of an ad agency, Brand New Heaven. "They're very short — 15 seconds for TV and 20 seconds for Internet videos — so you cannot get bored," Ryniewicz said.
The commercials began running at the end of December and continued through January. The videos are still running on the bank's website, and the bank is hoping that by the end of February they will have brought a million page views. By early February the tally was 700,000.
The spots cost only about $500,000 to create and broadcast. "Fifteen seconds is cheap — nobody advertises products with 15-second spots," Ryniewicz said.
The business case for the project was "unofficial," she said. "I think it could help the business, not only in terms of security but also in terms of the image of mBank," she said. "It's right to educate on Internet security."
Three years ago U.S. Bank in Minneapolis came out with a similar series of videos featuring TMI Tami, who tells everyone she meets personal details about herself, including her online banking password.
"They're still out there now on our YouTube page," said Jason Witty, the bank's chief information security officer. "Laura Gross, the bank's security awareness coordinator, made the point that feelings are going to be remembered a lot longer than facts. So instead of being sterile and corporate, we thought we'd do something funny."
More recently, U.S. Bank published a series of tips on how customers could protect their personal information during the holiday season. Witty plans to start blogging regularly about cybersecurity issues and publish articles on LinkedIn.
The bank also hosts an annual "Trust in Us" information security conference; last year 400 customers attended as well as six Minnesota agencies. Former Governor Tim Pawlenty, who is now the CEO of the Financial Services Roundtable, and the chief risk officer for the National Security Agency gave speeches.
Mostly corporate clients send their chief financial officer or chief operating officer to the event. "There's a scam going on right now [called] business email compromise," Witty said. "Emails are sent to the chief financial officer that look like they're really from the CEO and prompt a legitimate approval. It isn't until weeks later they realize that wasn't the CEO that sent the email, and they're out the money. Those types of things have been elevating people's awareness."
Bank of the West in San Francisco has also been working on security awareness for some time. It recently published a white paper that looks at common fraud and security risks, such as wire fraud, securing intellectual property and protecting websites and email. The bank participates in webinars, posts videos on YouTube, writes blogs and Twitter posts, hosts local events and publishes security updates in a customer newsletter.
One of the most dangerous mistakes customers and employees make, according to David Pollino, the bank's fraud prevention officer, is throwing away old cellphones.
"For every phone sold there's probably a previous model being tossed — many, no doubt, chock full of personal data," he said. "So we work to educate consumers to let them know that before they dispose of old phones, laptops, desktop computers or portable storage devices, to take a few minutes to securely wipe the hard drive."
These campaigns are low-risk and could make people think. It would be nice to see more like them.
Editor at Large Penny Crosman welcomes feedback at email@example.com.