Over the years, one of the most common things we have heard from community banks and credit unions is that they are not the target of phishing, malware, or email spoofing. It has taken years, but the general ‘head in the sand’ policy of denial is fading, and these institutions are finally getting it. Large banks have known this for a while, and most anticipate a certain level of electronic fraud losses and factor it into the cost of doing business.
But be they large or small, there are only two types of financial institutions: those who know they’ve been attacked, and those who have been attacked but don’t know it.
When a financial institution’s customer logs into their online bank account, an unspoken agreement is being made. The safety of the online session is assumed, and any security gap that lets a threat slip through – even if the source of that threat is the customer’s own computer – can lead to a loss of funds, a data breach, and perhaps worst of all, a breach of trust. Even if the institution retrieves the customer’s stolen money or reimburses them for the loss, the customer will never trust that transaction channel, or even the bank, ever again.
Fraudsters are in the business of making a quick buck, and in this effort, are always developing new ways to steal login credentials and compromise systems. They’ve gotten increasingly good at it, but the way that financial houses protect themselves against attacks has not kept pace with some of the most advanced threats out there. The inevitable result is that a bank’s best-laid security plans go awry because of the browsing behavior of their customers – a risk factor that is out of their control.
Some security vendors attempt to mitigate these threats – particularly malware – by offering products that constantly scan the PCs of their customer population and take steps to remove such malicious programs when they are detected. But this whack-a-mole strategy does nothing to protect customers from themselves or to prevent them from navigating to websites containing malware.
So how can risky user behavior, an element of the equation that banks traditionally have no control over, be mitigated, or at least minimized? One idea might be to provide end users with a downloadable application that prevents them from visiting harmful websites in the first place. Another tactic to ensure that end users are navigating safely, especially when they’re visiting your organization’s transactional platforms, lies in the treatment of the malware that’s already likely to be on their machines.
A bird’s-eye view approach is one that works not by removing any malware present on the device, but by disabling it. Once the malware’s ability to connect to its command and control structure is severed, it is rendered benign. Any safe browsing solution that functions in this way has a distinct advantage over the whack-a-mole approach: secure transactions can be made even on malware-infected devices.
Selecting the Right Security Solution Is Crucial
As the stakes have never been higher, these approaches to end-user safe browsing are needed now more than ever. Just one compromised online account can do irreparable damage to an institution’s reputation; just one data breach can cost millions. The jobs of CISOs and other senior-level managers are on the line.
It is for these reasons that forward-thinking banking executives have come to realize that safe browsing, and anti-fraud protection in general, is more than a security investment. It’s an essential part of any strategic initiative about how to position their business in the market.
It is imperative that financial institutions select the product that best aligns with their strategic goals, but not all safe browsing solutions are created equal. There can be problems and issues with dated safe browsing technologies, but in many instances, financial institutions don’t discover them until the contract is signed, payment is made, and the technology is deployed.
Such pain points with substandard safe browsing security solutions can include:
- End-User Friction – Any safe browsing solution that causes friction with a financial institution’s end users will lead to a poor customer banking experience, and the result will be low solution adoption rates.
- Security System Interference – In some cases, solutions are not capable of integrating into a bank’s existing security systems, and the introduction of a new solution can cause those programs and applications to malfunction.
- Poor Customer Service and Support – If customer attrition and interference with secondary security systems become problems, they will likely become a source of frustration. Unfortunately, some fraud security vendors are light on customer support and service, and in these cases they are not likely to respond to the customer’s concerns in a way that is satisfactory for the bank.
In addition to the above, one of the downsides of selecting the wrong solution is the potential damage to your business and brand reputation. If the wrong product, no matter how effective it might be at fraud detection, is hard to use or causes attrition, it can lead to setbacks in an institution’s strategy instead of moving initiatives forward.
It is essential that financial institutions don’t fall into this trap. Selecting a safe browsing solution that is flexible and can be made compatible with many of the legacy security systems still in use today is a prerequisite for success. Cyxtera’s approach to safe browsing is designed to be seamless and non-intrusive to the end user as it runs in the background, and will not interfere with their other anti-fraud tools.
Banks should think carefully about the safe-browsing product they have in place; if it is just a solution to a problem and not a cornerstone of their overall business strategy, then perhaps the product isn’t fully doing its job. A well-designed and implemented safe-browsing solution should be a strategic pillar. This view is based on a fundamental difference in our philosophy, and it’s one that’s increasingly resonating with the hundreds of financial institutions Cyxtera serves.