Besides Cookie Month,
it’s Cyber Security Awareness Month

I AM REMISS. I allowed September to come and go without wishing anyone a happy Chicken Month. As long as I’m catching up, and despite my failure to send out greeting cards, I also hope you had a great Oatmeal Month in January and a happy Pig Day in March. And then there was International Beer Day in August. How on earth I missed that one is beyond me. I mean, it even has its own online countdown clock.

In my defense, every month and nearly every day commemorates something, so it can be easy to lose track.

The current month of October commemorates a couple of serious matters. It is Breast Cancer Awareness Month, which organizations such as the Susan G. Komen Breast Cancer Awareness Foundation and the American Cancer Society do a good job of reminding us about each year.

On a less serious note, it’s also Applejack Month, Cookie Month, Pizza Month, and, fittingly, Sarcasm Month. But here’s one I for sure don’t want to let slip by unnoticed:

October is National Cyber Security Awareness Month (NCSAM).

The United States officially launched NCSAM in October of 2004, with a proclamation signed by President Barack Obama:

Cyber threats pose one of the gravest national security dangers the United States faces … Our commitment to maintaining an open, secure, and reliable cyberspace ensures the Internet will remain an engine for economic growth and a platform for the free exchange of ideas … This month, we resolve to work together to meet this global challenge … I call upon the people of the United States to recognize the importance of cybersecurity and to observe this month with activities, events, and training that will enhance our national security and resilience.

The Department of Homeland Security website dedicates a page to NCSAM that provides a wealth of materials on self-protection, arranged by audience and by topic. There’s also a Phishing Awareness poster (above, right), weekly themes, and an invitation to join the campaign. Per its own description, the page is …

… designed to engage and educate public and private sector partners through events and initiatives to raise awareness about the importance of cybersecurity, provide them with tools and resources needed to stay safe online, and increase the resiliency of the Nation in the event of a cyber incident.

Though I encourage readers to check out the DHS NCSAM page, I tend to agree with author Dave Moore, who wrote in The Norman Transcript:

While things have improved over years past, if you are looking for information you can actually use to keep yourself, your family and your business safer, it’s hard for me to recommend the poorly-organized Cyber Security Awareness Month section of the DHS website. While there is some good information there, it’s organized in such an oddball way as to drive away their potential audience.

Moore goes on to recommend a visit to the StaySafeOnline.org/ncsam website:

… Logical in its layout and comprehensive in its approach, there’s something here for everyone. I suggest taking a look at the Cyber Security Awareness Resources Library page and checking out the Future of Internet Security and Privacy video. It is very timely, especially in light of the recently-revealed hacks at Equifax and Yahoo. The Stay Safe Online section is good, too, full of good advice; check out the very timely Responding to Identity Theft and Managing Your Privacy articles. If I could choose only one Cyber Security Awareness Month-themed website, it would be this one.

Not surprisingly, IBM and other companies dealing in cyber safety products are helping promote NCSAM as well. Good. Their profit motive in no way lessens NCSAM’s importance.

I have posted before about the importance, in the financial services industry, of educating clients on the basics of cyber security. (For starters, see here, here, here, and here.) With the U.S. government, other nations, and other organizations taking on the topic throughout October, this might be a good time to hop on board. Financial institutions that haven’t already launched a full-blown campaign might consider an e-letter directing readers to some of the links above. Short of that, it’s not too soon to begin planning for next year.

Posted in Uncategorized by Matt. No Comments

Oh what a tangled
(dark) web we weave


The dark web has its dark side.

How the U.S. government helps cover the overhead of people trying to hack your bank

When you email or visit a website, your computer leaves behind a calling card in the form of its IP address. Short for “Internet Protocol,” the IP address helps devices locate and recognize each other, thus speeding communication.

People, too, can identify senders and visitors by an IP address. This can be rather inconvenient if you happen to be a cyber spy, assuming you don’t want the people you’re spying on to know that you’re spying on them, much less who you are or where your kids go to school.

So, the United States Navy set to work on a browser that would make it impossible to trace IP addresses. The result was the TOR browser, “TOR” being an acronym for The Onion Router.

I’d hoped its name derived from the news-satire site, but a little research revealed that the “Onion” part refers to multiple layers the browser employs to mask user identities. 
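To show what those “layers” actually do, here is an added illustration that is not part of the original post: a toy three-relay onion circuit in Python. The relay names, the pre-shared keys and the XOR stream cipher are assumptions standing in for the per-hop keys and cipher Tor negotiates for real; the point is that each relay can strip only its own layer, so it learns the previous and next hop and nothing else.

```python
import hashlib
import json
from typing import Dict, List, Tuple

# Toy XOR stream cipher keyed by SHA-256(key || counter). It stands in for the
# per-hop symmetric keys Tor negotiates; this is an illustration, not Tor's cipher.
def _keystream(key: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

# Constructed circuit (assumption): each relay holds a key shared only with the client.
RELAY_KEYS: Dict[str, bytes] = {
    "guard": b"guard-key", "middle": b"middle-key", "exit": b"exit-key"}
CIRCUIT: List[str] = ["guard", "middle", "exit"]

def build_onion(message: bytes, destination: str) -> bytes:
    """Client side: encrypt the exit's layer first, then wrap each earlier relay's
    layer around it, so the guard's layer ends up outermost."""
    hops = CIRCUIT + [destination]
    onion = message
    for i in range(len(CIRCUIT) - 1, -1, -1):
        layer = json.dumps({"next": hops[i + 1], "data": onion.hex()}).encode()
        onion = xor_crypt(RELAY_KEYS[CIRCUIT[i]], layer)
    return onion

def peel(relay: str, onion: bytes) -> Tuple[str, bytes]:
    """Relay side: its key removes exactly one layer and reveals only the next hop."""
    layer = json.loads(xor_crypt(RELAY_KEYS[relay], onion))
    return layer["next"], bytes.fromhex(layer["data"])

def route(message: bytes, destination: str) -> Tuple[List[dict], bytes]:
    """Forward the onion hop by hop, recording what each relay sees.
    No single relay ever sees both the client and the destination."""
    views = []
    onion = build_onion(message, destination)
    previous = "client"
    for relay in CIRCUIT:
        next_hop, onion = peel(relay, onion)
        views.append({"relay": relay, "from": previous, "to": next_hop})
        previous = relay
    return views, onion  # the exit now holds the plaintext for the destination
```

The recorded views show the guard knows the client but not the destination, and the exit knows the destination but not the client, which is the masking the post describes.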

The Navy released TOR for general use in 2002. It soon became apparent that TOR, like any technology, can be used for good and not-so-good purposes.

On the good side, you can use TOR to reduce your chances of being hacked, frustrate any designs Big Brother may have on monitoring your online activity, or, if you’re writing a crime novel, research topics like, say, how to defeat a burglar alarm or get away with murder without fear of landing on a watch list.

On the not-so-good side, TOR enables, and allows to flourish, a secret online world known as the dark web, which happens to be a fairly safe environment for conducting illegal activities. It should come as no surprise that myriad criminals use it for exactly that purpose. Stolen identities with account numbers, healthcare information, firearms, drugs, fraud, and prostitution—and worse—are all freely traded on the dark web.

We’re not talking small potatoes here. There are flagrantly illegal dark web operations that have grown so large that they offer guarantees, publish user reviews, and maintain 24-hour help lines.

More reason to educate clients on the basics of online safety

For the financial services industry, stolen identities with account numbers is the tip of the dark iceberg. Writing for Verafin a little over a year ago, financial crimes research specialist Denise Hutchings reported that a wealth of personal information belonging to U.S. Bank clients—including “usernames, passwords, physical addresses, email addresses, phone numbers and bank account numbers”—had been made readily available to dark web shoppers.

Since digital payments are traceable to bank accounts, you might think that making a purchase over the dark web would immediately reveal your identity. Perhaps it would, were it not for cybercurrency, which, like the dark web, is largely untraceable. The recent advent of Bitcoin provided the final component that criminals needed to make the dark web safe and profitable for illicit purposes.

Given the extent of the dark web’s dark side, you might wonder why the Navy opened up TOR for general use in the first place. And, since the dark web does not fund itself with the likes of pay-per-click, ad revenues, and retargeting, you might wonder why, as reported in The Guardian, TOR receives about 60% of its funding from the U.S. State Department and Department of Defense.

To answer both questions, consider TOR’s original objective: To let cyber spies spy without fear of detection. If TOR were available only to U.S. government employees, it would be pretty obvious that anyone not leaving an IP address worked for the U.S. government. Cyber spies can pass for anyone only if you let anyone use TOR.

And anyone does. As of this writing, TOR has nearly 3 million users. I want to emphasize that not all TOR users are bad guys. It has its legitimate uses. Its illicit uses, however, leave the U.S. government in an interesting predicament. It needs TOR to remain anonymous in order to keep undercover agents under cover; but the government doesn’t like enabling criminals, much less picking up most of their tab. So, the government asked TOR’s developers to create a secret way in, a request that was wisely refused. TOR works precisely because there is no secret way in; were one developed, it would sooner or later find its way to the wrong people.

Inevitably, businesses whose raison d’être is to crack the dark web are now flourishing.

Legit uses aside, it behooves financial institutions to beware the illegitimate ones. Warning clients about potential harm can make for good policy provided it doesn’t err on the side of sowing paranoia. It might also be a good idea to check for the TOR browser on company devices. It’s one thing to use TOR at home. Unless there’s a job-related need for anonymous activity, an employee who downloads TOR onto company property may be up to no good.



Digital is hot but don’t
close your branches yet


Read my new article in
The Financial Brand

Consumers approach their personal banking in many ways, using different channels for different types of transactions. The use of both basic and advanced digital banking channels is increasing, as customers become familiar with new technologies and capabilities.

Though branches still offer some value for consumers, comfort with using automation and non-traditional financial firms for banking transactions continues to gain traction. This change in consumer behavior requires attention from the banking community, especially those firms that hope that the movement to digital solutions will either slow or stop altogether. This isn’t going to happen.

In a survey fielded by Fiserv, it was found that most consumers are split on their preferred mode of interaction with their primary financial institution. While over half of consumers (click here to continue on The Financial Brand website)


Staying true to the brand
versus being stubborn


ANECDOTES ABOUND of companies that prosper by sticking to brand promises.* That’s great when brand promises are relevant. Sticking to promises no one gives a hoot about isn’t so much a show of brand integrity as a show of stubbornness. 

For a look at how clinging to “because that’s our brand” isn’t always a good thing, I invite you to travel back in time to 1983 Milan, Italy, when a fellow by the name of Howard Schultz happened into a coffee house and emerged with a cup of espresso and an epiphany. 

Never had Schultz had a coffee experience like that one. The intimate surroundings, the aroma, the barista’s expertise and showmanship, the dark, rich flavor of the espresso—all of these things fueled his imagination. He returned to the U.S. with a new vision for the company he’d recently bought into. No longer would Schultz be content with a company that only roasted and sold coffee beans. He was going to open coffee houses everywhere so his customers could bask in the same experience that overwhelmed him in Milan.

His partners were unmoved, so they parted ways. They would launch and make a success of Peet’s Coffee, with which you’re undoubtedly familiar. Remaining behind, Schultz set about raising capital in order to morph a one-location coffee roasting company, Starbucks, with which you’re also undoubtedly familiar, into a chain of Italian-style coffee houses.

From the get-go, Schultz showed an intrinsic understanding of brand substance. He was passionate about recreating in the U.S. the experience that had captured him in Milan. We do it the way they do it in Italy proved a great guiding principle for delivering a consistent, quality product in a consistent, pleasing setting.

But sometimes the flipside—If they don’t do it in Italy, neither will we—proved something of a millstone.

One instance of the flipside came in the form of refusing to accommodate a growing demand for nonfat lattes. For one thing, Schultz didn’t like how nonfat lattes tasted. For another, and more important, no self-respecting Italian barista would serve a nonfat latte, so neither would Starbucks. The issue mushroomed into one of the company’s most heated internal debates. What eventually brought Schultz to his senses was seeing, first-hand, a customer abandon Starbucks for a competitor rather than drink what Schultz thought she should drink. Americans, it seems, don’t always care how it’s done in Italy. And they for sure don’t care whether Schultz agrees with their taste.

Another instance of brand-as-millstone came courtesy of Schultz’s nose. Besides lattes, there was growing demand for sandwiches in coffee houses. Schultz would have none of it. When nostrils walked into Starbucks, he wanted them filled with the rich aroma of fresh-roasted coffee, not cold cuts. Besides—you guessed it—you wouldn’t smell cold cuts in an Italian coffee house, so therefore you won’t smell them at Starbucks, either. Once again, consumers followed their tastes instead of Schultz’s. Perhaps you’ve noticed: Now you can order sandwiches at Starbucks.

There’s a lesson in both anecdotes. Before rejecting a new idea or clinging to an old one, it’s wise to find out what the market cares about. “Because it’s our brand” makes for good guiding principles but lousy ironclad rules.

Sticking to brand values because they’re brand values can be mindlessly circular, tantamount to saying “We do things this way because this is the way we do things.” That’s not brand commitment. It’s stubbornness.


*As I have harped in this blog before, a brand is the experience you deliver. Things like a logo, look, and slogan are not the brand, but brand trappings. Their job is not to be the experience, but to symbolize it.



Silver lining behind
the Equifax hack

Oops.

PERHAPS YOU HEARD: Equifax was hacked on September 7.

There are some who would reassure us by pointing out that 143 million accounts is less than half the number of MySpace accounts and less than one-third the number of Yahoo accounts that were hacked.

I have two reactions.

My first reaction is that would-be reassurers could do with a lesson in false equivalency. Greater numbers don’t necessarily make lesser ones okay; there were more hacked accounts than there are American households, so you should assume your data is compromised; and names, addresses, SSNs, credit card numbers, and driver’s license numbers are a good deal more than what bad guys typically obtain from social media accounts.

My second reaction is, MySpace is still around?

For financial institutions, the breach can be a bad thing with a silver lining. I can sum up the bad-thing part with three words: “Shaken consumer confidence.” The silver-lining part comes in the form of a marketing opportunity. Clients like being leveled with. They like information. And they like being empowered to keep themselves safe. Supplying useful information will do all of the above. Better still if your competitors remain silent, which I bet most will, for you will brand yourselves as the confident, trustworthy ones, the people with nothing to hide.

In short, the foolish thing to do in the wake of the Equifax breach is to be silent and hope clients didn’t hear about it. Trust me, they heard. The smart thing to do is to provide prompt, thorough information about what the breach entailed, how it happened, how clients can check for free to see if they have been compromised, and, most important, what they can do right now to protect themselves. (This piece from USA Today can provide you a good starting point.) If you have generous policies that protect clients, this is a great time to reiterate them. You should do so even if competitors offer similar protections, since your clients may not know they do.

This is not the time to send out impenetrable copy. I apologize if that came across as tactless. Here, let me try it again, this time with more tact:

FOR HEAVEN’S SAKE, DON’T LET ATTORNEYS OR COMPLIANCE WRITE THE DARNED THING.

Of course you have little choice but to let them review it—you would be unwise not to—but don’t let them rewrite or edit. Ask them to explain their concerns until you understand them well enough to repeat them back in plain, real-person English. You know you’re good to go when they roll their eyes and say, “Yes, that’s correct, but it doesn’t sound very professional.” Then put your best copywriter on it. Time’s a-wasting.
