Improving Security Education: Robert Siciliano

What must financial institutions do to improve security education?

Identity theft expert Robert Siciliano shares his thoughts on the need to change the mindset of financial institutions when it comes to educating their customers about identity theft and security issues. Among the topics he discusses:

Why "old school" approaches to security education must change;
How "Soccer Moms" are now becoming "Security Moms";
Why security education must come from the financial institutions.

LINDA McGLASSON: Hi, I'm Linda McGlasson, Managing Editor of www.BankInfoSecurity.com. Today's Information Security Media Group Podcast will be with identity theft expert Robert Siciliano. He will speak to what financial institutions need to do more of when it comes to educating their customers about identity theft and safe computing practices. He is a noted expert on personal security and identity theft issues. He is CEO of www.idtheftsecurity.com, author of several books on identity theft and personal safety, and he is a frequent speaker on cyber crime and identity theft.

Hello Robert. Tell us a little bit about yourself.

ROBERT SICILIANO: I am Robert Siciliano. I am CEO of www.idtheftsecurity.com.

McGLASSON: What is the message customers should be getting when it comes to identity theft and overall safe computing practices?

SICILIANO: You know, studies show that most people don't believe that their banks are doing enough to protect them. And I would say that when it comes to the issue of identity theft, there is new account fraud, when they open up new accounts using the consumer's personal information, Social Security numbers and so forth. And then there is account takeover, and account takeover is essentially when they will get their credit card or debit card information and they will go ahead and take over their account. Or, they will even access their online banking account because they used a public PC like a public terminal in a library, or they had spyware on their own PC. And the consumer feels that the banks are not doing enough to protect them, and the reality of it is that the bank really can't protect them in these instances. But, the bank is in the best position to at least educate them on what they can do to protect themselves. And while the bank has the necessary systems in place, the firewalls, the IT security professionals, all the hardware and software to make sure that the bank's network is secure, it is the consumer that is generally the path of least resistance to the bank's servers. The consumer is the path of least resistance for new account fraud and account takeover.

So now today, with identity theft running rampant with 10 million people being victimized, the banks have an opportunity here to say "hey we are doing a spot on job of securing your data at the server level and here is what you need to do as a consumer to secure your information, to protect yourself from new account fraud and from account takeover; here are all the different things that you need to do to protect yourself."

And as a financial institution, if you are right there for that client, for that consumer, and you are showing them step-by-step what their responsibilities are, what their priorities should be regarding information security at the consumer level, studies show that the consumer will gravitate towards that lending institution. In fact many studies have pointed towards security as an effective marketing tool and today, security is certainly top of mind for many.

McGLASSON: Robert, what are some of the best trends that you are seeing out there that financial institutions are using when it comes to educating consumers and customers about identity theft?

SICILIANO: I am a professional speaker so I travel the country and I work with a number of different industries to get the word out as to what you need to do to protect yourself. I have worked with a number of different lending institutions where they have actually brought me in and we have done tours that they may work independently on their own as their own lending institution by going to all different branches, and in the communities to different branches, to the high schools, to the senior centers or they may work with other lending institutions and bring in the local politicians and so forth and make it a community-wide effort and essentially what we are doing is getting in front of as many people as possible to make them aware of the issue, to understand just how bad the problem is and unfortunately just how much worse it is going to get, but what you can do today, right now, to protect yourself.

With that heightened awareness, people understanding immediately what their responsibilities are to protect themselves, it is not just a feel-good event. There are action items that people walk away with so that they can effectively do something about this crime. So that is one, just getting in front of the people and talking about it, answering their questions. I find that when you get in front of a group of people, they have so many questions related to the problem, and I might have an hour and a half presentation planned, that I have a certain amount of information that I want to get out in an hour and a half, and I find that I have got an hour of questions that I have got to answer, which is perfectly fine because people walk out of there satisfied that okay, now they have clarity on the issue, and that is a problem.

In this day and age I would think that everybody should have already had their questions answered, but the banks haven't done an effective job of that. What I do see to help answer those questions, besides the community effort and getting out there and presenting in front of the public, websites because most banks have something on their website that provides the consumer, the client, with some type of information as to what is going on and what they should be doing and the extent of the problem and what their immediate responsibilities are. But that is just not enough. It is not enough to just have that website. Often they will have something at the teller line, there will be some documents or some three-fold brochure, that will have information on identity theft along with a link to that website. There may be information contained in the monthly statements that they receive in the mail that will also remind them of the issue and again what their responsibilities are on how to protect themselves. Different lending institutions are also offering different forms of identity theft protection, whether that is credit monitoring, fraud alert, sometimes they will work with that consumer to initiate a credit freeze, often they will work with that consumer, that client, to go and actually get a copy of their credit report.

They will go to www.annualcreditreport.com or they will actually have a relationship with an existing vendor who they use to access that client's credit report at all three credit bureaus along with their scores. They will work with them to see if there are any discrepancies or any accounts that are opened up under their name in the event that their identity is compromised. Sometimes that lending institution may actually hold the hand of the client and work with them to restore that identity. That obviously can be a very long and tedious process, not just for the consumer but for the bank themselves, so that is when they may bring in third parties to do that for them; they may actually forward that client to the identity theft resource center that works in that capacity to restore victims' identities.

So there are a number of things that the institution can and should do to bring awareness, to educate, to work with that client to make sure they are being taken care of in this matter because when it does happen, when identity theft happens, whether it is new account fraud or account takeover, often the first thing that the client does is they call the bank. Often I find that the bank isn't prepared to respond in that manner and they should have systems in place, they should have some type of response plan to deal with victims and that is something that needs to be continually reviewed.

McGLASSON: So banks should already have an incident response plan for identity theft in place ahead of time, right?

SICILIANO: Exactly. And when they have that response plan, that same response plan should also include a proactive plan; this is what we are doing right now in the community to bring awareness to the issue and in the event that our awareness campaign fails that for whatever reasons someone slips through the cracks and they are victimized, here is our response plan. So both a proactive and a reactive plan to deal with the issue.

McGLASSON: You have seen a lot of the different messages from banks educating their customers on identity theft. What are some of the best ones that you have seen out there?

SICILIANO: Well certainly we all remember the Citibank commercials where they spent an awful lot of resources on educating the public on the issue of identity theft through humor. The funny commercials we saw on television were definitely a step in the right direction. It certainly heightened the public's awareness of the problem. You know you had the women with the men's voices and so forth and it definitely brought attention to the issue and it made a lot of sense to most people who watched it and all of those videos went viral on YouTube as well. So they got a lot of traction and that was an education campaign. The more effort and energy that you lend to bringing awareness to the issue, the public is hungry for it and the more they are going to gravitate towards you. So that was definitely one effective campaign that they did, not just via video but they also did it via a magazine campaign and they won a lot of awards for that as well. So I would suggest that any institution take advantage of social media and YouTube and the web as a whole, and again, bring attention to it.

Also, the Chief Marketing Association, the CMO Council for Chief Marketing Officers, did a study years back and they found that, plain and simple, if you brand yourself as a secure brand, that security is part of your brand, that if you allocate part of your budget to security and marketing security, then consumers are paying attention. They are hungry for this information and they are looking for direction. They want to be informed. They will consume products and services that are built and designed around information security because they see the need.

We are in a different culture today. You know, while it is very post-9/11, it is still very fresh on people's minds at some level, and we now have soccer moms that are now security moms, and security moms are paying attention. All the mommy bloggers out there, many of them talk about security issues because they are the ones ultimately responsible for protecting their family; at least they have adopted this attitude, which I believe is fantastic.

McGLASSON: Interesting Robert. As for this new breed of soccer/security moms, are there any special messages that they should be getting from their institutions?

SICILIANO: You know there is a campaign going on right now with many of the major security companies that want to harness the vibe that is going on out there with the mommy bloggers and the security moms and so forth. McAfee and Symantec and many others, they are directly reaching out to these security moms, mommy bloggers and so forth, that are spreading the word. Whether you do it nationally, whether you do it locally, whether you are a regional institution, whatever the case is, it is to your advantage to get involved with the voice of the people so to speak; those out there that are spreading the word, that are bringing attention to the issue.

You know, we are in a social media age and that is never going to go away. It has taken a strong foothold. We are 300 or 400 million people on Facebook and everybody has access to the internet in this capacity, and to get the word out there via Twitter and Facebook and so forth, and to keep it out there and to keep pumping out that information, to have somebody internally that a portion of their responsibility is to manage that social media, to continually bring attention to the situation, I think it is a fantastic way to heighten the awareness of the public. I often work with local credit unions and local banks and every three to six, eight months, they keep bringing me back and we keep going to the high schools, we keep talking about the issues, we keep bringing the parents in. It is just an ongoing campaign of awareness, and every program that I do, there is always somebody or a few people that were in the last program that I did. So the same people are coming over and over again, along with new people that have heard about it and they want to know more about it. So there is definitely an interest there and there has never been a better time to bring more attention to the issue than now. And additionally, the fringe benefits are that you strengthen your brand and brand loyalty.

McGLASSON: And, at the same time, reinforcing your message of how important you think securing their data is.

SICILIANO: Yeah. And it is really a no-brainer. I mean, why wouldn't you want to bring awareness to the issue? You know, it is funny because banks being old school, I mean they have been around for quite some time, and there is a lot of old school thinking when it comes to the lending institutions. You know, they are not so quick to adopt new; they kind of like old and how it has always worked well, and that is fine. What works, don't fix it if it's not broke - great. But, as far as security goes and bringing awareness to security issues, I find that banks are very old school as far as that is concerned. They don't really like to talk about security because the old school of thought is that, well, if you sweep it under the rug maybe it will just kind of go away. Once you highlight security issues then it instills fear in people, that security has some paranoia involved there and that it puts fear and it makes people uncomfortable, but today it couldn't be farther from the truth. And this is an analogy that I have heard over and over again, and I have used it myself: you know, it is kind of like, do you want your kids to learn about the birds and the bees from somebody else, and they don't learn the correct information and they kind of go along with being misinformed about the issue, or do you want them to learn it from you? Do you want them to understand the reality of it? Do you want them to understand what is appropriate and what is not and so forth?

It is the same thing with security. Do you want them to learn about security from somebody else or do you want them to learn it from you? If they learn it from you they are going to learn your version of it, what you see as in how to be protected and so forth, what steps they need to take, and generally that would involve working with your institution. So it is one of those things where if you keep sweeping it under the rug, eventually another organization is going to bring it to their attention and that may be where they head next.

McGLASSON: Thank you Robert for sharing with us your insights here today.

SICILIANO: Thank you.

McGLASSON: I'm Linda McGlasson, for Information Security Media Group until next time.