"It's hard to educate customers…but we still have to try." My boss uttered this the last time we broached the subject of customer education, and I think it perfectly captures the difficult task that banks are facing now and will continue to face in the future.
Customer education is sort of the grad school of training, right? Most of you are still working on training your employees not to click on links in email as you hope and pray that your social engineering test goes well this year. But customers? How do you create training materials for customers? How do you grab their attention when you don't sign their paycheck?
Let's look at the first part of my boss's statement. I think we can all agree that it's hard to educate customers. The biggest roadblock I see is that there is no way to know whether customers are reading training information. Most banks will include educational inserts with their mailers, but how do you know whether your customers are actually reading the material? (Some would argue that there is a way to know and that there is probably only one customer reading those inserts. I bet we're all picturing the same customer right now…) I think another big roadblock is just that this isn't something most banks have done in the past. Customers don't expect training from their banks, and banks don't have a good example to look to and say, "That bank's customer education program is what we want to model ours after." Your customer base (or audience) is usually pretty broad, so who do you aim to reach as you try to create training tips?
As financial institutions, you have always been most concerned with protecting your customer data while it is in your network, building, care, etc. With the introduction of Internet and mobile banking, your customers have now become larger targets for hackers and other criminals. In the FFIEC's Supplement to Authentication in an Internet Banking Environment, we saw regulators mention customer awareness and education and include minimum requirements for a bank's customer awareness program. Legally, determining who is responsible (bank or customer) for a breach is a grey area. Was the customer responsible for the breach? Did the bank make every effort to protect the customer's information? Does that include educating the customer on the dangers of the Internet, phishing, social engineering, etc.? I haven't found clear-cut answers to these, so the legal liability area is still grey for me.
…but we still have to try. I love the second half of my boss's quote. I think those of us in the security and financial industry have been ending the sentence at the hard part. We all know the challenges of educating customers, so we've been trying to put it out of our minds…few are doing it, so we're OK for now. But we still have to try. Will there be customers who don't listen? Yes. Will there be customers who don't understand? Sure. Will there be customers who do listen, who are concerned with information security, but aren't sure what to do about it? Definitely. You don't have to be a bank employee or security consultant to be bombarded with stories of breaches and financial loss. With more of our customers relying on technology in their daily lives, the percentage of customers who care about security is larger than ever before.
What message would it send to your community if you were the bank who wanted to educate its customers? Don't wait until you have a perfect plan. You may not reach everyone, but what about starting with a short video featuring one Internet safety tip on your Internet banking site? Then, in a week or two, you feature one more and so on. What about offering a lunch and learn in a meeting room where customers can come hear about important information security topics? Posters in the drive-thru? Even if these won't work for your institution, I think it's important to get the conversation started. Brainstorm and discuss the educational channels that would work for your financial institution and for your customer base. Bring in both your technical gurus and marketing resources. You are in a unique position because your institution has been exposed to the importance of information security much longer than most industries, and you have a customer base who most likely doesn't know what you know, but who also really needs that information. The possibilities for educating your customers are endless, so let's start somewhere, and let's start now.
Stephanie Chaumont is a Security and Compliance Consultant for CoNetrix. CoNetrix is a provider of information security consulting, IT/GLBA audits and security testing, and Tandem – a security and compliance software suite designed to help financial institutions create and maintain their Information Security Program. Visit our website at www.conetrix.com.