Pub. 15 2020-21 Issue 6

WWW.NEBANKERS.ORG

Customer Cybersecurity Awareness – Creating a Culture of Security

TECH TALK

Eric Chase, Information Security Consultant - SBS CyberSecurity, LLC

While most organizations think through the direct risk of cyber threats to their business via cyber attacks, known vulnerabilities, and security flaws, not many organizations recognize the risk posed by their customers. There are (typically) two different types of customers:

• Commercial Customers (B2B) – other businesses doing business with your organization.
• Consumers (B2C) – individuals who utilize your online-based products and services.

Customers Have Less Security

More often than not, businesses (particularly those in regulated industries) have stronger cybersecurity controls in place than customers. Think about your customers – commercial or consumer – and ask yourself: who has stronger cybersecurity controls? If you're not the winner of that debate, it may be time for some cybersecurity assistance.

In many cases, the poor cybersecurity practices of your customers can lead to a compromise by a malicious attacker. A customer compromise can lead the malicious attacker to steal valuable information. In most cases, the customer compromise value proposition is email access, account access, or customer funds through financial institution(s).

In any case, the malicious attacker has the customer's information and can set the customer up for a corporate account takeover (CATO) scenario. CATO comes in many forms, but the two most popular include draining customer bank accounts, redirecting funds to unauthorized payees, or business email compromise (BEC) attacks that steal money and further the attacker's agenda. Customer compromise is very difficult to combat and can often lead to reputational and monetary damage to your business.

Cover the Basics

An organization with a strong security culture goes beyond internal employees and talks about cybersecurity threats with its customers as well.
Educating customers about the dangers of cyber threats helps build a stronger relationship with the customer. Stronger customers also benefit the business. A stronger customer will reduce the risk of their information becoming compromised or used maliciously against your business.

Your customers can benefit from the same security awareness topics shared internally, including:

• Phishing and social engineering – Educate customers on the different types of social engineering attacks and what controls can be added to mitigate the risk of an attack. Stressing the dangers of phishing emails and how the organization can defend against phishing is another key point to cover.
• Physical security – Educate customers about physical security threats and best practices.
• Access controls, including passwords – Educate customers on the importance of strong authentication mechanisms. Stress the importance of length vs. complexity when it comes to passwords and encourage the implementation of multi-factor authentication (MFA) whenever possible.
• Remote access security – Educate customers on the importance of securing remote workers through the use of VPNs, wireless network best practices, quality anti-malware programs, etc.
• Use of encryption – Educate customers on the importance of data encryption.
• Mobile device security – Educate customers about security controls for mobile devices, including strong passwords, biometric authentication, encryption, anti-malware programs, and Wi-Fi connectivity.
• Malware awareness – Educate customers about defending against malicious software.
• Importance of anti-virus and firewalls – Stress the importance of firewalls and the use of malicious program detection programs.
• Security awareness – Stress the importance of ongoing security awareness training and staying up-to-date about modern attacks.
• Incident response plans – Stress the importance of corporate customers building a plan to fail well (an incident response plan) in the event they are compromised.
