Ron Daly, President/CEO
Virtual StrongBox, Inc.

Now that the Justice Department has found other means to crack open the contents of the iPhone at the center of U.S. Government v. Apple, the pressure is off the company to breach its own security. At least it was. After saying it would drop the case, the Justice Department filed a letter April 8 with the U.S. District Court in Northern California, stating it needs Apple to mine data from another iPhone – this time for a drug-trafficking case.

This issue is far from over. We’re likely to see it played out in Congress and the courts for years to come with the feds seeking the public’s goodwill on one side, while technology powerhouses like Cisco, Google, Amazon, Facebook and Evernote file a steady flow of amicus briefs on the other.

A tough issue

Apple and its fellow tech companies believe they have a responsibility to their customers, who expect them to protect their personally identifiable information – just as we do in the financial industry. At the same time, the government thinks it needs access to consumers’ devices to protect the public. Some will say Apple is being stubborn and proprietary; others feel the government’s intrusion on citizens’ privacy would set a dangerous precedent.

Having spent a considerable time as CFO for a financial institution that serves government employees, I’m empathetic to the role data can play in stopping the bad guys. But as the CEO of Virtual StrongBox, Inc., a company dedicated to protecting clients’ sensitive files, I understand the tech industry’s need to safeguard consumers’ privacy, with Apple demonstrating it cares about its customers.

Customer experience vs. enterprise security

This issue has caused me to reflect on a related concern: the balance between security and customer experience. Some IT security experts say you can’t have both. And, given the onslaught of online frauds, breaches and ransomware, security is arguably an enterprise’s No. 1 goal. But with consumers’ demand for mobile banking to meet the standards of other easy-to-use apps, will tighter security kill the customer experience?

Financial institutions of all sizes are feeling the competitive pressure to focus on exceptional customer experience in their digital channels. But those efforts will fail if security procedures keep customers from completing simple transactions. It’s irritating not to have easy access to your bank account when you can buy merchandise from Amazon with a single click or make Southwest Airlines reservations in less than 5 minutes.

In their article, “Adapting to digital consumer decision journeys in banking,” McKinsey & Company principals David Edelman and Edwin Van Bommel noted that “with the endless choices consumers have for researching and buying new products and services, all at their fingertips 24/7, digital channels no longer just represent ‘a cheaper way’ for banks to interact with customers. They are now critical for executing promotions, stimulating sales, and growing market share.”

The fact is, as more people use their mobile devices to pay for a haircut or order groceries, the more they feel it should be just as easy to make a bank transaction. Penny Crosman, editor at large for American Banker, put it this way: “What customers get frustrated with is if we lock them out of their online banking because they’re using their cousin’s computer on Christmas break, so they’ve logged in from a different state, on a different computer, with a different IP address.”

And while Crosman acknowledges that those same customers aren’t eager to accept responsibility for bank losses, clunky bank apps that require multiple passcodes or tokens make them “crabby.”

Banks often feel they’re squeezed in the middle because cyber thieves are becoming cagier, more prolific and increasingly diversified in their attacks, while regulators are pressuring them to step up their online security requirements. And customers expect their private information to remain just that: private. Taken together, you can’t be expected to deliver a good experience, right? Uh … no.

Eileen Taylor, IBM’s Senior Product Marketing Manager for its Security Services division’s web fraud portfolio (Trusteer), says, “In the era of the consumer, it’s more important than ever to not impact the [digital] customer experience. Blocking fraud from entering the system is the most effective means of preventing it. If fraud is never initiated, customers will not be inconvenienced by blocked transactions” or other measures.

Moreover, Taylor says a successful security solution should provide an effective, nonintrusive and integrated layer of protection for customers across both the online and mobile channels. “This needs to be easy to implement and operate, require minimal operational support and be adaptable to the evolving threat landscape,” she said. Microsoft has equipped Windows 10 for the PC/tablet with biometric capabilities built into the operating system, and Apple’s fingerprint recognition option is gaining popularity with mobile users – many of whom have begun complaining that their banking app doesn’t support TouchID.

Having and eating our cake

While financial institutions need to make sure their customers’ information is protected in the era of high cybercrime, they don’t have to compromise service. With the right strategy and technology partner, a growing number of banks are finding balance where security and customer experience intersect.

At Virtual StrongBox we believe offering a simple but robust sign-on process, strengthening security behind the scenes, and providing practical education (for both customers and employees) can ensure superior customer service and superior security.

Here are a few recommendations:

  • Simplify sign-on – Make it easier for customers to use your services by providing multifactor authentication and integrating single sign-on (SSO). This convenient process lessens customer frustration and speeds up their ability to perform banking tasks. Be sure they know it’s available and how to activate it.
  • Keep sensitive company information secure. JP Morgan was victimized by hackers who obtained a list of apps and programs on its computers, which they cross-checked with known weaknesses and found an entry point into the bank’s systems. And internal security flaws tripped up Auburn University, where the personal information of hundreds of thousands of current and prospective Auburn students was exposed through internal gaps.
  • Create an ongoing fraud awareness program for employees and customers. Last year’s 2015 Carbanak case resulted from employees unwittingly opening normal-looking but unfamiliar email attachments that contained malware. Educate employees and customers on topics such as how to spot phony URLs, choose and safeguard passwords, and stay alert to suspicious emails.
  • Engage a firm with proven data-security expertise – Many breaches and other cybercrimes can be eliminated by choosing a qualified security partner. Virtual StrongBox’s patented encryption technology for enterprises and customers includes end-to-end protection from loading documents to file exchange and storage, as well as the ability to select and view documents on digital devices.