Customer Awareness: Best-Practices in Spreading the Word on Security
- What banking institutions are doing for customer awareness - and what they should be doing;
- Key ingredients of a successful awareness program;
- Traps to avoid.
TOM FIELD: Hi, this is Tom Field with Information Security Media Group. Today the topic is customer awareness, and I'm talking with banking attorney Charlotte Bahin with Locke Lord Bissell and Liddell, a firm in Washington D.C. Charlotte, thanks for joining me today.
CHARLOTTE BAHIN: Well, thank you.
FIELD: In general, what are banking institutions doing these days in terms of customer security awareness?
BAHIN: Well, I think banking institutions of all sizes are doing a number of different things. Many of them are aware that their customers are very concerned about identity theft and the security of their data because of the well-publicized breaches that have occurred in the last few years. So, a number of banks are looking at how to let their customers know that they are protecting the data, and also helping to work with their customers who have been victims of identity theft or of a data breach.
FIELD: Just based on what you see in the banking community, Charlotte, and what you know about the data breaches, what should banking institutions be doing now?
BAHIN: Well, I think many banks are doing just the right things. I think that generally many banks really need to be a little bit more proactive. They need to let their customers really understand what information security procedures are in place at the bank, what it is that the bank is doing to help the customer, and also help the customer be more proactive and understand what their own actions are with regard to any kind of identity theft or data breach.
FIELD: Let's follow up a little bit, what do you see banking institutions doing? I mean, what ways are they now communicating with their customers in terms of awareness?
BAHIN: Well, I think that many banks have included statement stuffers over the past few years in their mailings to their customers. They also have information on their websites. A number of banks that I've seen have websites that have links to a number of the government sites that include information about identity theft. And I know that a number of banks that have been hit especially hard with identity theft or phishing scams send out separate letters, or they get information out in the community about how to guard against the phishing scams.
FIELD: Now, as you know, Charlotte, it is a hot topic now especially with the I.D. theft or rather the red flags deadline coming up, so lots of banking institutions are on the bandwagon for customer awareness right now. For one that is just thinking of this seriously, how does one go about either initiating or jumpstarting an existing awareness program?
BAHIN: Part of it is actually looking inside the bank and seeing what the bank is doing already that maybe they don't know about. Part of it is educating everyone at every level of the bank from tellers to CSRs to loan officers, to anyone within the bank that touches any information or that has any kind of contact with the consumer. Developing an outreach program to the community, you know, whether it's having a spot on the radio or putting out flyers or arranging seminars in the bank during the lunch hour or in the evening hours to provide education to all of their customers, and really helping them to understand what the bank is doing and how they can work together to ensure that identity theft doesn't occur.
FIELD: Based on the programs that you've seen, Charlotte, what are the key ingredients of a successful awareness program?
BAHIN: An important element, given what I've just said that may seem a little, a little difficult, is a successful program really needs to be easy to implement and easy for all of the employees of the bank to understand how important it is and how important the protection of the information and also customer communication is. If it is too difficult or there are too many, too many levels of work that have to be done, then it is less likely to be adhered to very strictly. So, it's really important to get the message out inside the bank as well as to consumers.
FIELD: Now on the flip side, what do you find to be some of the traps that banking institutions want to avoid?
BAHIN: One of the traps -- and I know that a lot of banks have heard a lot of people talking about this over the past few years -- is having really great policies that are developed and that have the buy-in at all levels like from the floor down to the tellers ... and then having those policies not being followed. So it is really important from the inside out to have good policies, but then also to follow them. And then the other really important thing to avoid is thinking that the bank has a good customer communication strategy, but discovering later that it's not actually reaching the customers. So, really, it's just making sure that everyone follows the policies and that the customers really understand what the bank is trying to achieve.
FIELD: You make a good point there, Charlotte, making sure that this is reaching the customers. What is a good way to gauge that type of success that you are indeed reaching the customers?
BAHIN: Well, that is a hard, that is a great question, and it's a hard question to answer. And I think that you know that I would like to say that the answer would be that none of the customers would be victims of identity theft or that there wouldn't be a security breach, and ultimately I guess that is the ultimate little measure of success. But I think a more realistic measure is just making sure that as many customers as possible know what some of the pitfalls are, and that if they do experience identity theft that they actually know where to turn. And one of the places where they would turn, obviously, is to the bank, but that they would know where to get help and know how to solve their identity theft issue.
FIELD: Now, you've got a Webinar coming up on this topic that we are all really excited about. If you could just talk about some of the key takeaways of this webinar, what do you want people to get out of this?
BAHIN: I think one of the most important things that I'd like for people to get out of it is that the bank really needs to have its own house in order to have a credible and effective customer awareness program. And by that, I mean that you know there has to be good privacy and data security policies in place. There has to be really good customer communication. There has to be an integration of a strategy that has been developed and that has buy-in from all levels of the bank. And this strategy could include development of materials, training for all levels of employees, outreach to consumers, and having focus groups to make sure that the consumers are really paying attention to what the bank is saying. And then ultimately, changing the message if necessary, and then all of this is against the backdrop of having an additional regulatory requirement that will be coming into effect in November, just making sure that the red flags policies and procedures are in place for the next time that the examiners come in.
FIELD: What's your sense: How ready for this red flag deadline are the banking institutions that you see?
BAHIN: A lot of banks have spent a lot of time looking at information security and protection of privacy, trying to avoid phishing scams or trying to be reactive to phishing scams if they do occur. I'm not sure that a lot of banks have really taken a hard look at developing a proactive program to try to avoid any kind of identity theft, and I think that is probably something that a lot of banks will have to spend some significant time on this summer.
FIELD: For these banking institutions that we are talking about that need to go to summer school, so to speak, if you could boil it all down, what is the one piece of advice you would offer them regarding customer awareness?
BAHIN: I think really just making sure that the bank itself has a credible and effective program in place that can be transmitted to the customers, so if the customer continues to believe that the bank itself is the trusted advisor and the trusted entity. So they can really know that the information that the bank has of the customers is being protected and that the customer can feel secure and the information that they are actually getting from the bank on how to protect, to do what they need to do to protect their own information.
FIELD: That is well said. Charlotte, I'm really looking forward to the webinar on this topic. I think it's going to be a good opportunity to take a dive into a subject that people really need to get smart about quickly.
BAHIN: Yes, I think it will be. I think it will be very timely, and I'm looking forward to it as well.
FIELD: I appreciate your time and your insight this afternoon. Thank you very much.
BAHIN: Thank you.
FIELD: We've been talking with Charlotte Bahin. For Information Security Media Group, I am Tom Field. Thank you very much.