How Banks Can Drive Revenue and Security Awareness with Internal Security Operations


The Cybersecurity Risk of Banking Customers

Bank customers are increasingly falling prey to social engineering attacks that lead to identity theft and economic loss. Customers often lack the knowledge to protect themselves against cyber threats, including phishing and vishing. Even though banks often compensate victims of attacks by reimbursing stolen amounts up to a certain limit, the experience can discourage customers from using the bank in the future.

According to a study conducted in 2022, financial services firms lose four dollars for every dollar of fraud. The associated costs include regulatory fines and remediation, loss of revenue, investigation costs and recovery expenses. Estimates claim that 41% of all cyber-attacks use phishing to gain initial access. Hence, aware and alert customers can help prevent many cyber-attacks.

While bank employees and vendors may be required to go through mandatory information security awareness training, banks have no control over the cybersecurity awareness of their customers. Periodic awareness emails and SMSs may not be sufficient to educate customers, who struggle to differentiate between valid contact attempts by the bank and phishing attempts by scammers. Banks need to rethink how to impart security awareness and protect their customers from falling prey to phishing attacks.

The impact of a lost identity and leaked personal and financial details can be significant. While a bank and its customers might assume that the repercussions of an incident are limited to one-time economic losses, this is not always the case. Post-attack, leaked identities and customer data can remain present on the dark net, leaving customers vulnerable to synthetic ID fraud. Instead of immediately using stolen identities or credit card records, hackers combine fictitious and real information, commonly taken from social media accounts, to create synthetic IDs that are used to draw credit. Hackers may build up good credit records with stolen identities over months or even years, seeking to maximize the credit they can secure, and then ultimately cease repayment or just vanish. According to a report by the U.S. Federal Reserve, synthetic ID fraud cost U.S. banks $6 billion in 2016; a more recent Federal Reserve report puts the figure at up to $20 billion in 2020.

Evolving cyber threats make it imperative for banks to invest in technology upgrades, but even so, their people, especially their customers, may fall prey to phishing attacks. What can banks do to enhance the awareness of their customers?

Security Solutions Banks Can Offer Their Customers

Financial institutions and fintech companies are using threat intelligence and customer identity and access management (CIAM) to stay abreast of the latest cyber threats and actors. CIAM enables organizations to control and manage customers' access to business applications and deliver a great customer experience. Banks should consider three solutions:

  1. Gamified security awareness. Banks implement a security operations center (SOC) to monitor and analyze traffic on networks, servers and other assets. The bank should use the threat intelligence capabilities of the SOC to educate customers about ever-evolving cyber threats. This can include information about the bank’s current technology and communications (e.g., how to identify a tampered ATM). Banks should explore multiple communication channels to increase customer engagement. Emails about security do not always work. Gamification techniques have proven to increase engagement and enhance knowledge absorption. Consider offering customers the chance to accumulate points as an incentive to obtain better lending terms or earn points for a loyalty program.
  2. Threat intelligence for customers. Banks should consider offering customers the opportunity to opt into a program that scans dark web marketplaces and other unprotected sites for stolen identities or other personal and financial information. Most customers are not aware whether their identities or records are on the dark web, and they lack the skills to access the dark web to check for themselves. Banks could additionally review the records or data uploaded to the dark web to check whether their customers’ information has been leaked, and provide information on the product or service from which the leak took place and appropriate actions a customer can take, such as blocking services, changing passwords, etc. A central CIAM solution can help ensure the right data is made available to the right identity. Some email providers, such as Google, already offer this kind of service by informing their customers about leaked passwords.
  3. Verification of customers’ communication. Ensuring customer security requires banks to be available to their customers when they need immediate support. For example, a customer may receive an email that looks legitimate, but the customer is not convinced of its authenticity and needs immediate guidance. Banks should consider offering customers a way to verify the legitimacy of a communication. This could be in the form of a mailbox on the bank’s website or app, or an upload / scan function. This capability could also enable banks to share attack details with other customers and stakeholders to continuously deliver up-to-date security awareness.
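The leak-notification service in item 2 raises a design question the text does not spell out: how a bank can tell a customer that a password or identifier appears in leaked data without the customer having to hand that value to the bank, and without the service learning which value was checked. The example below is an added illustration, not code from ISG or from any bank; it uses the hash-prefix "range query" pattern (the approach behind Have I Been Pwned's password API and Google's Password Checkup) on a constructed in-memory corpus. The choice of SHA-256 and a five-character prefix are assumptions made for the example; the server side records every prefix it receives so the reader can verify it never sees a full hash or plaintext value.

```python
"""Privacy-preserving leak check via a k-anonymity hash-prefix range query.

Added example (hypothetical): the bank-side "server" holds hashes of leaked
values, the customer-side "client" sends only a short hash prefix and does the
final match locally. Constructed sample data only; no real breach records.
"""
import hashlib
from collections import defaultdict

PREFIX_LEN = 5                      # bucket width; an assumption for this example
HEX_DIGITS = set("0123456789ABCDEF")

# Constructed sample corpus: leaked value -> number of breaches it appeared in.
# These are made-up test values, not real breach data.
LEAKED_RECORDS = {
    "password123": 3,
    "letmein": 2,
    "alice@example.com": 1,
    "Summer2024!": 1,
}


def digest_hex(value: str) -> str:
    """Uppercase SHA-256 hex digest of a UTF-8 string (SHA-256 is an assumption)."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest().upper()


def build_range_index(records: dict) -> dict:
    """Group the corpus into buckets keyed by hash prefix.

    Each bucket holds (hash suffix, breach count) pairs, so a client that asks
    for one prefix receives every record sharing that prefix, not just its own.
    """
    index = defaultdict(list)
    for value, count in records.items():
        h = digest_hex(value)
        index[h[:PREFIX_LEN]].append((h[PREFIX_LEN:], count))
    return dict(index)


def make_server(records: dict):
    """Return a query function plus the log of prefixes the server observed."""
    index = build_range_index(records)
    seen_prefixes = []

    def query(prefix: str) -> list:
        # Server side: accept only a well-formed prefix, never a full hash.
        if len(prefix) != PREFIX_LEN or not set(prefix) <= HEX_DIGITS:
            raise ValueError("prefix must be %d uppercase hex characters" % PREFIX_LEN)
        seen_prefixes.append(prefix)
        return list(index.get(prefix, []))   # empty bucket -> no match, no error

    return query, seen_prefixes


def check_leaked(value: str, query) -> int:
    """Client side: hash locally, send the prefix, match the suffix at home.

    Returns the breach count for the value, or 0 if it is not in the corpus.
    """
    h = digest_hex(value)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    for bucket_suffix, count in query(prefix):
        if bucket_suffix == suffix:
            return count
    return 0


def advise(value: str, query) -> str:
    """Turn a lookup result into the customer-facing guidance item 2 describes."""
    count = check_leaked(value, query)
    if count == 0:
        return "no match"
    return "seen in %d breach(es): change it and enable MFA" % count


if __name__ == "__main__":
    server, log = make_server(LEAKED_RECORDS)
    for candidate in ("password123", "alice@example.com", "unique-value-42"):
        print(candidate, "->", advise(candidate, server))
    # Everything the server ever saw: short prefixes only.
    print("server observed:", log)
```

The privacy property comes from the bucket, not from the hash alone: because every value sharing a prefix is returned together, the server cannot tell which one the client cared about, and the client never transmits the full digest. A real deployment would additionally rate-limit queries and keep the corpus refreshed from the threat intelligence feeds the article describes.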

Turning Effective Cybersecurity Into a Revenue Driver

As cyber-attacks increase across financial services, banks are investing in technology upgrades and building their own SOCs. A SOC should offer smart protection of a bank’s network, servers, endpoints and other assets, and should also possess threat intelligence capabilities. Threat intelligence is already widely used by financial services firms for internal security. Banks should integrate their threat intelligence capabilities into their SOC, their CIAM and their customer services, so they can extend the existing threat intelligence solutions to offer add-on services, even if only in a freemium model. Offering gamification-based awareness programs and immediate responses to potential phishing communications as a complimentary service with all banking products and services can be effective. The gains of improved customer awareness will likely offset the costs. For more sophisticated services, such as scanning the dark web for up-to-date information on personal data and identity leaks, a monthly subscription fee may be suitable.

Customer Protection as a Service

For banks and financial services enterprises, “Customer Protection as a Service” can create new revenue streams and contribute to the prevention of revenue loss due to a security breach at the customers’ end. Banks can turn the internal security function, which is traditionally a cost center, into a business driver and a strong competitive advantage.

ISG helps banks and financial services firms build and implement strategies to protect their customers and turn cybersecurity into a revenue driver.