Password Hygiene and the Disrupted Customer Experience
Recap from the October 16th, 2019 CISO/Security Vendor Relationship Podcast
by Lydia Pert
There’s no getting around the fact that most people see updating passwords as annoying and bothersome. So what happens when password updates and the online customer experience merge? In the most recent Cloud Security Tip, Steve Prentice posed an interesting question: “When companies in retail or enterprise remind their online visitors to change their passwords, are they doing them a favor — or causing them grief?” In most cases, having to change a password is more of a bother for online visitors than a benefit they notice, and being forced to do so could negatively impact their customer experience.
In commerce, the customer experience is the product of an interaction between an organization and a customer over the duration of their relationship. It’s crucial for businesses to keep their online visitors happy — as it often means the difference between organizational success and failure. But this presents a dilemma: keep them happy, or keep them safe?
Customer Data Responsibility
If the password security measures jeopardize a sale or transaction, the cost of proactive security (at least for the short term) often seems like too great a price to pay.
But this whole topic ultimately boils down to who is responsible for security. Should a merchant website place the burden of personal security back on the customer? And if so, how would this protect the merchant’s own property? Most agree that this is not the best direction to go in, because it leaves the merchant open to loss, and in most cases the company will be blamed for a data breach regardless of whether the customer was responsible. Even when the blame lies solely at the customer’s feet, your angry customers won’t see it that way. More than likely, your company will bear the brunt of any backlash.
And it’s obvious from the avalanche of data breaches of recent years that stored data of any sort becomes a permanent liability. Unlike a straight-up robbery, lost data remains a commodity forever, because data becomes more useful the more it is used. Once processed, data almost always reveals deeper applications.
Customer Experience Solution
The solution really boils down to the question posed above: keep them happy, or keep them safe? Most (if not all) will agree that keeping page visitors’, clients’, and customers’ data safe should be the top priority. Every person visiting your website should have to create a strong password, and they should be prompted to change their passwords regularly.
It would also be wise for companies to implement two-factor authentication (2FA) whenever possible. 2FA means that two separate identifiers are required to gain access to a particular account. These identifiers are broken into what the user knows and what they have — such as knowing their password, and having a cell phone that can receive an SMS verification code to enter. The improved security that comes with 2FA means that attackers are less likely to gain access to sensitive data.
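To make the two preceding points concrete, here is an added example (not code from the podcast, the article, or any product it mentions) of what a site’s login path looks like when it enforces a strong-password policy and requires both factors: something the user knows (a password, stored only as a salted PBKDF2 hash) and something the user has (a one-time code the site would deliver out of band, here simply returned by `issue_code`). The in-memory user store, the 12-character minimum, the short denylist, the 200,000 PBKDF2 rounds, the six-digit code, the five-minute expiry and the three-attempt limit are all assumptions chosen for the example, not requirements stated in the article.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory user store for the example; a real site would keep this
# in a database and send the one-time code by SMS or an authenticator app.
USERS: dict[str, dict] = {}

# Constructed denylist of passwords that should never be accepted.
COMMON_PASSWORDS = {"password", "password123", "123456789012", "qwertyuiop12"}

PBKDF2_ROUNDS = 200_000      # assumed work factor
CODE_TTL_SECONDS = 300       # assumed one-time-code lifetime
MAX_CODE_ATTEMPTS = 3        # assumed guess limit per issued code


def password_meets_policy(password: str) -> bool:
    """Factor 1 (something you know): require a minimum length and reject
    anything on the denylist. Length does more for strength than symbol rules."""
    if len(password) < 12:
        return False
    return password.lower() not in COMMON_PASSWORDS


def register(username: str, password: str) -> bool:
    """Store only a salted PBKDF2 hash; the plaintext password is never kept."""
    if not password_meets_policy(password):
        return False
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[username] = {"salt": salt, "hash": digest,
                       "code": None, "code_expires": 0.0, "code_attempts": 0}
    return True


def verify_password(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(candidate, user["hash"])


def issue_code(username: str, now: float) -> str:
    """Factor 2 (something you have): generate a six-digit one-time code that the
    site would send to the user's phone, and record its expiry server-side."""
    code = f"{secrets.randbelow(10**6):06d}"
    user = USERS[username]
    user["code"] = code
    user["code_expires"] = now + CODE_TTL_SECONDS
    user["code_attempts"] = 0
    return code


def verify_code(username: str, code: str, now: float) -> bool:
    """Accept a code only before it expires, only a limited number of tries,
    and only once."""
    user = USERS.get(username)
    if user is None or user["code"] is None:
        return False
    if now > user["code_expires"]:
        user["code"] = None
        return False
    user["code_attempts"] += 1
    if user["code_attempts"] > MAX_CODE_ATTEMPTS:
        user["code"] = None          # too many guesses: invalidate the code
        return False
    ok = hmac.compare_digest(code, user["code"])
    if ok:
        user["code"] = None          # single use
    return ok


def login(username: str, password: str, code: str, now: float) -> bool:
    """Both factors must pass; the caller only ever sees a single pass/fail."""
    if not verify_password(username, password):
        return False
    return verify_code(username, code, now)
```

The `now` parameter is passed in explicitly rather than read from the clock so the expiry behaviour can be exercised deterministically; a real deployment would also rate-limit the password check itself and log failed attempts for the security team.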
Another option is encouraging visitors to use password managers. Password managers offer the unique benefit of hashing and encrypting personal data so that it doesn’t exist in full form at either end — much like tokenization technology being used in point of sale transactions so that no data is kept static.
At the end of the day, it’s just like Steve said: “Customers will go where they feel safest AND where they feel they are getting the best deal.” So definitely do what you can to keep your customers happy — but not at the expense of their data security, or yours.