OFFICIAL PUBLICATION OF THE VIRGINIA ASSOCIATION OF COMMUNITY BANKS

Pub 10. 2021 Issue 1

Customer Cybersecurity Awareness — Creating a Culture of Security

Customers Present Unique Risk

Today’s world of mobile-centric ultra-connectivity, where we have access to everything we want through our smartphones, presents organizations with an abundance of opportunities. However, the flip side to this opportunity is the ever-present cyber risk posed by the internet and all things connected.

While most organizations think through the immediate risk of cyber threats to their business via cyber-attacks, known vulnerabilities and security flaws, not many organizations recognize the risk posed to their business by their customers.

Customers who use internet and mobile-centric products and services present a unique risk to your business, one that requires additional controls to mitigate. The catch is that most businesses cannot mandate the controls and procedures customers follow beyond those built into the products the customer uses.

Depending on your business, there are (typically) two different types of customers:

  • Commercial Customers (B2B) — other businesses doing business with your organization. Commercial customer risk is increased if businesses perform financial transactions through your product or service, as more potential individuals may have access and available funds are typically greater.
  • Consumers (B2C) — individuals who utilize your online-based products and services. Consumer risk is typically lower due to limited access and fewer available funds.

Customers Have Less Security

More often than not, businesses (particularly those in regulated industries) have stronger cybersecurity controls in place than customers. Think about your customers — commercial or consumer — and ask yourself who has stronger cybersecurity controls? If you are not the winner of that debate, it may be time for some cybersecurity assistance.

In many cases, the poor cybersecurity practices of your customer(s) can lead to a compromise by a malicious attacker. A customer compromise can lead the malicious attacker to steal valuable information or access belonging to the customer. In most cases, the customer compromise value proposition is email access, account access, or customer funds through a single (or multiple) financial institutions.

In any case, the malicious attacker may have some or all of the customer’s information and can set the customer up for a corporate account takeover (CATO) scenario. CATO comes in many forms, but the two most common are draining customer bank accounts or redirecting funds to unauthorized payees, and business email compromise (BEC) attacks that steal money and further the attacker’s agenda. Customer compromise is very difficult to combat and can often lead to reputational and monetary damage to your business.

Cover the Basics

Training of internal employees is a must that all organizations should embrace to create a strong security culture. However, most organizations don’t take the proactive approach of educating their customers the same way they educate their employees to combat cyber threats.

An organization with a strong security culture goes beyond internal employees and talks about cybersecurity threats with its customers as well. Educating customers about the dangers of cyber threats helps build a stronger relationship with the customer. Stronger customers also benefit the business since a stronger customer will reduce the risk of that customer information becoming compromised or used maliciously against your business.

People are the weakest link in any security program, and malicious attackers most frequently target people — internal and external. Your customers can benefit from the same security awareness topics shared internally, including:

  • Phishing and social engineering — Social engineering is the most common method of delivering malware and compromising account credentials. Education on the different types of social engineering attacks, and on the controls that can be added to mitigate them, can significantly reduce risk. Stressing the dangers of phishing emails and how the organization defends against phishing is another key point in this category.
  • Physical security — Educate customers about physical security threats and best practices for securing physical assets. If physical security is compromised, attackers own your devices or information.
  • Access controls, including passwords — Educate customers on the importance of strong authentication mechanisms and systems they access. Stress the importance of length vs. complexity when it comes to passwords and encourage customers to implement multi-factor authentication (MFA) whenever possible.
  • Remote access security — Educate customers on the importance of securing remote workers through VPNs, wireless network best practices, quality anti-malware programs, etc.
  • Use of encryption — Educate customers on the importance of encryption around data in transit (sent over the internet) and data at rest (stored on a local device).
  • Mobile device security — Educate customers about security controls for mobile devices (little computers), including strong passwords, biometric (fingerprint or facial recognition) authentication, encryption, anti-malware programs and Wi-Fi connectivity.
  • Malware awareness — Educate customers about defending against malicious software, including ransomware, trojans, spyware, etc.
  • Importance of antivirus and firewalls — Stress the importance of firewalls and of malicious-program detection software such as antivirus or anti-malware.
  • Security awareness — Stress the importance of ongoing security awareness training and staying up-to-date about modern cyber attacks.
  • Incident response plans — Stress the importance of corporate customers building a plan to fail well (an incident response plan) if they are compromised.

Cybersecurity education of customers may be a requirement for some industries (like financial institutions), but it is also necessary to mitigate your cybersecurity risk.

How to Train Your Customers

Organizations can provide cybersecurity training and education to their customers through a variety of methods. Using multiple delivery channels can help ensure your customers see this training throughout the year. Cybersecurity training and education can also provide customers a starting point or additional resources for building a strong security culture themselves. Delivery channels for cybersecurity training and education can include:

  • Your business website (your own content, your policies for handling information or disclosing cyber incidents, cybersecurity news or articles, or links to other cybersecurity training)
  • Posting cybersecurity resources or news on your social media channels (LinkedIn, Facebook, Instagram, etc.)
  • Including cybersecurity resources with physical statements or invoices
  • Providing cybersecurity resources, control suggestions (like creating strong passwords), or self-audits at the time of account opening
  • Conducting periodic audits of security controls at a customer’s location (especially for organizations whose products/services involve financial transactions)

Actually Talk to Your Customers

One of the most popular and effective methods of training your customers is to invite them to a security lunch-and-learn hosted by your organization – virtual or in-person (so long as we’re not in a pandemic).

Getting out in front of your customers and talking about the importance of cybersecurity is a win/win/win:

  1. You are helping to create stronger customers that are more resistant to cyber attacks, which benefits both you and your customer.
  2. You also show your customers they are more than just a number to you. You’re strengthening relationships and demonstrating care about their well-being (digital and personal).
  3. You also have an opportunity to show off new products/services or new features to your customers and potentially increase the adoption of existing products or services.

Talking about cybersecurity also offers your customers a chance to see how your organization is protecting their information. In today’s market, where cybersecurity is becoming a deciding factor for consumers presented with many options, being open and transparent about cybersecurity can instill customer confidence and draw in new customers.

Whether you choose to talk with your customers about cybersecurity virtually or in-person, here are some additional considerations to keep in mind:

  • Invite the community: Not only should you include your existing customers, but you should consider expanding your audience to the community at large.
  • Timing: Reach the broadest audience by hosting several sessions conveniently scheduled to cover the most people possible.
  • Location (if in-person): Ensure the location is conveniently accessible and big enough to comfortably host your expected audience.
  • Platform (if virtual): Choose a platform that is easily accessible by your customers, user-friendly and secure.
  • Partner locally: Pair up with your local chamber of commerce, an area civic organization, or academic institution to add additional community reach or resources.
  • Bring in the experts: If you’re not confident talking about cybersecurity yourself, bring in a cybersecurity expert or someone from a law enforcement agency (FBI, Secret Service, your local police department, etc.) to speak on your behalf. Choose speakers with experience in covering cybersecurity topics. Additionally, consider recording the session for those unable to attend or to use for content later.

Putting It All Together

Cybersecurity education of customers may be a requirement for some industries (like financial institutions), but it is also necessary to mitigate your cybersecurity risk. Promoting a cybersecurity culture that your customers can look to as a resource can be a tremendous advantage in today’s market. Conversely, failing to provide cybersecurity training and education to your customers can open your business to information being compromised. This can snowball into the compromised information being used in a malicious attack against your business, which can be very costly from a monetary and reputational damage perspective.

If your business is looking for cybersecurity training and education resources to share with your customers, SBS CyberSecurity has content that can help. SBS regularly publishes blog posts, articles, whitepapers, social media content, free cybersecurity webinars, and free downloads that can be shared with your customers. Learn more at sbscyber.com/education.