Skip to main content

Resources

Customer Cybersecurity Awareness – Creating a Culture of Security

Customer Cybersecurity Awareness – Creating a Culture of Security

Customers Present Unique Risk

Today’s world of mobile-centric ultra-connectivity, where we have access to everything we want through our smartphones, presents organizations with an abundance of opportunity. The flip-side to this opportunity, however, is the ever-present cyber risk posed by the internet and all things connected.


While most organizations think through the direct risk of cyber threats to their business via cyber attacks, known vulnerabilities, and security flaws, not many organizations recognize the risk posed to their business by their customers.


Customers who utilize internet and mobile-centric products and services offer a unique risk to your business, requiring organizations to implement additional controls to mitigate customer risk. The catch is that most businesses cannot mandate controls and procedures that clients must follow outside of the controls implemented within products used by the customer.


Depending on your business, there are (typically) two different types of customers:

  • Commercial Customers (B2B) – other businesses doing business with your organization. Commercial customer risk is increased if businesses perform financial transactions through your product or service, as more potential individuals may have access and available funds are typically greater.
  • Consumers (B2C) – individuals who utilize your online-based products and services. Consumer risk is typically lower due to limited access and fewer available funds.

 


Customers Have Less Security

More often than not, businesses (particularly those in regulated industries) have stronger cybersecurity controls in place than customers. Think about your customers – commercial or consumer – and ask yourself who has stronger cybersecurity controls? If you’re not the winner of that debate, it may be time for some cybersecurity assistance.


In many cases, the poor cybersecurity practices of your customer(s) can lead to a compromise by a malicious attacker. A customer compromise can lead the malicious attacker to steal valuable information or access belonging to the customer. In most cases, the customer compromise value proposition is email access, account access, or customer funds through a single (or multiple) financial institution.


In any case, the malicious attacker may have some or all of the customer’s information and can set the customer up for a cooperate account takeover (CATO) scenario. CATO comes in many forms, but the two most popular include draining customer bank accounts, redirecting funds to unauthorized payees, or business email compromise (BEC) attacks that steal money and further the attacker’s agenda. Customer compromise is very difficult to combat and can often lead to reputational and monetary damage to your business.

 

 

Cover the Basics

Training of internal employees is a must that all organizations should embrace to create a strong culture of security. However, most organizations don’t take the proactive approach of educating their customers the same way they educate their employees to combat cyber threats.


An organization with a strong security culture goes beyond internal employees and talks about cybersecurity threats with its customers as well. Educating customers about the dangers of cyber threats helps build a stronger relationship with the customer. Stronger customers also benefit the business, since a stronger customer will reduce the risk of that customer information becoming compromised or used maliciously against your business.


People are the weakest link in any security program, and malicious attackers most frequently target people – internal and external. Your customers can benefit from the same security awareness topics shared internally, including:

  • Phishing and social engineering – The most common delivery method of malware and compromise of account credentials is social engineering. Providing education on the different types of social engineering attacks and what controls can be added to mitigate the risk of an attack can significantly reduce risk. Stressing the dangers of phishing emails and how the organization can defend against phishing is another key point from this category.
  • Physical security – Educate customers about physical security threats and best practices for securing physical assets. If physical security is compromised, attackers own your devices or information.
  • Access controls, including passwords – Educate customers on the importance of strong authentication mechanisms within and on systems that they access. Stress the importance of length vs. complexity when it comes to passwords and encourage customers to implement multi-factor authentication (MFA) whenever possible.
  • Remote access security – Educate customers on the importance of securing remote workers through the use of VPNs, wireless network best practices, quality anti-malware programs, etc.
  • Use of encryption – Educate customers on the importance of encryption around data in transit (sent over the internet) and data at rest (stored on a local device).
  • Mobile device security – Educate customers about security controls for mobile devices (little computers), including strong passwords, biometric (fingerprint tor facial recognition) authentication, encryption, anti-malware programs, and Wi-Fi connectivity.
  • Malware awareness – Educate customers about defending against malicious software, including ransomware, trojans, spyware, etc.
  • Importance of anti-virus and firewalls – Stress the importance of firewalls and the use of malicious program detection programs such as anti-virus or anti-malware.
  • Security awareness – Stress the importance of ongoing security awareness training and staying up-to-date about modern cyber attacks.
  • Incident response plans – Stress the importance of corporate customers building a plan to fail well (an incident response plan) in the event they are compromised.

 

 

How to Train Your Customers

Organizations can provide cybersecurity training and education to their customers through a variety of methods. Using multiple delivery channels can help ensure your customers see this training throughout the year. Cybersecurity training and education can also provide customers a starting point or additional resources for building a strong security culture themselves. Delivery channels for cybersecurity training and education can include:

  • Your business website (your own content, your policies for handling information or disclosing cyber incidents, cybersecurity news or articles, or links to other cybersecurity training)
  • Posting cybersecurity resources or news on your social media channels (LinkedIn, Facebook, Instagram, etc.)
  • Including cybersecurity resources with physical statements or invoices
  • Providing cybersecurity resources, control suggestions (like creating strong passwords), or self-audits at the time of account opening
  • Conducting periodic audits of security controls at a customer’s location (especially for organizations whose products/services involve financial transactions)

 

 

Actually Talk to Your Customers

One of the most popular and effective methods of training your customers is to invite them to a security lunch-and-learn hosted by your organization – virtual or in-person (so long as we’re not in a pandemic).


Getting out in front of your customers and talking about the importance of cybersecurity is a win/win/win:

  1. You are helping to create stronger customers that are more resistant to cyber attacks, which benefits both you and your customer.
  2. You also show your customers they are more than just a number to you. You’re strengthening relationships and demonstrating care about their well-being (digital and personal).
  3. You also have an opportunity to show off new products/services or new features to your customers, as well as potentially increase the adoption of existing products or services.


Talking about cybersecurity also offers a chance for your customers to see how your organization is protecting their information. In today’s market, where cybersecurity is becoming a deciding factor for consumers presented with many options, being open and transparent about cybersecurity can instill customer confidence and draw in new customers.


Whether you choose to talk with your customers about cybersecurity virtually or in-person, here are some additional considerations to keep in mind:

  • Invite the community: Not only should you include your existing customers, but you should consider expanding your audience to the community at large.
  • Timing: Reach the broadest audience by hosting several sessions conveniently scheduled to cover the most people possible.
  • Location (if in-person): Ensure the location is conveniently accessible and big enough to comfortably host your expected audience.
  • Platform (if virtual): Choose a platform that is easily accessible by your customers, user-friendly, and secure.
  • Partner locally: Pair up with your local chamber of commerce, an area civic organization, or academic institution to add additional community reach or resources.
  • Bring in the experts: If you’re not confident talking about cybersecurity yourself, bring in a cybersecurity expert or someone from a law enforcement agency (FBI, Secret Service, your local police department, etc.) to speak on your behalf. Choose speakers with experience in covering cybersecurity topics. Additionally, consider recording the session for those unable to attend and/or to use for content later.

 

 

Putting It All Together

Cybersecurity education of customers may be a requirement for some industries (like financial institutions), but it is also a necessary component in mitigating your cybersecurity risk. Promoting a cybersecurity culture that your customers can look to as a resource can be a tremendous advantage in today’s market. Conversely, failing to provide cybersecurity training and education to your customers can open your business to information being compromised. This can snowball into the compromised information being used in a malicious attack against your business, which can be very costly from a monetary and reputational damage perspective.

 

 


Written by: 
Eric Chase, Information Security Consultant
SBS CyberSecurity


 

SBS Resources: 
SBS CyberSecurity has been helping organizations identify and understand cybersecurity risks to make more informed business decisions since 2004. If your organization is looking to better understand your cyber risk; build, maintain, or test your cybersecurity program; and make smarter, more informed cybersecurity business decisions, SBS can help.

  • {Servcie} Security Awareness Training: It is SBS’ ultimate goal to best suit the needs of your organization and your customers when it comes to Security Awareness Training. We can host live webinars, provide recorded webinars, and conduct onsite training; it is solely up to you to determine what works best. 
  • Education: SBS is a leading provider of cybersecurity education. We are uniquely dedicated to delivering quality, industry-specific education to financial institutions to empower our clients to take security into their own hands.

 

Related Certifications:

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.

Certified Banking Security Manager


Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Thursday, February 25, 2021
Categories: Blog