By Stephen Ritter | Chief Technology Officer
Best practices from the enterprise
In an enterprise environment, much of the work that protects us from online fraudsters intent on stealing our corporate or customer data goes on in the background. While, as company leaders, we receive frequent briefings and have serious, in-depth conversations with our security teams, we know and trust there are multi-layered security protocols in place to monitor the health of our internal security ecosystem and help protect our company from attacks.
However, there is an entry point that today’s sophisticated online criminals can exploit to bypass our enterprise security systems and cause significant damage to both our company and customers. They can walk in through our virtual front door disguised as our own valued customers.
While we carefully build our enterprise systems to protect the company from as many threats as possible, the security systems we use for customer interactions may be haphazard, often limited to an effort to confirm a potential customer’s identity when he or she first opens an account. That’s no longer enough.
Consider the online life of a customer – even one of your own. Without thinking much about it, as they leapfrog from site to site they give away a startling amount of information about their personality, habits and lifestyle. Too often they readily disclose where they live, where they work, how they spend their money and, in some new apps, even when, where and to whom they give money. And unfortunately, just by using the information customers provide online, fraudsters can easily construct a convincing portrait of that person, one so realistic that they can use it to hijack the person’s identity and even gain access to their online accounts.
It’s happening more and more. That’s why one of the questions I now hear often from companies is how they can manage consumer identities with the same level of security they use to confirm employee identities in the enterprise. The good news: it’s possible.
Finding the right balance
Of course, different tools will be required. In the workforce world, employees will change their passwords whenever they are told, no matter how frustrating, because they have no choice. If they lose their access to enterprise systems, they can’t do their job.
It’s obviously different on the customer side. If someone starts to sign up online for a new account and it becomes too difficult, they will drop. If they call a call center, but are asked too many questions or have to sit on hold for too long, they will drop. Every time someone drops before a transaction is completed, that’s a missed revenue opportunity or, in the case of an existing customer with a problem, potential reputational damage, which also can have a significant cost. If customers are asked to jump through too many hoops or an enterprise security system creates more friction than the average person will handle – and today that level is extremely low – they will take their business elsewhere.
The key, therefore, is to craft a consumer identity access system that incorporates the best enterprise-level protocols combined with the latest biometric technology and behavioral science research. Such a system offers protection for both the customer and company in ways that maintain customer loyalty and trust.
Applying the right security at the right time
As someone with more than 30 years of cybersecurity experience, I have watched the need for online protection explode and evolve. Over that time, we have moved from rudimentary logon protocols to more secure multi-factor authentication. But we’re now facing even more sophisticated levels of fraudulent behavior. We need to adapt and integrate more advanced technologies to remain just as secure. And we need to extend that protection throughout all corners of our operations.
The goal is to find the best balance: protecting our customers without adding so much friction to the system that we drive them away. The good news is that there are best practices we can employ.
Today, many customer ID verification systems stop at the front door. We verify that new customers are who they say they are and that’s the end of it. However, once a new customer is on board, how do you know over time that the person you approved for an account is the same person you are currently doing business with? How do you know that your customer’s identity or persona has not been stolen? A common criminal tactic is to co-opt a legitimate customer’s identity and use it, through increasingly sophisticated tactics, to scam and defraud businesses that think they are still dealing with the original account owner.
The most effective way to prevent that level of sophisticated fraud and achieve the goal of security for both a company and its customers is a system of continuous authentication. Using ID verification technology, biometrics and behavioral science, a customer can provide passive identity confirmation each time they log on to their account.
Using observed behaviors – from the device they use to log on to the time of day they typically access their account and more – customers’ usage patterns can confirm their identity and that they are a live person, not a bot or fake posing as a customer. No one has to ask them for a password or ID. Their identity is authenticated by their behaviors, voice and “liveness” detection. Systems like these provide a positive customer experience and a higher level of security.
With a full customer identity verification system that includes continuous authentication, we no longer have to sacrifice user satisfaction to gain greater online protection. This increased level of security can’t come a moment too soon.