About Us | Contact Us
View Cart

Your Next Assignment: Customer Awareness

By Vigilize | Wednesday, August 20, 2014 - Leave a Comment

78% of Consumers Think CyberSecurity is Not Their Problem

Now that our perimeters are hardened, now that our information security programs are fine-tuned and working, and now that our users practice basic information security habits thanks to the hard work and efforts of the past decade . . . . we need to focus where the rest of the residual risk remains: our customers.

The good news is that other industries are onto this fact.   For example, an article in the on-line magazine, “Retail Customer Experience,” is what inspired this Dan’s New Leaf post.  According to a study conducted by Kaspersky, 78% of us don’t think we need to worry about cyber attacks. We simply don’t believe that we’re on the “bad guys'” radar.

This highlights one of the most important, and difficult, tasks that financial institutions face: Customer Education. While the FFIEC finally started calling for this in the June 2011 Supplement to the 2005 Guidance on Authentication in an Internet Banking Environment (we just love typing all that out), much more work needs to be done than the five bullet points called for in the Supplement.

As a refresher, the supplement requires that we provide the following information to our customers:

1) An explanation of protections provided, and not provided, to account
holders relative to electronic funds transfers under Regulation E, and a
related explanation of the applicability of Regulation E to the types of
accounts with Internet access;

2) An explanation of under what, if any, circumstances and through what
means the institution may contact a customer on an unsolicited basis and
request the customer’s provision of electronic banking credentials;

3) A suggestion that commercial online banking customers perform a related
risk assessment and controls evaluation periodically;

4) A listing of alternative risk control mechanisms that customers may
consider implementing to mitigate their own risk, or alternatively, a listing
of available resources where such information can be found; and,

5) A listing of institutional contacts for customers’ discretionary use in the
event they notice suspicious account activity or experience customer
information security-related events.

We believe that Customer Education can be leveraged to increase our reputation, mitigate legal risk (and put us in a better position when we have to settle), and reduce our fraud losses.  Why?  Besides “we have to do it anyway, let’s do it right,” a better answer is . . . . “we’ve seen user education substantially reduce risk in our institutions, just think what it can do outside our institutions.”

Branchless banking is here to stay.  Our “user base” is no longer just our employees.  And thus, if we were to add three additional bullet points to the FFIEC requirements listed above, they would be:

1) Create a multi-disciplinary approach to tackling Customer Education.  Your marketing, e-banking, and information security personnel need to band together.

2) You’re not going to accomplish it all in a day.  Utilize multiple channels of communication to “trickle” awareness messages to your Customers . . . . social media, your website, alert banners on your website, statement stuffers, flyers in your branches, ACH contracts, focused training for ACH/Wire Transfer Originators, and (most importantly) your front-line employees (who are now trained to provide such messaging.)  Posters and signs are also effective.  Be careful to distinguish between awareness messages and awareness alerts.  Be lavish with the prior and reserved with the latter.  (You don’t want to be seen as the boy that cried wolf!)

3) Start identifying resources of information and content that can be used to feed your message trickle.   We sure hope you’re already aware of our user awareness blog, but other resources abound.  Some of our better competitors in this realm include bankershub.net, bankinfosecurity.com.  Meanwhile, I have fallen in love with Mindful Security.

(Notice how I’ll link out to them but not my competitors!)

Like board, management, technical, and user awareness training . . . Customer Education is not going to be an easy task if you want to do it right.  But I believe the rewards . . . . not only in risk mitigation, but also in improved reputation . . . . will be as great, if not greater.

Let’s get out in front of the “amateurs” from the retail industry.  We bankers can take the bull by the horn and train our customers.

Good luck!


Written by Dan Hadaway CISA
Founder and Managing Partner, infotex

The article about the Kaspersky study is here.

Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”

Latest News
    You’ve heard it from every MSSP you’ve met: the definition of a SIEM is in the eye of the beholder. But at infotex, we are not talking about the database – an asset whose definition is continuously evolving. We’re talking about the way three teams collaborate in an overall Technology Risk Monitoring process. And whether […]
    A new study shows organizations are responding to cyber attacks faster than ever, so why is that bad news? An article review. When it comes to cyber attacks, the sooner an organization can begin to respond to an attack the better, so the results of a new study showing a drop in the amount of […]
    …a Crash Course of Security Measures The first article by Sara Fultz, Creative Assistant of infotex! Introduction: As the managing partner of infotex, I am proud to introduce the “debut article” for Sara Fultz.  I told Sara “write an article showing us what you’ve learned that the technical staff will appreciate.” As I read her […]
    infotex Programming Coordinator, Michael Hartke, introduces a high level overview of the upcoming update to the infotex SIEM. Look for more movies in the coming months informing our Clients, and those just now learning about us, about the SIEM and its features and functions.
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around your office.  
    As the investigation of the SolarWinds Hack was ongoing, another hack stole some of the limelight… This is the final update on the SolarWinds hack unless a major development comes to light. You can see the previous article here: “Autopsy of the SolarWinds Hack Update“. One of the largest cyber-espionage campaigns in the history of […]
    Employees working from home may find it more difficult to follow security policies… An article review. The surge in employees working from home during the pandemic created many headaches for IT departments around the world, many of whom had no telecommuting policies or procedures before the start… but what about the employees who had to […]
    A Webinar-Movie infotex presents the 2021 update of a previously released webinar presented by our Lead Non-Technical Auditor, Adam Reynolds. This movie-short is intended for those who are planning to participate in an infotex Incident Response Test. Not sure about the importance of an Incident Response Test? Check out onetest.infotex.com for more information! Please let […]
    PRESS RELEASE – FOR IMMEDIATE RELEASE BUSINESS NEWS INFOTEX PROMOTES BRYAN BONNELL TO DIGITAL MEDIA MANAGER infotex, the Managed Security Service Provider, announced Bryan Bonnell’s promotion from Senior Data Security Analyst to Digital Media Manager.  “He will continue his normal DSA duties on a limited basis, because we want everybody to stay in touch with […]
    PRESS RELEASE – FOR IMMEDIATE RELEASE BUSINESS NEWS RYAN HENSLER OF INFOTEX, EARNS CISSP CERTIFICATE Ryan Hensler, Senior NOC Associate of infotex, Inc., recently received the CISSP certification. “Ryan has proven himself to be a seasoned security professional both in his work for infotex and now through achieving this certification.” said Sean Waugh, Information Security Officer. […]