Pub. 10 2021 Issue 1

13 S p r i n g | 2021 F E A T U R E In many cases, the poor cybersecurity practices of your customer(s) can lead to a compromise by a malicious attacker. A customer compromise can lead the malicious attacker to steal valuable information or access belonging to the custom- er. In most cases, the customer compromise value proposition is email access, account access, or customer funds through a single (or multiple) financial institutions. In any case, the malicious attacker may have some or all of the customer’s information and can set the customer up for a cooperate account takeover (CATO) scenario. CATO comes in many forms, but the two most popular include draining customer bank accounts, redirecting funds to unauthorized payees, or business email compromise (BEC) attacks that steal money and further the attacker’s agenda. Customer compro- mise is very difficult to combat and can often lead to reputa - tional and monetary damage to your business. Cover the Basics Training of internal employees is a must that all organiza- tions should embrace to create a strong security culture. How- ever, most organizations don’t take the proactive approach of educating their customers the same way they educate their employees to combat cyber threats. An organization with a strong security culture goes beyond internal employees and talks about cybersecurity threats with its customers as well. Educating customers about the dangers of cyber threats helps build a stronger relation- ship with the customer. Stronger customers also benefit the business since a stronger customer will reduce the risk of that customer information becoming compromised or used mali- ciously against your business. People are the weakest link in any security program, and malicious attackers most frequently target people — internal and external. Your customers can benefit from the same secu - rity awareness topics shared internally, including: • Phishing and social engineering — The most com- mon malware delivery method and compromise of account credentials is social engineering. Providing education on the different types of social engineering attacks and what controls can be added to mitigate an attack’s risk can significantly reduce risk. Stressing the dangers of phishing emails and how the organization can defend against phishing is another key point from this category. • Physical security — Educate customers about physi- cal security threats and best practices for securing physical assets. If physical security is compromised, attackers own your devices or information. • Access controls, including passwords — Educate customers on the importance of strong authentica- tion mechanisms and systems they access. Stress the importance of length vs. complexity when it comes to passwords and encourage customers to implement multi-factor authentication (MFA) whenever possible. • Remote access security — Educate customers on the importance of securing remote workers through VPNs, wireless network best practices, quality anti-malware programs, etc. • Use of encryption — Educate customers on the impor- tance of encryption around data in transit (sent over the internet) and data at rest (stored on a local device). • Mobile device security — Educate customers about security controls for mobile devices (little computers), including strong passwords, biometric (fingerprint or Continued on page 14 Training of internal employees is a must that all organizations should embrace to create a strong security culture. However, most organizations don’t take the proactive approach of educating their customers the same way they educate their employees to combat cyber threats.