When is a Customer Too Much of a Security Risk?
To how many customers at your institution would you want to say this line?
Listening to some of the "dumb customer" stories over the last several years from banking information security professionals, I ask 'What is a smart customer worth these days?'
What is a smart customer worth these days?
Yes, you know the ones - they're concerned about their privacy and their money and take responsibility for it. They are the "Have Security on My Mind" types that are wiser, savvier and question things that don't appear to be 100 percent. They keep their machine clean and update it on a regular basis. They also call the institution's customer service center when they get a suspicious-looking email that purports to be from the institution. Their worth? Well, if the majority of our customers were like the ones described above, we'd be very happy, and many more of us would sleep better at night.
The other kind of customer also cares about their money and their privacy, but can't be bothered with taking responsibility for protecting it. They expect the bank to replace every dollar taken out of their account, even when they played a role in causing the loss. They insist on accessing online accounts from the local library and just "know" they couldn't have had their username and password compromised there. You think a teenager has bad computer security habits? These customers run neck and neck with the 13-year-old crowd in performing stupid computer moves. In short, these online banking customers can be defined as reckless, distracted, or just not the "brightest bulb in the knife drawer" type.
The rest of online banking customers are somewhere in between these two groups to varying degrees. Does this paint an ugly picture about your online banking customers and their acceptance of a level of responsibility?
What practitioners out in the trenches say is that online banking customers need additional doses of security education and awareness, something to consider when developing your written ID Theft Red Flags documentation of your customer security awareness program. Customer education on their responsibility and accountability when banking online should be at the top of any institution's list - in the end it will benefit not just the customer, but your institution's overall security and soundness as well.
So what are you doing to educate those users who insist that their computer habits and practices have nothing to do with their account being hacked? Can you put a dollar amount on what a smart customer is worth to your institution?