Protecting Customer Accounts and Information in a World of Digital Connectivity
- October 18, 2021
The digital revolution has delivered broad gains for businesses, from automating manual tasks and increasing efficiency to enabling more advanced security and safeguarding data. Those benefits carry risks of their own. The ease with which an organization can roll out a new platform mirrors the ease with which a cybercriminal can deliver malware into it. The spread of accessible consumer data used to inform customer journeys also heightens exposure to mass data breaches and account takeovers.
Data breaches are at an all-time high, and modern platforms and ecosystems are essential for monitoring your organization, identifying suspicious activity, and ranking risk. As a result, CROs and CISOs must focus on solid risk planning and cybersecurity initiatives to realize the value of cloud computing, remote access, and other digitization efforts while offsetting the associated risks.
What’s happening in the world of risk right now?
A lot has changed since 2020. Accelerated digitization brought a corresponding influx of smarter, more agile, and more damaging cybercriminals. Regulations changed seemingly overnight to address rising instances of fraud. One in five consumers experienced online shopping fraud in 2020. Additionally, 72% of online merchants recorded an increase in fraud attempts, and one-third of those reportedly lost 5-10% of their revenue to fraudulent activity.
The Office of the Comptroller of the Currency (OCC) and the other Federal Financial Institutions Examination Council (FFIEC) members issued guidance addressing authentication and access to financial institution services and systems. The cybersecurity threat landscape continues to present significant risks to financial institutions, reinforcing the need for financial institutions to effectively authenticate and control access for users and customers to protect information systems, accounts, and data.*
In addition to an increase in fraudulent activity, companies are facing another threat: account takeovers. A global survey found that 71% of cloud users suffered not one but seven account takeovers in the last year alone. Three in every four companies have experienced a malicious account takeover and risk losing revenue, customer loyalty, and a favorable brand reputation. In response, organizations are scrambling to identify and intercept fraud and attacks by reviewing outdated systems and processes, upgrading technology, and shifting priorities and budgets.
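Identifying an account takeover in progress is, in practice, a detection problem over authentication logs. The following is an added example, not code from the original article or from NTT DATA, that runs two common rules over a constructed set of login events: one IP failing against many distinct accounts in a short window (credential stuffing), and an account that accumulates failures and then succeeds from an IP that has never logged into it before (a likely takeover). The log format, thresholds, IPs and user names are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is one parsed authentication log line.
type Event struct {
	At      time.Time
	User    string
	IP      string
	Success bool
}

// Alert names the rule that fired and the IP or account it concerns.
type Alert struct {
	Rule, Subject string
}

// sampleLog is constructed for this example (assumed format: RFC 3339
// timestamp followed by key=value fields); it is not from any real system.
const sampleLog = `2021-10-18T09:00:01Z user=alice ip=198.51.100.7 result=ok
2021-10-18T09:00:05Z user=alice ip=203.0.113.9 result=fail
2021-10-18T09:00:06Z user=bob ip=203.0.113.9 result=fail
2021-10-18T09:00:07Z user=carol ip=203.0.113.9 result=fail
2021-10-18T09:00:08Z user=dave ip=203.0.113.9 result=fail
2021-10-18T09:00:09Z user=erin ip=203.0.113.9 result=fail
2021-10-18T09:00:10Z user=frank ip=203.0.113.9 result=ok
2021-10-18T09:05:00Z user=bob ip=192.0.2.44 result=fail
2021-10-18T09:05:03Z user=bob ip=192.0.2.44 result=fail
2021-10-18T09:05:06Z user=bob ip=192.0.2.44 result=fail
2021-10-18T09:05:09Z user=bob ip=192.0.2.44 result=ok
2021-10-18T09:30:00Z user=carol ip=198.51.100.8 result=ok`

// ParseLog turns the log text into events (assumed already ordered by time).
func ParseLog(text string) ([]Event, error) {
	var out []Event
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		e := Event{At: at}
		for _, kv := range f[1:] {
			k, v, _ := strings.Cut(kv, "=")
			switch k {
			case "user":
				e.User = v
			case "ip":
				e.IP = v
			case "result":
				e.Success = v == "ok"
			}
		}
		out = append(out, e)
	}
	return out, nil
}

// Detect applies two rules over time-ordered events:
//   - credential-stuffing: one IP fails against >= minUsers distinct accounts inside window;
//   - account-takeover: an account reaches >= minFails failures and then succeeds
//     from an IP that has never succeeded on that account before.
func Detect(events []Event, window time.Duration, minUsers, minFails int) []Alert {
	type attempt struct {
		at   time.Time
		user string
	}
	var alerts []Alert
	recentFails := map[string][]attempt{}    // ip -> failures inside window
	flagged := map[string]bool{}             // ips already reported
	failStreak := map[string]int{}           // user -> failures since last success
	knownIPs := map[string]map[string]bool{} // user -> ips that succeeded before
	for _, e := range events {
		if !e.Success {
			failStreak[e.User]++
			a := append(recentFails[e.IP], attempt{e.At, e.User})
			for len(a) > 0 && e.At.Sub(a[0].at) > window {
				a = a[1:] // expire failures older than the window
			}
			recentFails[e.IP] = a
			users := map[string]bool{}
			for _, x := range a {
				users[x.user] = true
			}
			if len(users) >= minUsers && !flagged[e.IP] {
				flagged[e.IP] = true
				alerts = append(alerts, Alert{"credential-stuffing", e.IP})
			}
			continue
		}
		if knownIPs[e.User] == nil {
			knownIPs[e.User] = map[string]bool{}
		}
		if failStreak[e.User] >= minFails && !knownIPs[e.User][e.IP] {
			alerts = append(alerts, Alert{"account-takeover", e.User})
		}
		knownIPs[e.User][e.IP] = true
		failStreak[e.User] = 0
	}
	return alerts
}

func main() {
	events, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range Detect(events, 5*time.Minute, 5, 3) {
		fmt.Printf("%s: %s\n", a.Rule, a.Subject)
	}
}
```

On the sample data the first rule flags 203.0.113.9 once it has failed against five accounts within five minutes, and the second flags bob, whose failures are followed by a success from an IP the account had never used; frank's success from the flagged IP is not reported by the second rule because that account had no failure streak, which is why a real deployment would also correlate successes against IPs the first rule has already flagged.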
Read The 5 Greatest Risks Facing Organizations Post-2020 to learn more.
How can CISOs better protect customer information and accounts?
Basic “digital hygiene” is an effective way to mitigate attacks and adhere to regulatory requirements. There are eight essential steps every CISO must follow to monitor threats and protect customer information and accounts.
1. Be transparent about how you use customer data
Customer experience drives products, services, and organizational success in today's market, and data transparency is imperative to customers. Organizations that prioritize data privacy earn the trust and loyalty of consumers. In one example of transparent data use, Apple marked Data Privacy Day by releasing the video "A Day in the Life of Your Data," which showed consumers how their information is collected as they go about a day and how it travels to third-party vendors and websites.
Other companies are following suit and giving consumers more information about how, why, and where their data is used. Transparency around data use promotes loyalty and gives consumers the insight they need to be active participants in protecting their accounts and information.
3. Update software regularly
Outdated applications contain known vulnerabilities that criminal actors can find and exploit. Organizations that delay updating software and fail to replace legacy systems put their assets, customers, and brand at risk. Organizations naturally prefer to schedule updates and upgrades for slow periods, but attackers know this pattern and exploit the lag.
During the COVID-19 pandemic, cybercriminals disproportionately targeted the healthcare and pharmaceutical industries. These organizations were overwhelmed by the influx of activity spurred by the pandemic, and those that procrastinated on implementing updates suffered more cybercrime as a result. For example, NTT Ltd. researchers identified Drupal, Apache, and Microsoft products as accounting for 72% of the vulnerabilities targeted in healthcare.
4. Always encrypt user data
Fewer than half of businesses encrypt user data. Companies that fail to use encryption are risking their organization and their customers' private information. Most payment providers require retailers to encrypt card details by default during the transaction process, but some businesses fail to prioritize encryption where no such requirement exists. The payment process is streamlined to enhance the customer experience, but companies must match ease of use with current, well-vetted encryption: TLS for data in transit and authenticated encryption for data at rest. Encryption renders stolen data unreadable only if the keys are not stolen with it, so keys must be held separately from the data they protect, access to decrypt must itself be controlled and logged, and nobody should assume encryption at rest protects data an attacker reads through a compromised application or account.
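To make the "encrypt user data" advice concrete, here is an added example, not code from the original article or from NTT DATA, that encrypts a record field with AES-256-GCM (authenticated encryption) and stores a key identifier with each ciphertext so keys can be rotated. The `KeyRing` type is a hypothetical stand-in for a key-management service or HSM; the customer ID is used as additional authenticated data so a ciphertext cannot be moved from one customer's row to another's. The key, key identifier and card number are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyRing is a hypothetical stand-in for a key-management service or HSM:
// data keys live here, never alongside the records they protect.
type KeyRing struct {
	keys map[string][]byte
}

func NewKeyRing() *KeyRing { return &KeyRing{keys: map[string][]byte{}} }

// AddKey registers a 256-bit AES key under an identifier. Each record carries
// the identifier of the key that sealed it, so old rows stay readable after a
// key rotation while new rows use the new key.
func (k *KeyRing) AddKey(id string, key []byte) error {
	if len(key) != 32 {
		return errors.New("key must be 32 bytes (AES-256)")
	}
	if len(id) == 0 || len(id) > 255 {
		return errors.New("key id must be 1..255 bytes")
	}
	k.keys[id] = key
	return nil
}

func (k *KeyRing) gcm(id string) (cipher.AEAD, error) {
	key, ok := k.keys[id]
	if !ok {
		return nil, fmt.Errorf("unknown key %q", id)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one field with AES-256-GCM and returns the blob
// len(keyID) || keyID || nonce || ciphertext+tag.
// aad (for example the customer ID) is authenticated but not encrypted, so a
// blob copied from one customer's row into another's will not decrypt there.
func (k *KeyRing) Seal(keyID string, plaintext, aad []byte) ([]byte, error) {
	g, err := k.gcm(keyID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per record
		return nil, err
	}
	out := append([]byte{byte(len(keyID))}, keyID...)
	out = append(out, nonce...)
	return g.Seal(out, nonce, plaintext, aad), nil
}

// Open reverses Seal; any modification of the blob or a mismatched aad fails.
func (k *KeyRing) Open(blob, aad []byte) ([]byte, error) {
	if len(blob) < 1 || len(blob) < 1+int(blob[0]) {
		return nil, errors.New("truncated blob")
	}
	n := int(blob[0])
	g, err := k.gcm(string(blob[1 : 1+n]))
	if err != nil {
		return nil, err
	}
	rest := blob[1+n:]
	if len(rest) < g.NonceSize()+g.Overhead() {
		return nil, errors.New("truncated blob")
	}
	return g.Open(nil, rest[:g.NonceSize()], rest[g.NonceSize():], aad)
}

func main() {
	kr := NewKeyRing()
	key := make([]byte, 32)
	rand.Read(key) // in production the key comes from the KMS, not the application
	_ = kr.AddKey("2021-10", key)
	blob, _ := kr.Seal("2021-10", []byte("4111 1111 1111 1111"), []byte("customer:42"))
	pt, err := kr.Open(blob, []byte("customer:42"))
	fmt.Printf("%s %v\n", pt, err)
	_, err = kr.Open(blob, []byte("customer:43"))
	fmt.Println("wrong row:", err)
}
```

GCM's nonce is 96 bits and must never repeat under the same key, which is why the example draws a fresh random nonce per record and keeps the key identifier in the blob: rotating to a new key is the safe response long before the random-nonce collision bound for a single key is approached.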
5. Modernize platforms and processes
Heavily manual systems and inconsistent processes are putting organizations at risk. Organizations must eliminate "swivel-chair" interfaces that require manual data entry between systems and instead adopt modern platforms and intelligent automation. Operational risk management helps businesses shore up weak controls, enhance performance, and prevent the unintended consequences that outdated systems produce. NTT DATA's maturity model rates an organization scoring 5.00 to 5.99 as mature and optimized, meaning it uses:
- Process: Mature and automated workflows
- Metrics: Fully automated reporting
- Tools: Integrated platform with automated correlation
6. Educate employees on best practices
It's not enough to upgrade your technology and platforms without the appropriate measures to train employees to adopt new working methods. Training and upskilling programs educate employees about identifying and avoiding fraudulent activity, from email phishing scams to the use of untrusted networks.
Organizations should continue to educate employees on evolving COVID-19-themed cyberattacks and consider establishing an internal communication channel or clearinghouse for official COVID-19 news to reduce employees' exposure to malicious sites and disinformation. Humans are unpredictable, and a cybersecurity education program better positions an organization to protect its data from the inside out.
7. Test for unseen weaknesses
Numerous cyberattacks take advantage of lapses in security preparedness. With the rise in hostile cyber activity, it's more important than ever that organizations prioritize the timely application of patches and updates. For example, if your organization relies on a video-meeting or collaboration application, always run the latest version and monitor for updates. Beyond that, organizations should prioritize good backups and emphasize endpoint control, including appropriate antivirus software. Penetration testers or other cybersecurity experts can audit your website and applications to find vulnerabilities that scanners and patch reports miss and tell you which areas need fixing.
8. Create a disaster recovery plan
Despite all your best efforts, CISOs and organizations must prepare for the worst-case scenario. You must develop a Disaster Recovery Plan, with remediation steps worked out in advance and rehearsed, so you can bounce back quickly from an unforeseen data breach or account takeover. Although you want to intercept instances of fraud, no industry or organization is immune to a cyber-attack. Therefore, create a backup plan, including backups that are kept offline and whose restores are tested, that allows you to remain proactive and agile in the face of risk.
Learn more in our Quick Guide to Dynamic Risk Management and Monitoring.
* The FFIEC guidance provides risk management principles and practices that support a financial institution’s authentication of (1) users accessing financial institution information systems, including employees, board members, third parties, and other systems, and (2) consumer and business customers accessing digital banking services.