Consumers have become savvier about cyber-risk and are demanding that the companies they deal with diligently protect their online identities. But the same consumers are also increasingly edgy. They prefer digital channels that offer simple, fast and seamless authentication processes. They are frustrated by the sheer difficulty of managing dozens of insanely complex passwords, some of which have to be changed every 30 or 90 days. They hate being locked out of their accounts after only three failed login attempts, and having to go through ridiculous steps to unlock the same account.
At the same time, it feels as though the bad guys are still outpacing the good ones, stealing millions of customer identities and dumping them on the dark web every year.
For many customers, excessive layers of security are not empowering; they are simply overwhelming. Forward-looking businesses realise that obsessively focusing on security, with little consideration of the customer friction and irritation that results, is deeply misguided and can have lasting business implications.
Here are three reasons why disproportionate security is neither good for the business nor its customers:
- NIST asserts that bombarding users with security messages leads to security fatigue, exposing online users to risk and costing businesses money in lost customers. The majority of NIST’s 2016 survey respondents vented their frustrations at having to remember up to 30 usernames and passwords, being locked out of their accounts after typing the wrong password, and a constant barrage of gloomy cyber security breach headlines. These results are disturbing, albeit not surprising – excessive security degrades the digital experience and ultimately exposes customers to increased risk.
- Online security requires both the organisation and the customer to play their part. Time and again, hackers have stolen millions of unencrypted passwords and dumped them on the dark web. These incidents raise an important question: why burden the customer with maintaining a super-complex password, such as 6_3*%K&#^**Pclet!~~PxWx-281X, yet store it in clear text on the back-end system? Such arrangements push responsibility onto customers and give them a false sense of security. Besides, it has been shown that password complexity does not mitigate other threats, such as key-logging malware or social engineering. Thus, narrowly stressing password complexity without taking a holistic view of threats can still leave customers significantly exposed. While this may sound intuitive, several data breaches prove that it is still not obvious to many organisations.
- In 2016 McKinsey published a compelling paper which quantified the costs of authentication-related customer inconveniences. The insights were startling. The consulting firm cited the hassle of authentication as a key reason customers turn away from digital services. On the other hand, when consumers find the authentication process easy, they use digital services 10 to 20 percent more than customers who are frustrated by authentication. McKinsey also asserted that, more than any other aspect of a customer’s journey, failing to authenticate drives down customer satisfaction and overall brand perception. “It is also the highest-volume customer journey by far and often the number-one pain point for customers”, McKinsey stated.
Solving this enduring puzzle requires organisations to rethink how they can strike the right balance between simplicity and robust security. Here are some considerations:
- Security professionals have long advocated adopting layered security models. This conventional approach had merit, but times have changed. Businesses should do away with needless security controls, such as frequently forcing users to change their passwords. Password expiry rules, according to Microsoft research, do not appear to deliver the intended security benefit, despite their usability burden. They also generate a significant proportion of call centre enquiries, costing businesses millions to administer yet achieving very little.
- NIST took the lead in 2016 when it discouraged password complexity rules, as well as needless password expiry. Rather, NIST encouraged organisations to force password changes reactively, for example after a suspected breach. Such unconventional guidance, coming from one of the most highly regarded cyber security frameworks, is quite heartening.
- Be flexible and allow customers to opt into security features based on their appetite for risk. For example, you can allow customers to receive 2-factor verification codes via email, a mobile app or their mobile phone, based on their preferences. This allows customers to transact when travelling abroad or after changing mobile numbers. Amazon.com, the online retailing giant, is a vivid example. It allows customers to set up two-step verification, a feature that adds an extra layer of security by asking you to enter a unique security code in addition to your password on computers and devices that you have not designated as trusted.
- Obviously, not all online accounts have the same security requirements. Online banking clearly requires strong passwords and 2-factor authentication, while a Twitter account belonging to a politician or celebrity demands equally robust protection.
- Focus on the behavioral aspects of cyber security. Equip customers with knowledge to outwit phishing threats, a major avenue for cyber criminals to steal passwords.
- Use advanced analytics to enforce risk-based authentication. For example, an online banking system may require additional verification steps if a customer is logging in from an unusual or high-risk location.
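The step-up logic described in the last two points, written out as an added example (not code from the article or from any named vendor): a login is allowed silently when it matches the customer's known countries and trusted devices, escalated to a second factor when it comes from an unknown or high-risk location, and turned into a reactive password reset only when a breach has been flagged, rather than on a calendar. Country codes, weights and thresholds are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed placeholder list of countries the business treats as high risk.
HIGH_RISK_COUNTRIES = {"XX", "YY"}

# Constructed risk weights and step-up threshold; a real deployment would tune these.
UNKNOWN_COUNTRY_WEIGHT = 30
HIGH_RISK_COUNTRY_WEIGHT = 50
UNKNOWN_DEVICE_WEIGHT = 20
STEP_UP_THRESHOLD = 50


@dataclass
class UserProfile:
    user_id: str
    trusted_countries: set = field(default_factory=set)
    trusted_devices: set = field(default_factory=set)
    # Set by the incident team when a credential breach is suspected (NIST's
    # "reactive" reset trigger), instead of expiring passwords on a schedule.
    credential_compromised: bool = False


@dataclass
class LoginAttempt:
    user_id: str
    country: str      # ISO-style country code of the client's location
    device_id: str    # identifier of the device or browser presenting the login
    password_ok: bool # result of the primary credential check


def risk_score(profile: UserProfile, attempt: LoginAttempt) -> int:
    """Additive risk score from location and device signals only."""
    score = 0
    if attempt.country in HIGH_RISK_COUNTRIES:
        score += HIGH_RISK_COUNTRY_WEIGHT
    elif attempt.country not in profile.trusted_countries:
        score += UNKNOWN_COUNTRY_WEIGHT
    if attempt.device_id not in profile.trusted_devices:
        score += UNKNOWN_DEVICE_WEIGHT
    return score


def decide(profile: UserProfile, attempt: LoginAttempt) -> str:
    """Return 'deny', 'force_password_reset', 'step_up' or 'allow'."""
    if not attempt.password_ok:
        return "deny"                      # never leak which factor failed
    if profile.credential_compromised:
        return "force_password_reset"      # reactive change after a suspected breach
    if risk_score(profile, attempt) >= STEP_UP_THRESHOLD:
        return "step_up"                   # ask for the customer's chosen 2nd factor
    return "allow"


def designate_trusted(profile: UserProfile, attempt: LoginAttempt) -> None:
    """After a successful step-up, remember the device and country so the
    customer is not challenged again from them (the opt-in 'trusted device' idea)."""
    profile.trusted_devices.add(attempt.device_id)
    profile.trusted_countries.add(attempt.country)
```

Frustrated customers are the cost of every unnecessary `step_up`, so the weights should be checked against real login data rather than set once and forgotten.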
If history is any guide, companies will keep ramping up their security controls to keep up with the rapidly evolving cyber threat landscape. But doing so requires caution – poorly considered security solutions may further complicate the customer’s digital experience and ultimately cut into a business’s bottom line. Organisations that focus on simplifying customers’ digital experiences whilst diligently protecting their customer information will rise above the din.
Phil is an international keynote speaker, multi-award-winning virtual CISO and bestselling author. He is an official member of Forbes Business Council, an invitation-only global community for successful business owners and leaders. He was named one of 2020’s Top 100 Most Influential People of African Descent (New York, USA), as well as the 2017 winner of ISACA International’s Best Article Award (Chicago, USA). His views have been featured by Forbes, CISCO, NZ Business Herald, Financial Standard, SAP, etc., and he was named one of the Top 7 Global Cyber Security Leaders in 2023 by Security Magazine and ISACA.