We Consumers are Fickle, But Security is No Whim

One… Two… Three…

…And then you’re gone. We consumers will wait about 3 seconds for a webpage to load and if it takes longer, we’ll abandon it and move on. We are impatient multi-taskers, and with so many digital options whether it’s websites, applications or social media and then a plethora of devices to get us there, we have little reason to be patient. Seemingly everything we need is right at our fingertips. And easy to access…at least that’s what we expect of our online experience. So we don’t love password and sign in barriers. They slow us down or more often, we get stymied trying to remember our password or username, which is aggravating to the nth degree, is it not?

Ask just about any security guru and they will tell you that poor passwords are one of the easiest targets for gaining entry into any system. In fact, according to a Verizon data breach report¹, “about 76% of network intrusions involved weak credentials.”

Ease of Use and Protection Must Balance

Balancing a seamless user experience and solid security practice management almost seems at odds, but it doesn’t have to be a complete polar opposite. Single Sign On (SSO) methods are increasingly common and integrating social media for SSO, such as using FaceBook or Twitter account credentials are an option to give the customer a simple entry-point, yet provide some semblance of protection around their identity.

In designing systems and applications, your infrastructure and your development teams both must be imbued with the understanding that User Experience (UX) and security must be part of the plan from the start. Whether you use SSO or other methods to protect customer data this has to be part of the discussion right out of the gate. And the two disciplines within IT have to find ways to work collaboratively on how the platform and the code are tightly woven together to provide both elegant design and protection for your customers once in play.

An Internal Corporate Culture of Security

From the company’s point of view, an internal security program must be given weight and supported by senior management; the value behind brand sanctity and financial protection cannot be understated as reason for initiating an enterprise-wide culture of security awareness and proactive practices. If your organization handles credit card transactions in any fashion at any level, PCI Compliance² must be pursued. Make no mistake; executing a PCI compliance initiative is not fun and not cheap.

Be prepared that the outcome of the audit almost always will reveal remediation is required. You won’t at all be comfortable to see in print that your organization isn’t so perfect. But, you can’t be fearful that holes will be found or that best practices have not been fully followed in your organization, this is almost always the case for every enterprise! Use the audit results to your advantage. It can be difficult to win support both behaviorally and financially to enforce the changes required to run a tight security-minded organization, so use the audit as the tip of the spear.

The argument that “we have to change passwords every 90 days because it is a PCI requirement” can move senior management to support you and gives your IT staff the armor they need when employees complain that changing passwords are a pain. We all know it’s a nuisance to change passwords, but as we’ve discussed already weak passwords are an easy entry point for hackers and at the end of the day it is one of the most basic and cost effective ways to protect your organization.

Elevate through Education

Our Digital Era personas demand more online access to whatever information, purchases, knowledge, or data sharing we can dream up. And as the population increasingly becomes “born to digital” security, and specifically barriers to entry, will be increasingly frustrating and unacceptable both for consumers and for employees in the workplace. So what to do about it?

Spread the message

Education on the value of security practices must apply across the board. There are three areas you should target:

1. Help your IT team understand user behavior and how to create applications that are both easy for the customer to use and yet provide integrated security stopgaps.

• Use your marketing team’s knowledge of user behavior to help you form a true understanding of what the customer is going to expect when using your website, applications, or products. Start from an informed view, and then plot your system design.
• IT Leaders need to ensure both the infrastructure and the development teams are on equal footing when it comes to carrying the weight of your security program. For example, it’s just as critical for network administrators to patch servers consistently as it is for developers to use version control and central code repositories. Both teams have to be in alignment that the security effort is a priority in all aspects of their discipline. And leadership needs to give the teams the air cover in time and resource to actually carry out the tasks.

2. Commit to a yearly mandatory employee security awareness program.

• Create a program that is geared directly to the entire enterprise. Make it personal; fit the program’s theme to your organization. Give it some humor or go for some shock and awe. Tell stories so that everyone feels they have a part to play. Make it interactive and show the consequences of not taking security seriously. Paint the picture in terms that are not at all technical, but are real-life, so that employees are drawn in and can see how the responsibility for corporate security belongs to them. A little fear here is not a bad thing. No one wants to be “that guy” that caused the breach because their USB with credit card data got dropped on the sidewalk.

3. Don’t be afraid to create customer awareness of your security posture.

• A little honest information sharing with the customer cannot hurt. Let them know what you’re doing to protect them (but bring your Legal team into this conversation). Let them know how serious you are about handling their personal information. Give them some ideas on how to protect themselves too (e.g. use of strong passwords).

While the IT team has a responsibility to find ways to integrate security best practices across all disciplines within the technology environment, it is equally important to keep the customer experience in mind as part of the strategy.

Everyone has a role to play in protecting data, especially our own. Passwords are an easy and simple example of where to shore up and build a wall against breaches, but that is one tiny piece of a security program. The entire organization has to get behind the value of the effort, and a security-minded culture has to start from the top; consistent messaging through education and daily actions cannot be pooh-poohed. Security is not a whim.

The customer too, has a part to play in the delicate balance of data security. Get the customer on your side – transparency in the company’s efforts and helpful customer focused tips can show that securing data is a partnership between company and customer, and build a level of confidence.

The Digital Era surrounds us with options and innovations, but we’re fickle. We want easy AND we want protection too. The scale is tipped in favor of fast and simple, but the smart digital enterprise will find ways to walk with a security-minded posture, yet keep in step with providing elegant product and service delivery to our customers.

Sources:

¹ “The Eight Most Common Causes Of Data Breaches.” Dark Reading. Information Week, 22 May 2013. Web. 06 July 2016. http://www.darkreading.com/attacks-breaches/the-eight-most-common-causes-of-data-breaches/d/d-id/1139795?
² “Official PCI Security Standards Council Site – Verify PCI Compliance, Download Data Security and Credit Card Security Standards.” Official PCI Security Standards Council Site – Verify PCI Compliance, Download Data Security and Credit Card Security Standards. N.p., n.d. Web. 06 July 2016.  https://www.pcisecuritystandards.org/

About the Author: