Is Customer Education Still Relevant? Awareness Won't Be Effective Until It's Done Right
How relevant is customer education to security? It's a touchy issue. Obviously, no one says it should be ignored.
But many security experts believe banking institutions have leaned too heavily - and unsuccessfully - on customer education, rather than making strides to invest in stronger fraud-detection systems and enhanced authentication for end-users.
Just convincing customers to invest in and adopt the authentication and anti-malware solutions banking institutions offer requires education.
Two opposing views from members of the BankInfoSecurity board of advisers illustrate how divided the industry remains on this issue. And the dividing lines seem relatively clear - banking/security leaders believe in customer education; technologists and analysts say it's outlived its shelf-life.
Here are some of the viewpoints expressed in those two blog posts and in the reader comments that followed. Let's weigh the arguments.
Financial fraud expert George Tubin, who works as a security adviser for anti-malware provider Trusteer, says that fighting today's cyberthreats demands much more than customer education (see Why Customer Education Doesn't Work).
"The typical end-user relying simply on his brain, no matter how well-trained, is no match for today's cybercriminal," Tubin writes. "While user education is valuable, needed and helpful, there is one problem with this approach - it only partially works, and partially working is simply not good enough."
But Patti Broer, the information security administrator for BankWest Inc., a $754 million community institution based in South Dakota, says customer education should be the foundation of any online security strategy (see Customer Education an Essential Step).
"Ultimately, security and safety come down to the first line of defense - our customers," Broer writes. "Bankers already know what education needs to be provided and why. The FFIEC guidelines are pretty clear on what needs to be done. ... Be persistent and patient, and eventually you will see the benefits and results."
Readers' opinions on the topic vary as well.
In response to Tubin's blog, Morgan Nielsen points out that technology is critical. But convincing customers to invest in the solutions is the hard part.
"In business environments, an appropriate mixture of hardware/software technologies such as IDS/IPS, malware scanners, whitelisting, DLP, deny-all firewalling rules, etc. are great because they cover for each other's weaknesses," he writes. "But someone please tell me how to convince my customers they need to invest in all these technologies ... not gonna happen!"
Another reader, going by Jon M., notes: "Relying on technology as a solitary solution to combat social engineering is a serious and possibly fatal mistake. ... Without knowing what the warning signs are (education), we're seriously inhibiting our abilities to sufficiently react (mitigation)."
And another reader, known as JustSaying, in response to Broer's blog, points out that education puts the security onus on the user. Without education, banks have little to fall back on, from a liability-shift perspective, when fraud losses occur.
"With essentially no liability, a customer has little incentive to adopt secure practices," JustSaying writes. "Sadly, research has shown that customers that experience fraud on their account, even if they were the ones that did something that created the compromise, still blame the bank and often will change their banking relationship."
Education clearly plays some role. But so does technology.
I can think of no better example of this than a recent $1.5 million account-takeover heist, which ultimately forced a California escrow company to close (see A $1.5MM Fraud Mystery).
Details surrounding the incident remain a bit murky. But here's what we do know: Over the course of one month - between December 2012 and January 2013 - Efficient Services Escrow Group lost more than $1 million in three separate fraudulent wire transfers - transactions that sent the funds to accounts in Russia and China.
And here's the kicker: No one - not the escrow company nor the bank - reported anything suspicious until Feb. 22.
How is that possible?
Banks have spent the last two years focused on big investments in layered security, which includes customer education and anomaly detection. Conforming to the FFIEC's updated authentication guidance issued in June 2011 has been a huge focus. But according to the 2013 Faces of Fraud Survey, losses for the majority of our survey's respondents - primarily regional and community institutions - actually increased last year. And more than half of those respondents say a lack of customer awareness is the biggest challenge they face in fighting fraud.
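The escrow incident above ran for a month without anyone flagging a thing, which is exactly the gap the anomaly-detection layer of "layered security" is meant to close. As an added example (not code from the page, the bank or the escrow company), here is a minimal rule-based check of that kind, replayed over a constructed ledger patterned on the page's description: routine domestic disbursements, then three large wires to new beneficiaries in Russia and China. The Wire fields, the signal weights, the 30-day window and the hold threshold are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed example of a layered anomaly check for outbound wires.
# Not the page's or any vendor's code; every record below is made up.


@dataclass(frozen=True)
class Wire:
    when: date
    amount: float
    beneficiary: str
    country: str  # country code of the receiving bank (assumed field)


HOME_COUNTRY = "US"
LOOKBACK_DAYS = 30
MIN_BASELINE = 5    # cleared wires needed before the amount baseline is trusted
HOLD_THRESHOLD = 4  # total score at or above this holds the wire for review


def score_wire(wire, cleared, all_prior):
    """Score one wire against the account's history; returns (score, reasons).

    `cleared` holds wires that were released (the trusted baseline);
    `all_prior` holds every earlier wire, including held ones, so a burst
    of suspicious activity still counts against the next wire.
    """
    score, reasons = 0, []

    # Signal 1: first payment to this beneficiary.
    if wire.beneficiary not in {w.beneficiary for w in cleared}:
        score += 2
        reasons.append("new beneficiary")

    # Signal 2: cross-border destination.
    if wire.country != HOME_COUNTRY:
        score += 2
        reasons.append(f"cross-border to {wire.country}")

    # Signal 3: amount far outside the cleared baseline (mean + 3 sigma).
    amounts = [w.amount for w in cleared]
    if len(amounts) >= MIN_BASELINE:
        limit = mean(amounts) + 3 * pstdev(amounts)
        if wire.amount > limit:
            score += 2
            reasons.append(f"amount {wire.amount:,.0f} above baseline limit {limit:,.0f}")

    # Signal 4: other cross-border wires inside the look-back window.
    recent = [w for w in all_prior
              if w.country != HOME_COUNTRY
              and wire.when - w.when <= timedelta(days=LOOKBACK_DAYS)]
    if recent:
        score += 1
        reasons.append(f"{len(recent)} other cross-border wire(s) in last {LOOKBACK_DAYS} days")

    return score, reasons


def review_ledger(wires, threshold=HOLD_THRESHOLD):
    """Replay a ledger in date order; return [(wire, score, reasons)] to hold.

    Held wires are kept out of `cleared` so a fraudulent transfer cannot
    inflate the baseline and mask the one that follows it.
    """
    cleared, all_prior, held = [], [], []
    for w in sorted(wires, key=lambda x: x.when):
        score, reasons = score_wire(w, cleared, all_prior)
        if score >= threshold:
            held.append((w, score, reasons))
        else:
            cleared.append(w)
        all_prior.append(w)
    return held


# Constructed ledger: eight routine domestic escrow disbursements, then three
# large wires to unknown foreign beneficiaries (the pattern the page describes),
# with one ordinary domestic wire in between to check for false positives.
SAMPLE_LEDGER = [
    Wire(date(2012, 4, 3), 25_000, "Pacific Title Co", "US"),
    Wire(date(2012, 5, 8), 32_000, "Westside Lending", "US"),
    Wire(date(2012, 6, 12), 28_000, "Pacific Title Co", "US"),
    Wire(date(2012, 7, 17), 41_000, "Harbor Realty Trust", "US"),
    Wire(date(2012, 8, 21), 30_000, "Westside Lending", "US"),
    Wire(date(2012, 9, 25), 27_000, "Pacific Title Co", "US"),
    Wire(date(2012, 10, 30), 35_000, "Harbor Realty Trust", "US"),
    Wire(date(2012, 11, 27), 29_000, "Westside Lending", "US"),
    Wire(date(2012, 12, 17), 432_000, "Unknown beneficiary 1", "RU"),
    Wire(date(2013, 1, 8), 563_000, "Unknown beneficiary 2", "CN"),
    Wire(date(2013, 1, 15), 31_000, "Pacific Title Co", "US"),
    Wire(date(2013, 1, 24), 505_000, "Unknown beneficiary 3", "RU"),
]

if __name__ == "__main__":
    for wire, score, reasons in review_ledger(SAMPLE_LEDGER):
        print(f"HOLD {wire.when} {wire.amount:>10,.0f} -> {wire.country}  score={score}: {'; '.join(reasons)}")
```

Each of the three foreign wires trips several independent signals at once, while the routine domestic wire between them is released, which is the point of layering: no single rule has to be perfect. The design choice worth noting is that a held wire never enters the cleared baseline, so the first six-figure transfer does not stretch the statistics enough to let the next one through.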
While I agree that many institutions, especially community banks and credit unions, have relied too heavily on customers for fraud prevention and detection, education does have a role to play. Yet we continue to see account takeover losses, such as the one noted above.
Clearly, something is not working.
But institutions have done a poor job. They've been ineffective at convincing their end-users why they need certain controls. This is where customer education has a role to play, and banking institutions need to be more demanding: explain to customers why these enhanced security features are required, and require customers to adopt them.
With an effective educational campaign, convincing customers of the need for that technology should not be a hurdle. Just point to Efficient Services Escrow. If that doesn't convince them, what will?