While most organizations think through the direct risk of cyber threats to their business via cyber attacks, known vulnerabilities, and security flaws, not many organizations recognize the risk posed by their customers.

There are (typically) two different types of customers:

1. Commercial Customers (B2B) – other businesses doing business with your organization.
2. Consumers (B2C) – individuals who utilize your online-based products and services.

Customers Have Less Security

More often than not, businesses (particularly those in regulated industries) have stronger cybersecurity controls in place than customers. Think about your customers – commercial or consumer – and ask yourself who has stronger cybersecurity controls? If you’re not the winner of that debate, it may be time for some cybersecurity assistance.

In many cases, the poor cybersecurity practices of your customers can lead to a compromise by a malicious attacker. A customer compromise can lead the malicious attacker to steal valuable information. In most cases, the customer compromise value proposition is email access, account access, or customer funds through financial institution(s).

In any case, the malicious attacker has the customer’s information and can set the customer up for a cooperate account takeover (CATO) scenario. CATO comes in many forms, but the two most popular include draining customer bank accounts, redirecting funds to unauthorized payees, or business email compromise (BEC) attacks that steal money and further the attacker’s agenda. Customer compromise is very difficult to combat and can often lead to reputational and monetary damage to your business.

Cover the Basics

An organization with a strong security culture goes beyond internal employees and talks about cybersecurity threats with its customers as well. Educating customers about the dangers of cyber threats helps build a stronger relationship with the customer. Stronger customers also benefit the business. A stronger customer will reduce the risk of their information becoming compromised or used maliciously against your business.

Your customers can benefit from the same security awareness topics shared internally, including:

• Phishing and social engineering – Educate customers on the different types of social engineering attacks and what controls can be added to mitigate the risk of an attack. Stressing the dangers of phishing emails and how the organization can defend against phishing is another key point to cover.
• Physical security – Educate customers about physical security threats and best practices.
• Access controls, including passwords – Educate customers on the importance of strong authentication mechanisms. Stress the importance of length vs. complexity when it comes to passwords and encourage the implementation of multi-factor authentication (MFA) whenever possible.
• Remote access security – Educate customers on the importance of securing remote workers through the use of VPNs, wireless network best practices, quality anti-malware programs, etc.
• Use of encryption – Educate customers on the importance of data encryption.
• Mobile device security – Educate customers about security controls for mobile devices, including strong passwords, biometric authentication, encryption, anti-malware programs, and Wi-Fi connectivity.
• Malware awareness – Educate customers about defending against malicious software.
• Importance of anti-virus and firewalls – Stress the importance of firewalls and the use of malicious program detection programs.
• Security awareness – Stress the importance of ongoing security awareness training and staying up-to-date about modern attacks.
• Incident response plans – Stress the importance of corporate customers building a plan to fail well (an incident response plan) in the event they are compromised.

How to Train Your Customers

Using multiple delivery channels to provide training and education can help ensure your customers see it throughout the year. Delivery channels can include:

• Your business website (your own content, your policies for handling information or disclosing cyber incidents, cybersecurity news or articles, or links to other cybersecurity training)
• Post cybersecurity resources or news on your social
  media channels
• Include cybersecurity resources with physical statements
  or invoices
• Provide cybersecurity resources, control suggestions, or self-audits at the time of account opening
• Conduct periodic audits of security controls at a
  customer’s location

Actually Talk to Your Customers

One of the most popular and effective methods of training is to invite your customers to a virtual or in-person lunch-and-learn.

Getting out in front of your customers and talking about the importance of cybersecurity is a win/win/win:

1. You are helping to create stronger customers that are more resistant to cyber attacks, benefiting both you and your customer.
2. You show your customers they are more than just a number. You’re strengthening relationships and demonstrating care about their well-being.
3. You have an opportunity to show off new products/services or new features, as well as potentially increase the adoption of existing products or services.

Talking about cybersecurity also offers a chance for your customers to see how your organization is protecting their information. In today’s market, where cybersecurity is becoming a deciding factor for consumers presented with many options, being open and transparent about cybersecurity can instill customer confidence and draw in new customers.

Here are some additional considerations to keep in mind:

• Invite the community.
• Host several sessions to cover the most people possible. Consider recording the session for those unable to attend and/or to use for content later.
• Choose a platform (if virtual) that is easily accessible by your customers, user-friendly, and secure.
• Pair up with your chamber of commerce, a civic organization, or an academic institution.
• If you’re not confident talking about cybersecurity yourself, bring in a cybersecurity expert to speak on your behalf.