Customer Awareness: 6 Tips for Perfecting Your Program

Education is the Key to Improving Regulatory Compliance and Customer Confidence
Phishing, malware and the Nigerian 404 scam. These are among the top 2009 agenda items for the M&I Corporation in Wisconsin - not just to fight the threats, but to make customers more aware of them.

Customer awareness is a huge priority for Wisconsin's largest bank, says Scott Coghill, CISM, Vice President, Information Security Department at the Milwaukee-based financial services corporation, which has $63.5 billion in assets and operates in seven states.

M&I has a dedicated web page for its customers with an outline of the most important security messages and updates. It also offers key tips in ID theft fraud protection, a section describing how M&I is protecting its customers, tips on how to recognize online and email fraud, information on free ID theft assistance protection, ID theft resources and an ID theft prevention checklist, as well as a video on ID theft. This online information is supplemented by customer brochures at bank branches.

"We periodically send out flyers in their monthly statements, and we provide the same information to our call center, branch personnel, community bankers and other areas of customer contact whenever we post an alert regarding a new phishing or malware scam that could be of interest to people," Coghill says.

"With the way the economy is today, the bad guys will try to look for opportunities to take unfair advantage of situations," Coghill says, which calls for strong awareness programs for employees and customers alike. The awareness program in place is strong, he adds. "Our goal is to keep that information current and relevant."

The Awareness Mandate

Customer awareness on information security issues has always been a tricky equation for many institutions - how much is too much (you want to educate customers, not scare them away), and what do customers really want and need to know?

But looking back on 2008's recession, data breaches and industry-wide crisis of confidence, the case is clear to financial institutions: Customer awareness must be an important part of an overall information security education program.

Two compelling reasons to dedicate more resources to customer awareness in 2009:

More Electronic Users - Whether through online banking or mobile devices, increasing numbers of customers are doing their banking electronically and are just as increasingly vulnerable to threats. They need guidance.
More Regulatory Pressure - Education and awareness of customers and staff on information security topics has long been required by banking regulators, and the new ID Theft Red Flags Rule only underscores the criticality of demonstrating such programs to examiners.

Here is what industry experts and practitioners recommend as key elements of your customer awareness program:

1. Keep It Relevant - There are direct correlations between awareness programs for employees and customers, says M&I's Coghill. With both groups, you need to discuss the same common threats, "[And] you have to make the information readily available, easy and interesting to learn and reference," he says. The customer awareness information on the website or in brochures "also has to be similar to the information the customer would receive if they contact our customer call center," he says. You don't want conflicting or separate messages.

2. Measure the Program's Effectiveness - At M&I, the information security team measures the effectiveness of its customer awareness program by soliciting feedback from customers who directly contact the institution.

Internally, an annual security survey is conducted to gather information regarding effectiveness of the awareness message and the interests regarding security from employees. These findings are presented to management along with any suggestions for follow-up or new strategies.

The bank's HR department hands out customer information security brochures to all new hires during the orientation program. The brochures outline the importance of keeping customer data safe and the responsibilities of all employees to the security of customer data. "Feedback from new employees has been quite positive regarding the brochure and articles," Coghill says.

3. Offer More Tools and Resources - Banking institutions are the first place many banking customers turn to when they have a question about online security or fraud. Be ready to give them the assistance they need, says Anne Wallace, President of Identity Theft Assistance Center, a non-profit company supported by 44 large financial services companies. "Whether it's identity protection services, consumer education or fraud remediation services, consumers want and need resources to protect themselves," she says.

Financial services companies need to show consumers "what's in it for me" when it comes to online banking. "Consumers continue to cite security as the main reason they don't bank online, and consumer adoption is holding steady at about 35 percent, according to Javelin Strategy & Research," she adds.

Therefore, financial services companies must do a better job of telling customers what they are doing to protect them. "Fraud prevention, detection and resolution are customer care issues, however financial services companies fall short of communicating what is being done on the customer's behalf," Wallace notes.

4. Make It a Team Effort - The key messages for all information security awareness for customers should cover the big issues - phishing, social engineering and general information security practices. Making it a team effort between the institution and the customer makes it easy for the customer to understand that the institution does its part to protect them -- but the customers have an important role to play as well, says information security and privacy expert Rebecca Herold.

"Customers have to be diligently careful to safeguard their own information on their own computers, especially when in public," Herold explains. "Institutions can provide the best security in the world, but if customers do not also provide their own safeguards, their information could become compromised as a result of their own actions and lack of good security."

5. Keep the Information Coming - Customer awareness by the spoonful isn't the way to go. "Institutions are often reluctant to educate their customers about security threats, for fear of either scaring them away or tipping off the bad guys to a vulnerability that they might exploit," says Tom Wills, Senior Analyst, Security, Fraud & Compliance at Javelin Strategy & Research.

This approach will no longer hold water in 2009. "Customers are now unmistakably at the front line of bank information security," Wills notes. Keylogging Trojans are fast becoming the identity thieves' weapon of choice, and so securing customers' PCs and mobile devices against malware is more important than ever. The only people who can effectively secure these devices are the customers themselves. "But in order to do so, they need to know how," Wills says, "and it's up to the banks to show them via aggressive educational programs."

Implementing a security awareness center on the bank website, including security messages in marketing and PR campaigns, and providing incentives to install and run antivirus software are just three ways to achieve this, Wills offers. Institutions can also "deputize" customers by implementing email or SMS alerts to quickly notify them when unusual activity takes place on their accounts. "Consumer research has consistently shown that customers are willing and able to participate in securing their accounts against fraud, so there's really no excuse for banks not to help them do this any more," he says.

6. Build Upon the Basics - Customer awareness needn't be all that complicated to offer. Whether starting or jump-starting an awareness program, these are the fundamental elements of a successful program:

Basic education about security, ID theft and privacy issues;
What the institution is doing to protect their information;
How ID theft happens and general protections from it;
Non-biased explanation of consumer products for ID Theft protection/monitoring;
How to prevent credit/debit card fraud;
How to protect desktops from malware;
Where and how to contact the institution for information on any issues or to report anything suspicious.

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.



