Security - PaymentsJournal
https://www.paymentsjournal.com/category/security/

Congress, CFPB Take Aim at Data Brokers
https://www.paymentsjournal.com/congress-cfpb-take-aim-at-data-brokers/
Tue, 16 Apr 2024 17:12:50 +0000


The protection of U.S. citizens’ personal data has taken center stage over the past few months. For the Consumer Financial Protection Bureau (CFPB), the new initiatives aren’t just about personal privacy. The CFPB considers data brokers, which harvest and share consumer data, to be a threat to national security.

Congress is just as concerned. The American Privacy Rights Act (APRA) is a newly unveiled bipartisan venture designed to regulate the buying and selling of personal data collected from consumers, both with and without their consent. The goal is to establish a national data security standard that gives consumers control of their information.

Earlier this month, Rohit Chopra, Director of the CFPB, asserted that data brokers fall under the scope of the Fair Credit Reporting Act (FCRA)—and that legislation prohibits the sharing of vital data, such as credit reports, with anyone unless they have a specific, clearly defined legal reason to have it.

Data Under Fire

Chopra went on to cite the growing prevalence of data breaches. Among the major breaches he mentioned was the 2018 Marriott incident, where foreign bad actors hacked the hotel giant’s database. Hackers got access to 327 million records that included personal data ranging from birth dates to phone numbers.

Data brokers don’t need breaches to obtain consumer data; it’s typically readily available for purchase. Once it’s in their hands, the data can then be sold to anyone, including foreign intelligence agencies.

According to Chopra, data brokers are compiling lists that can single out individuals based on multiple criteria. For example, brokers could cross-reference a list of U.S. intelligence personnel with terms like “substance abuse,” “heavy drinker,” or even “behind on bills.” Those lists could then be used to target those individuals for blackmail schemes or other attacks.

Do Not Collect

One of APRA’s primary goals will be to ensure that data brokers clearly identify themselves and expressly inform consumers of their motives. Brokers should tell people exactly what data they’re gathering and where they’re transferring it.

APRA is also tasking the Federal Trade Commission with creating a database to track brokers that handle data for more than 5,000 individuals. Consumers would then be able to send “Do Not Collect” requests to all the registered data brokers to safeguard their information.

Too Little, Too Late

For some critics, the recent push by legislators, including APRA, is too little and too late. The global data broker industry is expected to top $460 billion by 2031. It’s a highly profitable industry that is still largely unregulated, and poses an urgent, significant threat to consumers.

“When Americans’ health information, financial information, and even their travel whereabouts can be assembled into detailed dossiers, it’s no surprise that this raises risks when it comes to safety and security,” Chopra said.

Hospitals, Pharmacies Still Scrambling to Get Paid After Cyberattack
https://www.paymentsjournal.com/hospitals-pharmacies-still-scrambling-to-get-paid-after-cyberattack/
Fri, 01 Mar 2024 19:26:19 +0000


The cyberattack on payments processor Change Healthcare has left crucial reimbursement systems down for nine days since its discovery, and it could take weeks before full service is restored. Rick Pollack, CEO of the American Hospital Association (AHA), called it “the most serious incident of its kind leveled against a U.S. health care organization.”

United HealthCare, Change Healthcare’s parent company, reported on February 21 that a hacker had breached its IT network. Change Healthcare promptly shut down the affected systems. Since then, providers have been struggling to receive reimbursements from insurance companies.

According to the AHA, hospitals are having issues with processing claims, billing patients, and checking insurance coverage for care. They may soon face challenges in paying their workers and making routine purchases. Change Healthcare officials said the outage could last for weeks, according to a recording obtained by the healthcare news site STAT.

Change Healthcare processes 15 billion healthcare transactions, including eligibility verifications and pharmacy operations, along with claims transmittals and payments. A spokesperson for Change Healthcare said that more than 90% of the 70,000 U.S. pharmacies using its payment processor have resorted to alternative methods for handling payments.

Assistance for Affected Users

Pollack said the AHA has issued a series of Cybersecurity Advisories to provide users with guidance about the cyberattack. A webpage devoted to the incident offers updated information for hospitals, pharmacies, and other users of the Change Healthcare system. 

The AHA has also asked the Department of Health and Human Services to “minimize the fallout from the cyberattack” by helping with Medicare processes. Pollack said they have requested “guidance to providers about how they may request Medicare advanced and accelerated payments; provide flexibility with respect to e-prescribing regulations; and provide an extension to the timely filing requirements under federally regulated health plans.”

Change Healthcare has said that ransomware group Blackcat claimed credit for the attack. Also known as Noberus and ALPHV, Blackcat steals sensitive data from institutions and threatens to publish it unless a ransom is paid.

Despite the severity of this attack, ransomware payments have actually been declining in recent years. The percentage of ransomware victims who paid ransom demands dropped to 29% in Q4 2023, according to data by Coveware. The report also found that the average ransom payment in Q4 2023 decreased by 33% to $568,705 compared to the previous quarter.

Phishing Attacks Continue to Beat Security Measures
https://www.paymentsjournal.com/phishing-attacks-continue-to-beat-security-measures/
Wed, 21 Feb 2024 19:25:54 +0000


Secure Email Gateways (SEGs) are struggling to keep up with sophisticated email phishing campaigns. According to Cofense’s 2024 Annual State of Email Security report, there’s been a 104.5% increase in the number of malicious emails bypassing SEGs in the past year.

In just two years, Cofense’s software has uncovered almost 800,000 unique malicious email campaigns. The raw numbers of detected emails indicate a 37% increase in 2023 compared to 2022 and a staggering 310% increase over 2021. This marks a fourfold rise in email attacks in just two years.

The Rise in Credential Phishing

More than 90% of data breaches detected in 2023 centered around credential phishing, a 67% increase from the prior year. This form of attack usually involves convincing individuals to disclose their login information or other sensitive data, which can then be used to gain access to secure systems and networks.

Cofense says that credential phishing can lead not just to ransomware attacks and data breaches, but to business email compromise (BEC) schemes that defraud companies out of millions of dollars. According to the FBI, BEC attacks accounted for a total of $2.7 billion in losses in 2022.

Healthcare and finance sectors remain the top targeted industries for phishing attacks. They saw increases in malicious emails bypassing SEGs at 84.5% and 118%, respectively, over the past year.

Growing on Many Fronts

This isn’t the only recent data demonstrating weakness in the ability to thwart phishing attacks. The 2024 Email Security Risk Report, published by Egress, revealed that 79% of account takeover (ATO) attacks started with a phishing attempt. More than half (58%) of organizations surveyed said they suffered their own ATO attacks. The three most common activities cybercriminals performed after taking over an account were making fraudulent credit card transactions, moving funds out of person-to-person services like PayPal, Venmo or Zelle, and changing account contact information so they can confirm transactions when an institution reaches out.

Last month, research from Trustpair revealed that 83% of companies were targeted by cyberattacks in the past 12 months, resulting in losses exceeding $1 million for 36% of those successfully targeted. Despite 67% of companies having full knowledge of this trend, a significant number still lack robust defenses to thwart such cyber threats.

Citibank Sued for Insufficient Fraud Protection
https://www.paymentsjournal.com/citibank-sued-for-insufficient-fraud-protection/
Wed, 31 Jan 2024 20:12:58 +0000


Citibank is contending with a lawsuit filed by the city of New York that claims it failed to protect accounts from fraudulent takeovers. Whether the suit has merit or not, the New York-based bank will now have to defend itself against a common risk item in banking.

New York Attorney General Letitia James filed the suit in the Southern District of New York. “The lawsuit alleges that Citi does not implement strong online protections to stop unauthorized account takeovers, misleads account holders about their rights after their accounts are hacked and funds are stolen, and illegally denies reimbursement to victims of fraud,” James’ office said in a press release. “Defendant Citi has not deployed sufficiently robust data security measures to protect consumer financial accounts, respond appropriately to red flags, or limit theft by scam.”

According to the suit, criminals accessed victims’ accounts via social engineering and phishing tactics, eventually making large unauthorized wire transfers. Citi’s back-end fraud detection and customer authentication processes allegedly failed to catch red flags such as scammers using unrecognized devices, accessing accounts from new locations, and changing account usernames and passwords. The bank also failed to prevent the transfer of funds from multiple accounts to a single account.

“If gaps in the transaction verification and user authentication methods are in fact deemed by the court to be insufficient, Citi will definitely be on the hook for the losses,” said Javelin Strategy & Research’s Director of Fraud and Security Tracy Kitten. “Security must be ‘reasonable,’ both in what the financial institution expects the consumer to know and do and in the efficacy of the security measures it has in place to detect a possible account takeover or fraudulent transmission of funds.”

In response to the lawsuit, Citibank provided the following statement to PaymentsJournal: “Citi closely follows all laws and regulations related to wire transfers and works extremely hard to prevent threats from affecting our clients and to assist them in recovering losses when possible. Banks are not required to make clients whole when those clients follow criminals’ instructions and banks can see no indication the clients are being deceived. However, given the industry-wide surge in wire fraud during the last several years, we’ve taken proactive steps to safeguard our clients’ accounts with leading security protocols, intuitive fraud prevention tools, clear insights about the latest scams, and driving client awareness and education. Our actions have reduced client wire fraud losses significantly, and we remain committed to investing in fraud prevention measures to help our clients secure their accounts against emerging threats.”


Lack of Follow-Up to Fraud Claims

Once a breach occurred, Citi was accused of dragging its feet to halt or even investigate the activity. Consumers who contacted the bank to report fraud experienced lengthy delays on the phone—in some cases long enough to allow the criminals to extract more money. James’ office provided the details from one victim:

“She was reviewing her online account and found a message that her account had been suspended and was instructed to call a phone number. She called the number provided and a scammer told her that he would send her Citi codes to verify recent suspicious activity. The scammer then transferred all of the money in the customer’s three savings accounts into her checking account, changed her online passwords, and attempted a $35,000 wire transfer. Citi attempted to verify the wire transfer by calling the customer, but she was working and did not see the call at the time. Less than an hour later, the scammer attempted another $35,000 wire transfer, which Citi approved without ever having made direct contact with the customer. She lost nearly everything she had saved, and Citi refused to reimburse her.”

“The consumer tried to do her due diligence by contacting the bank, and unfortunately appears to have dealt with contact center staff who were not trained or well-versed in fraud response,” said Kitten. “It’s a challenge for FIs, because they don’t want to upset consumers by declining legitimate transactions. But in this case, more friction would have benefitted Citi and the accountholder.”

European Manufacturers Push Back Against New Cyber Rules
https://www.paymentsjournal.com/european-manufacturers-push-back-against-new-cyber-rules/
Fri, 10 Nov 2023 16:32:39 +0000


The introduction of the Cyber Resilience Act by the European Commission is getting pushback from some of the leading electronic manufacturers in Europe. Six electronics companies, including Siemens, Ericsson and Schneider Electric, have teamed up with industry group DigitalEurope to warn that the rules governing smart devices could disrupt supply chains on a scale similar to what we saw during the COVID-19 pandemic.

Proposed by the European Commission last year, the Cyber Resilience Act requires manufacturers to assess the cybersecurity risks of “products with digital elements” and take measures to fix those problems for a period of five years or through the expected lifetime of the products. To achieve this, it will establish a framework for developing hardware and software with fewer vulnerabilities.

The CRA is empowered to oversee a broad range of products, such as routers, smart meters, internet of things devices, processors, and physical network interfaces, as well as software like operating systems, password managers and web browsers. The letter argues that, given this broad mandate, the EU currently lacks the capacity to certify these products in a timely fashion without creating significant bottlenecks in the system.

The broad mandate also means that many of the products under discussion are pivotal to the European economy’s growth. Even products that are fully secure could be prevented from reaching EU markets due to congestion in the certification process.

Alternative Solutions

The alternatives proposed by the letter would allow manufacturers to self-assess their products and narrow down the number of products subject to the legislation. They also asked for a two-year implementation period before the rules would take effect.

It’s easy to see why the CRA is pushing for greater scrutiny. A series of high-profile incidents of hackers damaging business processes and demanding huge ransoms has raised concern throughout the EU. The proposed legislation could restore confidence in all internet-related products, while greatly reducing the risk of a catastrophic cyber meltdown.

Allowing manufacturers to implement their own protocols is basically the status quo, and it’s understandable that neither the EU nor European consumers would consider that a practical solution. The request for pausing the implementation—presumably until the necessary infrastructure was created—would go a long way toward addressing both the manufacturers’ concerns and the CRA’s desire for reliable safeguards.

Payment Security in the Digital Age: Strategies to Safeguard Customer Transactions
https://www.paymentsjournal.com/payment-security-in-the-digital-age-strategies-to-safeguard-customer-transactions/
Wed, 08 Nov 2023 14:00:00 +0000


It’s an unfortunate fact: financial services institutions make a compelling target for cybercriminals.

Research from 2022 shows that the finance and insurance sector was the second most impacted by cybercrime, with 566 reported breaches and 254 million leaked records. Overall, successful cybercrime attacks have cost the sector around $5.9 million—and that was last year.

Cybercriminals are only getting more sophisticated, and unprepared institutions will likely suffer more severe attacks as time passes. As a result, banking service providers face a challenge: keeping customer data safe from this ever-evolving threat.

The Cyberthief’s Playbook: Scams, Ransomware, and Phishing

Before diving into best practices, business leaders must have a fundamental understanding of how cyber breaches occur. In most cases, cybercriminals must first be allowed access to your company systems; and while a few are extremely creative in how they go about obtaining that access, garden-variety cybercriminals will use one of many recognizable methods to gain it.

As such, learning how to identify the signs of a potential scam is of paramount importance. Cybercriminals use these strategies because they work exceedingly well on the unaware, and exposing their “playbook” deprives them of their power. A few of the most common include:

  • Phishing: Sending fraudulent messages to employees to secure sensitive data. Often, phishers will pose as a company contact, an external business looking to connect, or even a purveyor of personal, sensitive services, such as a healthcare provider. These messages are often crafted to instill a sense of urgency and ask your employee to click on a link and input sensitive information. By the time most realize something’s wrong, it’s almost always too late.
  • Ransomware: Ransomware often masquerades as legitimate company software and is usually paired with a phishing attempt. When the employee downloads any type of malware program without checking with their superiors first, the cybercriminal essentially gains control over company systems immediately. Ransomware has been a particularly effective strategy in the financial services sector, with over 64% of institutions having been attacked this way.
  • Formjacking: An attack where a link to a legitimate website is redirected to a scammer’s form. The employee believes they’re filling out information for a legitimate service, only to have their identity (and perhaps customer information) stolen.

These strategies are effective because cybercriminals can use them with a variety of approaches. They can pose as tech support, credit repair agencies, disaster relief organizations, or even family members. In the age of omnichannel digital service, anything is possible; and so training your employees to be vigilant fraud-detectors is key.

Data Security Best Practices: A Brief Rundown

Now that we’ve defined the threat, how should financial services institutions proceed to become foolproof against data breaches?

The first step is to educate yourself (and your employees) on personal financial data rights and regulations. Data storage and usage regulations may vary from state to state and are constantly evolving, but they typically offer a solid baseline for your cybersecurity initiative.

The second step is mandatory training. Employees are your first line of defense against cyber breaches, and a lack of vigilance on their part can allow cybercriminals access to company systems. As a rule of thumb, your employees should be trained to recognize and avoid anything that resembles a cyberattack, as no response is the best response. Teaching them to follow data storage best practices will keep employees from accidentally compromising sensitive customer information as well.

You can also employ additional layers of defense, such as company-provided antivirus software, limiting software access to company devices only, or enlisting managed IT services. Employees are human and therefore imperfect, and these measures can help prevent breaches or even respond to them if they should occur.

Finally, have a well-defined process in place in case a breach does occur. When a cybercriminal does break through your employees’ defenses, following a breach response process can help mitigate the amount of damage they’re able to do. Breach response processes typically involve taking back access from cyber criminals, analyzing vulnerabilities to prevent repeat offenses, and communicating with the public and law enforcement.

Following these steps will help you insulate your organization as much as possible from cyber threats and empower you to recover quickly if a breach does occur.

Conclusion: Keep it Secret, Keep it Safe

In a McKinsey survey, 87% of customers report that they will not do business with an organization that won’t take steps to keep their data safe. For banks, cyberattacks do more than attack their bottom line; they attack their very ethos. If customers can’t trust your organization to keep their records secure, they’ll go elsewhere.

There’s always some risk inherent to doing business in the digital world and cyberattacks are now so prevalent that most organizations can expect to be targeted at one point or another. But take measures to keep customers’ information safe, and you can position yourself as an organization that consumers can truly, wholly trust.

Security-as-a-Service Secures Distributed IT Models
https://www.paymentsjournal.com/security-as-a-service-secures-distributed-it-models/
Tue, 23 May 2023 13:00:00 +0000


At the onset of the pandemic, when companies rapidly moved their IT systems to the cloud, many took shortcuts that made these efforts less secure. In response, IT providers have designed new security systems to complement the distributed IT model.

Secure Access Service Edge (SASE) is a new IT framework that enables cloud-hosted networking and security-as-a-service for any IT connectivity. A recent Lumen white paper discusses the details of SASE and explores how the IT framework makes it easier to access resources, improve security, and increase network speed.

Distributed Systems Are Easier to Hack

The recent shift to a more distributed IT model has been driven by many factors, including the increasing availability and affordability of cloud computing services, the rise of remote work, the potential cost savings, and the scalability of distributed systems.

But the distributed IT model comes with a cost: heightened security concerns.

Since the start of the pandemic, ransomware attacks have increased by nearly 500%.

“The average payment to unlock corporate resources climbed an astounding 78% to $541,010,” the white paper states. “With a prosecution rate of just 0.05%, cybercriminals have little incentive to rein in their activity as the risk-reward is overwhelmingly in their favor.”

A large part of this is due to the rapid movement toward distributed IT models. When the pandemic hit, many banks had to quickly figure out how to let their employees work from home. In many cases, they made this happen without any major problems. However, some companies took shortcuts and used simple solutions such as VPNs, or let their employees use their own devices. This left the network even less secure and made it easier for hackers to attack bank branches.

Securing bank branches is an urgent challenge. The average enterprise has more than 400 applications deployed, all of which need to be monitored. According to Lumen, organizations leverage an average of 45 cybersecurity-related tools on their networks today. More than half of IT experts say they’re not quite sure how well these tools work.

Bank branches deploy new technologies all the time yet often don’t have the IT necessary to manage the security on all of them. As a result, many institutions are turning to third parties to manage their general IT and security needs via the SASE paradigm.

Secure Access Service Edge (SASE)—A Better Framework

SASE is a new way of setting up computer networks that makes them secure and easier to manage, especially when more people are working remotely and using different devices. SASE combines various tools and services into one cloud-based system. This makes it easier for bank IT teams to keep everything secure while also making it easier for workers to connect to the network and use the needed resources.

SASE combines several security and network functions into one, with three main features:

  1. It’s built for the cloud, which makes it faster and more flexible. SASE uses a software-defined perimeter that supports all types of devices and optimizes the quality of service so every application gets the right amount of bandwidth.
  2. It enforces security policies based on the identity of the user, the device used, and the sensitivity of the resource accessed. Even if users are connecting from different locations or devices, they get the same level of security.
  3. It has centralized management, which makes it easier for IT teams to set policies and monitor network traffic. It also reduces complexity and cost because IT teams have to deal with fewer vendors and less hardware. Additionally, SASE provides advanced capabilities, including behavior analytics and continuous risk assessments to spot threats that would otherwise be missed.

The Lumen Platform is one example of a system that is designed to work with SASE. It provides a high-performance network that can be adapted to fit the needs of different businesses, making it easier to improve security and manage the network.

Lumen has a large, well-connected network that serves customers in more than 60 countries, with a focus on providing fast and reliable hybrid cloud connectivity and edge computing. What’s more, the Lumen Platform—a cloud-based network and security experience—is designed to simplify network management and enable secure any-to-any connectivity. The platform features integrated, cloud-native architecture, expansive threat intelligence, and flexible management options. By leveraging SASE attributes, the Lumen Platform helps financial institutions achieve their desired business outcomes by providing a high-performance, deeply managed service experience.

Key Takeaways

IT organizations today are engrossed in keeping their applications and data safe from cyber threats. With new threats appearing all the time and a more complex IT environment, it’s increasingly difficult to manage security effectively. Many companies have hundreds of applications running on different platforms, unmanaged devices, and other vulnerabilities that can be exploited by attackers. To make matters worse, most companies use many different security tools but are not sure how well they actually work. This is especially challenging for financial institutions, which have a distributed business model and need to secure new technologies deployed in branches without adding an unreasonable burden on their IT staff.

To combat this, banks can turn to third-party cloud services and security providers that use the SASE architecture. This will help them keep abreast of the more challenging security environment that comes with decentralized IT and provide security for new applications as they are deployed.



The post Security-as-a-Service Secures Distributed IT Models appeared first on PaymentsJournal.

UK Small Businesses Are Prioritizing Cyber Security Less https://www.paymentsjournal.com/uk-small-businesses-are-prioritizing-cyber-security-less/ Fri, 21 Apr 2023 15:57:36 +0000


According to the UK government’s annual “Cyber Security Breaches Survey 2023,” smaller businesses are less proactive in identifying cyber threats compared to a year prior. Considering the current economic climate in the UK, senior managers at the helm of smaller organizations are perceiving cyber security as less of a priority. As a result, there’s less logging and monitoring of breaches or attacks.

Cyber Security: Key Findings

The percentage of micro businesses saying that cyber security is a high priority has decreased from 80% in 2022 to 68% in 2023. What the data reflects is that cyber security has fallen sharply as a priority due to external factors, such as economic uncertainty and inflation.

According to the government’s guidance, most cyber threats are simple in nature and only require small businesses to implement “cyber hygiene measures.” This can include restricted admin rights and network firewalls, cloud back-ups, passwords, and updated malware protection. Both small businesses and charities currently employ a wide range of these anti-fraud tools.

However, in the last three rounds of this survey, it was discovered that certain areas of cyber hygiene measures have experienced a drop in use. The use of network firewalls is expected to fall from 78% in 2021 to 66% in 2023. The restriction of admin rights is also expected to decline from 75% in 2021 to 67% this year. And the use of password policies will likely decrease from 79% in 2021 to 70% in 2023.

These findings are troubling, as poor cyber hygiene can lead to significant consequences: data compromise, security incidents, and data loss.

More Vulnerability to Hackers than Ever

According to the study, 66% of small businesses were lacking board members or trustees to oversee cybersecurity in their organizations. The evolving business environment, as well as the move towards remote work, further complicates the ability to identify a cyber security attack.

John Davis, Director UK & Ireland at SANS Institute EMEA, the largest provider of cyber security education in the world, said that “businesses are battling enormous pressures in today’s climate, amid inflation and supply chain issues.”

“Hackers are looking to exploit this. Their attacks are more prevalent, more sophisticated and harder to detect,” he added.

Most small businesses lack an IT team, so Davis suggests moving operations to the cloud, as it contains robust security.

The post UK Small Businesses Are Prioritizing Cyber Security Less appeared first on PaymentsJournal.

Mastercard Amps Up Cybersecurity with its Latest Acquisition https://www.paymentsjournal.com/mastercard-amps-up-cybersecurity-with-its-latest-acquisition/ Fri, 24 Mar 2023 14:30:13 +0000


In an effort to fortify its cybersecurity, Mastercard has acquired Baffin Bay Networks, a Swedish cloud-based cybersecurity company. As reported by Yahoo Finance, the security firm brings a cloud-based Threat Protection Platform that defends against cyber threats in multiple layers. It also offers a Web Application Platform that detects vulnerabilities and initiates protection automatically.

A Robust Alliance for Mastercard

Mastercard has strategically chosen not only to stop attacks, but also to reduce risk exposure throughout the ecosystem. It will combine its current solutions into one cyber service and make it available to its customers worldwide.

Via Baffin’s Threat Protection service, customers will benefit from robust protection against attackers.

“We see trust as central to securing the future of our digital world,” said Ajay Bhalla, president of Cyber and Intelligence at Mastercard, in a press release. “The addition of Baffin Bay Networks’ instantaneous, predictive and cloud-based AI technology to our existing analytical capabilities will deliver a leading, singular cyber solution. This will enable us to provide our customers across the world with faster, smarter and more effective protection from cyber risk.”

Joakim Sundberg, founder and chief technology officer at Baffin Bay Networks, added, “Our cloud-based Threat Protection service provides a simple and effective way to safeguard against application and network-level attacks. Our two companies share this vision: to provide our customers with security and trust. We are thrilled to join the Mastercard family to expand our impact across the globe.” 

Cyberattacks: An Ongoing Nemesis 

Organizations and businesses around the world are not immune to cyberattacks. Increased technological innovation has brought about solutions to improve processes. At the same time, these advancements have also brought more sophisticated modes of attack by fraudsters. And the amount of damage is staggering. A report by Statista found that the cost of global cybercrime is expected to escalate from $8.44 trillion in 2022 to $23.84 trillion by 2027.

Many businesses are fully aware of these threats, yet few have the right solutions in place to prevent, detect, or mitigate fraud. Whether because of legacy systems, insufficient capital to invest in the latest fraud solutions, or acceptance of fraud as a cost of doing business, not enough is being done to address this troubling issue.

Without properly addressing fraud, businesses run the added risk of not only losing money but also losing their reputation and putting customers’ sensitive information at risk.

The Bottom Line 

Every industry sector has its own share of battles when it comes to cybersecurity. The underlying factor for consumers to continue to do business with an organization is trust. Tracy Kitten, Director of Fraud and Security at Javelin Strategy & Research, delves deeper into the issue of trust for consumers in this report, particularly when it comes to cybersecurity within the banking industry.

The post Mastercard Amps Up Cybersecurity with its Latest Acquisition appeared first on PaymentsJournal.

FIs That Prioritize Cyber-Trust Have Much to Gain https://www.paymentsjournal.com/fis-that-prioritize-cyber-trust-have-much-to-gain/ Thu, 09 Feb 2023 14:00:00 +0000


With cybercrimes reaching unprecedented levels and impacting businesses in every industry, consumers are naturally wary of providing personal information online. Financial institutions continually rank among the most trusted organizations with which consumers do business, but FIs can quickly lose their coveted ground if their customers or members lose cyber-trust due to lack of privacy protections and transparency.

Javelin Strategy & Research’s “Cyber-Trust in Banking Scorecard,” which ranked 21 U.S. FIs on consumer privacy, cybersecurity empowerment, and cybersecurity education, finds that FIs that focus on privacy, empowerment and education for customers and members are the best situated to cultivate trustworthiness and long-term relationships.

Cyber-Trust Defined

What is cyber-trust and why is it important that financial institutions nurture this among their members and customers?

“The relationship between a consumer and the organization that they are doing repeated business with is contingent on trust,” said Suzanne Sando, senior analyst of Fraud & Security at Javelin. “You’re not going to go back and continue to do business with a company that you don’t feel takes you seriously or takes your privacy and your general livelihood seriously. Looking through the lens of financial institutions, they are arguably one of the most trusted organizations, which I think is why building and maintaining what we call cyber-trust is so important for FIs.”

“The impetus for this Cyber-Trust in Banking Scorecard was for us to get a feel for how much our financial institutions in the U.S. are focusing on empowering consumers from a cybersecurity perspective,” said Tracy Kitten, director of Fraud & Security at Javelin. “What’s interesting and ironic about it is that right after our report published, we saw so many institutions putting into motion some of the recommendations that we listed in the report.”

This comes as Congress continues to come down on FIs have responded positively, as they have made changes in the right direction.

How Consumers Define Cyber-Trust

The scorecard revealed how consumers’ trust in their FIs determines consumers’ willingness to surrender personal data. However, the FI must still handle consumers’ personal data responsibly.

“Consumers who trust their primary financial institution are more comfortable than those who don’t trust their FI with cybersecurity-relevant data being collected by their FI,” said Sando. “So, for a further example, of consumers who trust their FI, 62% are comfortable with their financial institution collecting PII (personally identifiable information) versus just 30% of consumers who don’t trust their FI. When that relevant data is being collected, if a consumer trusts their FI and they know what’s happening with that data, they’re OK with it.”

“The important takeaway here is that FIs can interpret this as a level of cyber-trust, but that doesn’t mean that they can just go crazy with collecting customer data,” Sando added. “Only things that are absolutely necessary for business should be collected. You don’t want to abuse that trust because consumers are going to react if they feel like their FI is overstepping their bounds. And that trust is destroyed in an instant when privacy expectations aren’t met. The main point here is that transparency matters.”

Cybersecurity has taken on many forms, including biometrics authentication, and consumers are willing to share physical and behavioral biometrics data to ensure stronger cybersecurity. They are not as closed-minded or fearful as FIs tend to think.

“If a consumer knows that tracking their behaviors and using biometric authentication is going to enhance security, they’re more than willing to share that information and have that information be used about themselves or about their physical being,” said Kitten. “And that’s just something that financial institutions historically have not been super transparent about.”

In fact, consumers are much more cyber-aware these days and are not scared off if FIs use the word “cybersecurity,” Kitten added.

“They want to be educated, they want to be talked to,” said Kitten. “We shouldn’t treat them like children who don’t understand anything about cybersecurity. I think it is one of the bigger takeaways.”

Knowledge about cybersecurity empowers consumers to make more informed decisions about protecting their security, forming a powerful alliance with their FIs against fraud.

“The more a consumer knows, the more they’re going to trust their FI because they have a better understanding of what is out there that’s threatening their privacy, it’s threatening their accounts, their own security,” said Sando. “And that’s why I think when we did the scorecard, that’s the strong foundation of having that protection for your accounts, for your identity, for the fact that you need to have the knowledge to better detect and report scams.”

The bottom line is that the education of consumers eradicates any fear involved in taking the necessary cybersecurity measures.

How FIs Can Bridge the Gap between Service and Cyber-Trust

FIs have an enormous wealth of resources and educational materials at their disposal that are not being leveraged to their fullest potential; consequently, consumers remain in the dark about cybersecurity protection. This can potentially place the cybersecurity of both the FI and the consumer in jeopardy.

“It’s in a financial institution’s best interest to provide comprehensive educational materials from cybersecurity to fraud, scams,” Sando said. “When educational material is actually used by consumers, the vast majority say it’s useful, which is great. But the problem is, many FIs don’t have it organized in a way that is convenient for the consumer. If you look at FIs that use external search functions within their online website search, you’re pulling in a lot of results that maybe aren’t necessary. Relevancy and usefulness are incredibly important for a consumer to find real use from these educational materials.”

Presentation of materials in all formats is important in order to engage with all consumers. Audio and video content will be highly useful, as it is easily consumable. It takes more time and effort to sit down and read educational materials.

Kitten added that educational materials should be “easy to find.”

“If you have all of the educational materials buried deep into the website where no one can find them, they’re not doing anyone any good,” she said. “And we don’t want to have to download a lot of white papers and read them. When I’m working, I find it very easy just to put on a podcast in the background. I like to do the same thing with webinars. I can still check my email, but I’m also able to multitask and it’s just a more engaging way to interact and educate.”

Another highly engaging way to interact with consumers is by using gamification techniques.

“One of the other things that we looked at in the scorecard were interactive fraud and cyber assessments,” said Sando. “And only 14% of FIs were actually making use of gamification through an interactive assessment. They’re arguably one of the best ways to engage consumers because we are naturally curious about our own aptitude. Gamifying this education gives consumers a chance to benchmark their own fraud and security proficiencies. They can get a better sense of ‘where am I at? what do I need to do better?’ It’s not that cybersecurity is scary. It doesn’t have to be.”

Gamification uses both competition and rewards to enhance both learning and engagement.

Kitten added, “And also, it’s a little bit more fun, right? When you make it a game, if you make it a self-assessment, you’re posing questions that consumers might not even think about. They may not think about social media use or how often they’re changing their passwords. If they’re reusing passwords, do they use a password manager? All these things are questions that the FI could be posing in a self-assessment that would help.”

This will ensure that both the FI and the consumer can benefit from having extra layers of security.

FIs should also remember to speak to their consumers in a language that consumers comprehend. Industry jargon should not be used to communicate critical information to customers.

“When an FI has a privacy policy that’s comprehensive, it’s easy to understand, easy to read, in language that we can all take in and understand what’s going on, that is fostering a sense of trust because the consumer understands what is happening with their data, their privacy, and anything that goes along with it,” Sando said. “I think that transparency when it comes to data collection and marketing is also really important to establishing trust. When you disclose the data collection or your tracking practices, it leads to that sense of cyber-trust and -security among consumers because they feel like they have more of a sense of control over what’s going on with their data and that sense of autonomy right there, which leads to independence and a greater sense of satisfaction, which of course leads to cyber-trust.”

“Legalese has to go away,” Kitten added. “These privacy policies have to be written in ways that the layperson will understand,” she said. “That’s one of the big things that some institutions are doing a better job than others, but all of them have room for improvement.”

So, what are the implications or consequences for FIs that fail to maintain cyber-trust among their customers?

“I think one last point here in terms of consumer privacy is just the implications of a breach of trust,” said Sando. “If a business is considered untrustworthy and betrays the trust of a consumer, the impact is not that substantial because the consumer probably didn’t have a lot of faith with them to begin with. They weren’t doing a ton of business with this, with this company anyway. But if an FI violates that cyber-trust, that impact of a breach of trust is so much more significant because the consumer had a greater level of trust to begin with. If you want to reduce the risk of attrition, reduce the risk of even just a consumer, maybe taking some of their services away from their FI and finding other sources for this business, you really have to focus on consumer privacy and fostering that sense of trust just within their own data and their own security.”

Cultivating Cyber-Trust

The key takeaway from this report is that FIs must do all they can to reveal to their customers their intentions for collecting their personal information. They must also continue to make cybersecurity education a priority by making it both relevant and accessible to all.

“Be transparent,” Sando said. “Transparency about everything from your privacy policy rights, to the data collection, to how you know you’re using targeted marketing, educational materials, security features that are accessible and easily found for all consumers. Everything has to be made aware to a consumer if you want to foster cyber-trust.”

“Institutions really need to lean into this role of being an educator,” said Kitten. “They’re trusted. They’re deemed to be much more secure than many other industries and businesses. So take advantage of that. Consumers are going to look to institutions for education, for support — take advantage of it and use it to just continually build on the trust that’s already there.”

“Prioritizing education, expanding your topic coverage, making use of all content formats. You want to maximize consumer engagement because anything that gives a consumer a better sense of independence and a better sense of control over their financial wellness as a whole is just going to lead to a greater long-lasting partnership.”

The post FIs That Prioritize Cyber-Trust Have Much to Gain appeared first on PaymentsJournal.
