The Equifax breach has brought security into the spotlight again. As human-centered user advocates, we have a mandate to think not about allaying the fears our users have now, but about reinforcing and supporting good habits and choices when people have forgotten about Equifax.
Equifax, one of three major credit bureaus trusted to measure the creditworthiness of American consumers, had been hacked. Something like half of all consumers in the U.S. are affected. Equifax’s CEO Richard Smith is out. Elizabeth Warren is proposing new legislation. Consumers are putting freezes on their credit, and consumer lending demand is down. Surely, a failure this big and this public will finally create a watershed and companies will fix the problem, right?
Not likely. Industry is not going to fix the problem – there’s no carrot, and the stick is not big enough. Fines will be paid by insurance. Also remember there is a whole industry built around devising—and selling—products and services to combat and recover from identity theft. According to the 2017 State of Privacy and Security Awareness Report, 70% of employees lack understanding of security practices, putting their firms’ customers at risk – and that’s after years of mandatory – often legislated – training. One thing’s for sure—it’s not going to stop with Equifax.
The only real “skin in the game” belongs to consumers. Unfortunately, consumers have short memories and security threats are chronic, not acute. After a security breach, there are no flattened buildings or flooded streets. Essentially, nothing happens right away. The real effects are delayed and spread out, a fraudulent loan opened here, an account take-over there. The consumer economy won’t burn down, but it will be weakened as trust in digital security continues to suffer the effects for years and perhaps decades.
As a result, the immediate actions consumers take to protect themselves are ultimately undone by time. Credit freezes get lifted. “Free” credit monitoring agreements expire (or are cancelled when the fees kick in). Already, people are taking this in stride: “It’s just another data breach, these happen all the time.” When there is no clear event of mass identity theft and fraud (and there won’t be) people will go back to old habits, and that’s when the real harm will be done.
Human behavior is hard to change, but it is easy to reinforce, and even easier to leverage. In their book Nudge, Cass Sunstein and Richard Thaler discuss how to make the right choice also the easiest choice. As experience designers, it’s up to us to provide those nudges and to turn users’ natural tendencies to their advantage.
Alerts and notifications should be automatic, not “opt-in.” Multi-factor authentication should be standard, not extra. Whenever possible, the more secure choice should be the default.
Password authentication can only be so effective. As designers, we need to devise ways to employ more effective means without adding burden to users. Biometrics, context-based authentication (such as location or time of day, etc.) and device-based security can be implemented invisibly.
As our understanding of the threats and customer behavior patterns grows, we need to evolve what represents “good practices.” Take password complexity—password restrictions designed to make passwords “complex” have been shown to create more frustration than actual security, especially when they cause users to turn to workarounds. Knowing this, we continue to see them used on countless sites.
Security is a constant concern, not a need that rises and falls with perceived threat level. Experiences must leverage the right time and manner to make the “nudges” that keep users safe. Onboarding, registration, and account opening flows are not the only opportunities. The entire customer journey includes coachable and teachable moments.
It is up to product and experience designers to make protecting your security easier than neglecting it. The old idea that security and experience are at odds needs to go away. The goal is to elevate both so that a good experience is convenient, usable, enjoyable—and secure.