Customer Awareness: 6 Tips for Perfecting Your ProgramEducation is the Key to Improving Regulatory Compliance and Customer Confidence
Customer awareness is a huge priority for Wisconsin's largest bank, says Scott Coghill, CISM, Vice President, Information Security Department at the Milwaukee-based financial services corporation, which has $63.5 billion in assets and operates in seven states.
M&I has a dedicated web page for its customers with an outline of the most important security messages and updates. It also offers key tips in ID theft fraud protection, a section describing how M&I is protecting its customers, tips on how to recognize online and email fraud, information on free ID theft assistance protection, ID theft resources and an ID theft prevention checklist, as well as a video on ID theft. This online information is supplemented by customer brochures at bank branches.
"We periodically send out flyers in their monthly statements, and we provide the same information to our call center, branch personnel, community bankers and other areas of customer contact whenever we post an alert regarding a new phishing or malware scam that could be of interest to people," Coghill says.
"With the way the economy is today, the bad guys will try to look for opportunities to take unfair advantage of situations," Coghill says, requiring strong awareness programs for employees and customers alike. The awareness program in place is a strong, he adds. "Our goal is to keep that information current and relevant."
The Awareness Mandate
Customer awareness on information security issues has always been a tricky equation for many institutions - how much is too much (you want to educate customers, not scare them away), and what do customers really want and need to know?
But looking back on 2008's recession, data breaches and industry-wide crisis of confidence, the case is clear to financial institutions: Customer awareness must be an important part of an overall information security education program.
Two compelling reasons to dedicate more resources to customer awareness in 2009:
Here are what industry experts and practitioners recommend as key elements of your customer awareness program:
1. Keep It Relevant - There are direct correlations between awareness programs for employees and customers, says M&I's Coghill. With both groups, you need to discuss the same common threats, "[And] you have to make the information readily available, easy and interesting to learn and reference," he says. The customer awareness information on the website or in brochures "also has to be similar to the information the customer would receive if they contact our customer call center," he says. You don't want conflicting or separate messages.
2. Measure the Program's Effectiveness - At M&I, the information security team measures the effectiveness of its customer awareness program by soliciting feedback from customers who directly contact the institution.
Internally, an annual security survey is conducted to gather information regarding effectiveness of the awareness message and the interests regarding security from employees. These findings are presented to management along with any suggestions for follow-up or new strategies.
The bank's HR department hands out customer information security brochures to all new hires during the orientation program. The brochures outline the importance of keeping customer data safe and the responsibilities of all employees to the security of customer data. "Feedback from new employees has been quite positive regarding the brochure and articles," Coghill says.
3. Offer More Tools and Resources - Banking institutions are the first place many banking customers turn to when they have a question about online security or fraud. Be ready to give them the assistance they need, says Anne Wallace, President of Identity Theft Assistance Center, a non-profit company supported by 44 large financial services companies. "Whether it's identity protection services, consumer education or fraud remediation services, consumers want and need resources to protect themselves," she says.
Financial services companies need to show consumers "what's in it for me" when it comes to online banking. "Consumers continue to cite security as the main reason they don't bank online, and consumer adoption is holding steady at about 35 percent, according to Javelin Strategy & Research," she adds.
Therefore, financial services companies must do a better job of telling customers what they are doing to protect them. "Fraud prevention, detection and resolution are customer care issues, however financial services companies fall short of communicating what is being done on the customer's behalf," Wallace notes.
4. Make It Team Effort - The key messages for all information security awareness for customers should cover the big issues - phishing, social engineering and general information security practices. Making it a team effort between the institution and the customer makes it easy for the customer to understand that the institution does its part to protect them -- but the customers have an important role to play as well, says information security and privacy expert Rebecca Herold.
"Customers have to be diligently careful to safeguard their own information on their own computers, especially when in public," Herold explains. "Institutions can provide the best security in the world, but if customers do not also provide their own safeguards, their information could become compromised as a result of their own actions and lack of good security."
5. Keep the Information Coming - Customer awareness by the spoonful isn't the way to go. "Institutions are often reluctant to educate their customers about security threats, for fear of either scaring them away or tipping off the bad guys to a vulnerability that they might exploit," says Tom Wills, Senior Analyst, Security, Fraud & Compliance at Javelin Strategy & Research.
This approach will no longer hold water in 2009. "Customers are now unmistakably at the front line of bank information security," Wills notes. Keylogging Trojans are fast becoming the identity thieves' weapon of choice, and so securing customers' PCs and mobile devices against malware is more important than ever. The only people who can effectively secure these devices are the customers themselves. "But in order to do so, they need to know how," Wills says, "and it's up to the banks to show them via aggressive educational programs."
Implementing a security awareness center on the bank website, including security messages in marketing and PR campaigns, and providing incentives to install and run antivirus software are just three ways to achieve this, Wills offers. Institutions can also "deputize" customers by implementing email or SMS alerts to quickly notify them when unusual activity takes place on their accounts. "Consumer research has consistently shown that customers are willing and able to participate in securing their accounts against fraud, so there's really no excuse for banks not to help them do this any more," he says.
6. Build Upon on the Basics - Customer awareness needn't be all that complicated to offer. Whether starting or jump-starting an awareness program, these are the fundamental elements of a successful program: