Navigating the landscape of customer interactions is a delicate balancing act that requires constant calibration between security and operability (or usability, if speaking from a customer’s perspective). While prioritizing convenience over security may streamline customer transactions, it can elevate risk for both parties. Conversely, heavy-handed security measures reduce risk but quickly erode the customer’s patience, pushing them to pursue a smoother experience elsewhere.
Increasingly frequent and sophisticated cyberattacks make this tightrope walk even more difficult. A secure customer transaction should be more like a trip to a favorite brick-and-mortar store and less like navigating the array of security checks at an airport.
The challenge is that there is no one right balance between security and smooth customer experience that applies across all organizations and all scenarios. However, some core principles provide valuable guidance for enhancing security while maintaining customer satisfaction.
In the fable, Goldilocks wants porridge that is neither too cold nor too hot. Similarly, customers expect to see a certain level of security, but not too much. If no basic security measures are visible, they are unlikely to do business with the organization. This is especially true for verticals like finance and healthcare, where people need to trust the institution with their money and sensitive data.
However, organizations can take security measures too far. What if a bank required customers to answer a series of security questions for each transaction, regardless of whether the customer is trying to withdraw a large sum or simply view their balance? This security control would likely be viewed as overly invasive and entice customers to find a “friendlier” bank that they still felt safe at.
All security measures should be assessed from the customer’s perspective. For instance, suppose you are considering a policy that prevents users from pasting in their password when logging into your customer web portal. While this measure might thwart some types of cyberattacks, it also makes it much harder for customers to use a password management app. As a result, some of them might use shorter and simpler passwords, which are more susceptible to brute-force attacks. This customer-oriented analysis reveals that the proposed policy could do more to undermine security than to strengthen it.
More broadly, before implementing a security measure, identify the business process you are attempting to secure and think through how the proposed change would impact it. Is it a good idea to require multifactor authentication (MFA) whenever a customer wants to access your online shop? On one hand, this policy provides an additional layer of security for the credit card details and personal information tied to the account. On the other hand, some customers might find it too annoying to always have to provide a second authentication factor in addition to their credentials. One way to navigate these competing concerns might be to require MFA only in risky circumstances, such as when the customer is using a new device or requesting a sensitive transaction like a large withdrawal.
Educating employees about security threats and the organization’s mitigating controls is an effective way to reduce resistance to following processes that are inconvenient. Indeed, security awareness training is one of the top three IT priorities for organizations, according to a 2023 Netwrix report.
Providing customers with similar insight is equally valuable. When customers don’t fully understand why security measures are in place, they are likely to see them as onerous and objectionable. Communicating the purpose and value of these controls can shift their perspective from annoyance to appreciation for the additional protection. For example, if you require cardholders to verify any unusually large purchase, explain how this mechanism works and why it’s important. If you require MFA when a user attempts to log on from a geographical location outside of their norm, include a short note in the MFA request explaining that this type of unusual activity can be a sign of account compromise.
When it comes to customer interactions, organizations need to put guardrails in place to reduce security risks and inspire confidence — and they also need to ensure that customers perceive their journey as friendly and frictionless. To strike the right balance, remember that customers want to see a certain level of security, keep the customer perspective in mind when considering new security measures, and communicate to customers the purpose of the controls that you put in place. Following these principles will help you build a mutually beneficial relationship marked by trust and safety.
Recent Articles By Author