Lessons I Would Suggest Financial Services Industry Members Take to Heart and Practice:
- Please, please, please make sure your staff is properly trained to recognize and report security issues from customers. “I don’t know…” is completely unacceptable. You hopefully provide your employees with security awareness and training for the sake of your customers.
- Understand that your customers have no attention span. If a web page doesn’t load instantly, they move on. And so it is with security reporting: you must make it easy or they won’t bother at all. How many people, or what percentage of them, do you think would be as unrelenting as I was in my attempt to report a potential incident?
- I wholeheartedly and respectfully suggest that banks can afford to provide live human interaction 24/7. They should also budget for providing a live human a ‘step up’ from customer service – people who know how to take a real security report, ask the right questions, estimate the potential risk to the organization or customer, and know how to effectively escalate the issue. In fact, all financial institutions should openly encourage such reporting by their customers!
- Whatever new methods you choose to improve security reporting and escalation – exercise them on a regular basis. Otherwise, how do you know they’re really working?
- Industry leaders, FS-ISAC and others with a vested interest: Let me encourage you to explore an industry-wide standard or Best Practices procedures for customers to report security incidents. In the age of APTs and widespread incidents, customers can often presage bigger events. Make your external customers as much a part of your Human Firewall and overall security program as you do your internal customers.
- Let me further encourage that a highly trained and centralized security reporting service (of the utmost discretion) could be of immense shared value to financial concerns… but perhaps, more importantly, to their customers. Does it make sense for the average consumer to have to learn to navigate the labyrinthine process that each individual company institutes?
Perhaps we need to add a Red Button to every customer service desk. If and when a customer says a few magic words, like ‘data breach’, ‘security incident’ or ‘hackers broke into your bank…,’ the customer service rep should push the Red Button to initiate instant escalation to a trained and qualified team of humans. When the fraud department doesn’t even know what to do, the only available word is ‘broken’. To make it absolutely clear, I am not bemoaning any aspect of Chase’s security. My wife and I are not flipped out about the data breach or this event. The IT will occasionally hit the fan. IT happens! It’s how you deal with it that matters.
Epilogue: Once the Chase security department got into gear, they did go all out. Kudos to their professionalism. They examined who ‘touched’ my physical and electronic identity. Then I received another credit card someone had set up; back to my small bank to resolve that. Chase coordinated with their partners to see if there was a potential third-party leak. The investigators did their job admirably well and kept me in the loop. Thanks, Chase! We all now believe it was probably just an isolated incident, not a mass breach. Good for Chase. I have seen no other hints at ID Theft. Good for Winn. Chase set up a monitoring service for my family. Good for Chase.
My sole point: it should be far easier to get the attention of any bank’s security and investigations department than it was for me. Data breaches and Identity Theft are a worldwide epidemic that affects us all to the tune of billions of dollars every year.
Shouldn’t we, as security professionals, respond as such?
Looking forward to your thoughts!