Protecting Customer Accounts: The Defining Domain of Digital CISOs

Jun 08, 2022
IT Leadership | Security

As technology evolves, CISOs face expanding challenges and responsibilities around customer and employee data protection and user experience. Achieve all your digital demands – with the right authentication solution.


Chief Information Security Officers (CISOs) and other cybersecurity leaders have long struggled to protect corporate systems against both internal and external threats. They still must contend with cybercriminals who seek to compromise organizations via ransomware, data theft and fraud.

Often, much of their focus is on locking down and protecting employee accounts. Many of these accounts have elevated privileges to access corporate assets or the development and production environments behind customer-facing systems. The problem is that attackers can enter these accounts with stolen or cracked credentials, and with the right privileges they can quickly achieve their objectives. But it’s not just employee accounts they target. Customer accounts are equally vulnerable because credential theft is so easy.

Security is essential to the customer experience

Increasingly, CISOs face a different set of challenges when it comes to protecting customer accounts. These are the accounts that customers use to access a company’s digital apps and websites. Customers transact with the company (and sometimes each other), shop around, learn and get support via these accounts. Sometimes the online experience is the company’s product. Digital is not just a differentiator for many companies; it’s the entire business.

Consumers increasingly demand security from their online services. According to Experian’s 2021 Global Identity and Fraud Report, 55% of consumers say security is the most important aspect of their online experience. In other words, the CISO is responsible for one of the most important elements of a good customer experience. At the same time, organizations have little or no control over the devices, apps, channels and browsers customers use.

CISOs are increasingly expected to address consumer concerns as their businesses digitize the customer experience. A major focus will be on securing customer accounts, which are constantly targeted by thieves for account takeover and fraud.

The challenges of securing customer accounts

In many ways, protecting customer accounts is more challenging than protecting those for employees. Key differences that CISOs must overcome include:

  • Security training: CISOs can implement security awareness education for employees and contractors, training them on common threats and security best practices. The same is not true of an organization’s customers.

  • Enforcement authority: CISOs can enforce security policies and best practices internally. Externally, security policies that harm the customer experience can result in lost sales and customer churn.

  • Authentication options: Internally, CISOs have a range of strong authentication options, including smartcards and tokens. Customer authentication options are limited by the technology that customers have at hand.

  • Device security: Employees can be required to use sanctioned devices with corporate anti-malware solutions installed. CISOs cannot mandate which devices or software customers use, and attempts to do so may result in fewer customers.

CISOs’ security responsibilities are expanding, and securing the customer can be much harder than securing the employee. At the same time, threats to customer accounts are dramatically rising. In fact, account takeover attacks skyrocketed by 307% between April 2019 and June 2021.

Achieving both usability and security

Customers and their accounts must be protected using methods that are both easy to use and secure. Until now, this has been difficult to achieve. Most of the time, better security means adding more friction, not less. However, as customer identity and access management (CIAM) continues to evolve, more user-friendly solutions are being introduced.

One of those solutions is passwordless customer authentication using Fast Identity Online (FIDO) standards. FIDO-based passwordless is often used for employee authentication, but it is also well suited to customer and consumer use cases. FIDO-based passwordless authentication, when done right, is impervious to phishing, smishing and man-in-the-middle attacks.

Passwordless authentication is also easier to use than passwords and clumsy OTPs. FIDO-based passwordless is multifactor authentication that’s as simple as looking at your phone or scanning your fingerprint.
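To illustrate why FIDO2/WebAuthn logins resist phishing, here is an added example (not code from the article or from Transmit Security) of the relying-party checks on clientDataJSON and authenticatorData: the browser reports the real origin and the authenticator hashes the relying-party ID, so a look-alike site fails both checks. RP_ID and the origins are hypothetical, the sample assertions are constructed inline, and signature verification over the assertion is a separate step left out here.

```python
import base64
import hashlib
import json
import secrets

RP_ID = "bank.example"                    # hypothetical relying party
EXPECTED_ORIGIN = "https://bank.example"  # the only origin we accept


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """Construct clientDataJSON as a browser would for the page at `origin`."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()


def make_auth_data(rp_id: str) -> bytes:
    """Construct minimal authenticatorData: rpIdHash || flags || signCount."""
    flags = b"\x05"                        # UP (bit 0) and UV (bit 2) set
    sign_count = (1).to_bytes(4, "big")
    return hashlib.sha256(rp_id.encode()).digest() + flags + sign_count


def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     issued_challenge: bytes) -> str:
    """Return 'ok' or the reason the assertion is rejected."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    # Challenge must match the one this server issued for this session.
    got = str(cd.get("challenge", "")).encode()
    if not secrets.compare_digest(got, b64url(issued_challenge).encode()):
        return "challenge mismatch (replay or stale session)"
    # Origin is filled in by the browser, not by the page, so a phishing
    # site cannot claim to be us.
    if cd.get("origin") != EXPECTED_ORIGIN:
        return f"origin mismatch: {cd.get('origin')}"
    if len(auth_data) < 37:
        return "authenticatorData too short"
    # The authenticator scoped the credential to our rpId at registration.
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user presence flag not set"
    return "ok"
```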

The bottom line: authentication expectations are changing, and customers want the ability to log in without usernames and passwords. That means no passwords anywhere, and no knowledge-based credentials appearing at any point in the process.

But it shouldn’t end there. A complete passwordless solution must offer a full spectrum of login options that work for everyone, including those who are not able or ready to use biometrics.

Magic links or time-based one-time passcodes (TOTPs) are passwordless methods that also eliminate your greatest risk: customer passwords.

Let Transmit Security show you what it means to be truly passwordless with BindID.