The secret ingredient of end user security

Cyber attacks are so commonplace these days that it helps to have your end users on your side. You can achieve this by treating them like human beings and clearly communicating the dangers to them.

A few days ago I received an email from my bank aimed at improving end user security.

The email used clear and simple language to explain that they’d soon be introducing a new device verification process to keep my account secure.

This, it turns out, was in response to a phishing attempt that had affected some users. Bad actors were using the bank’s name as a keyword in an ad campaign in the hope that people would click on the link in that ad. Those who did were then taken to a fraudulent page where their credentials were stolen.        

At the end of the email were some tips to keep my account secure, including a personal favorite of ours here at Licel: 

Be constantly vigilant. 

While it wasn’t the first email like this that I’d come across - most banks are trying to educate their end users in some way - this one felt particularly effective. 

The tone was just right. The bank didn’t hide the day-to-day dangers end users like me face. Instead they respected that I’d be able to absorb the information and take the appropriate action. 

What I liked best, though, was that the bank didn’t communicate in a robotic way.

Speaking to your end user like a human being rather than a robot might sound like an obvious piece of advice to give. But it’s amazing how often jargon-laden, robot-friendly language is employed. 

It’s as if somewhere along the road toward developing an application - with all the little stresses that pop up - the end user can get forgotten. They can become something of an afterthought. A member of the supporting cast instead of the protagonist. 

And this minor role is then reflected in the communications they receive.    

The irony here is that it should be pretty easy for all of us to empathize with end users given that we’re all end users ourselves. 

You might have had that feeling yourself in the pit of your stomach when, in a moment of distraction, you click on a link that you thought was genuine. Perhaps you’ve experienced the growing anxiety that comes from knowing deep down that the UI in your mobile banking app looked ever so slightly different today compared to how it normally looks.

These are important feelings to remember during the development process and beyond because they act as reminders that you’re not designing an app for a robot. You’re designing an app for an emotional human being. Someone who might use your app after a fight with her boyfriend, after a difficult conversation with her boss, or simply at the same time as she tries to complete today’s Wordle.

In a lot of classic adventure books and movies - think Star Wars or Lord of the Rings - we follow the protagonist along a now familiar path.

At the start of the story they’re living a fairly ordinary life. Then, something or someone calls them to begin a journey. They often meet a mentor character who explains the true meaning of the quest and helps them to be better prepared for the challenges and temptations they’ll encounter along the way. Then, when everything seems to be going well, our protagonist suffers an enormous setback. This results in a transformation in their mindset and a renewed determination to see the mission through to the end, however traumatic it may be. Finally, they return home triumphant to the adulation of those who might earlier have doubted them. 

This format is often referred to as the hero’s journey. 

It’s still a winning formula for adventure books and movies to this day. But it’s also taught in marketing and business classes as a way of seeing your customer (or end user). 

When you’ve created something, be it a product, service, or application, the temptation is to see your company as the hero of the story. But actually the hero should be the person who benefits from what you’ve created. 

The role you should play in this story isn’t Luke Skywalker or Frodo Baggins. 

It’s Yoda or Gandalf.

The role of the mentor character in these classic tales is to equip the protagonist with all the knowledge and skills they’ll need to fulfil their quest. 

They don’t sugarcoat the journey the protagonist is about to set out on. They’re quite open and speak simply and clearly (well, not quite as clearly in Yoda’s case!) about the perils that await them.

This is the best strategy for you to employ when it comes to communicating with your end users to improve their security. 

There’s sometimes a reluctance for businesses to even mention cyber attacks to their end users. Almost as if the act of doing so might reflect badly on them for admitting that an attack is even a possibility. But this way of thinking is flawed. The modern consumer appreciates honesty and openness from the businesses they choose to buy - or download apps - from. 

At the start of this article I used the example of an email my bank sent to me in which they were totally honest about attacks designed to trick customers like me. They even admitted that attackers had managed to access some end users’ accounts to commit fraud and that they were currently in touch with those customers.

I doubt I’m alone in feeling more trusting of the bank after reading than I was before. 

End user education is powerful because, done right, it can empower end users. It can make them feel like allies in the wider battle to stop cybercrime.

So, what kind of things should you teach your end users?

The email I received is a great example of the type of comms you can share with end users to make their experience with your app more secure. 

It’s also a good idea to be clear with them about the ways in which you’ll get in touch. The last few years have seen a big spike in the number of successful phishing attacks. The covid pandemic was a particularly fruitful time for bad actors as they were able to exploit wider anxieties people felt as well as a reliance people had on authoritative voices. 

But phishing attacks haven’t gone away. If anything, social engineering is getting even more sophisticated. 

You can help your end users to avoid falling victim simply by making them aware of the ways you would never contact them. In the milliseconds it takes for someone to open a bogus text message and click on a link, your helpful email might pop into their mind and make them think twice and question the validity of the message.      

You can also educate your end users about how your app works and the type of personally-identifiable information it processes. Not to mention security best practices they should be aware of while using the app.

OWASP has a helpful guide of the ways you should manage sensitive user data which is definitely worth referencing. Because as we’ve said a few times on this site, educating your end user can appear quite hollow if you don’t also work hard to protect your application. One of OWASP’s MASVS requirements - MSTG-STORAGE-12 - states that mobile apps must be transparent about the user data they collect and share, without exceptions. 

The key word here is transparent. Your end users value and increasingly expect transparency. They’re generally much more knowledgeable about privacy issues these days. And that means they’re more likely to want to know how their data is being used.

This reality helps to explain why Google has invested so much time in educating developers to be clear about how they handle user data.    

Yet from our experience, this is still an area developers are likely to overlook on the journey toward verifying their app for security issues.

Technology evolves so quickly these days that most of the time we barely even notice. But sometimes it can all feel a bit too much. The constant churn of information flying across screens and demanding our attention is the ideal environment for bad actors who set out to trick us. 

After all, human beings haven’t changed all that much in millenia. Our brains are pretty much the same as those of our ancient ancestors. And yet ours are expected to process about a thousand times as much information on a daily basis. It’s little wonder, then, that we occasionally make the odd mistake and click on something we shouldn’t.  

But this reality is rarely recognized or talked about.  

Having empathy for your end users is absolutely essential if you want to set your company apart from your competitors. By acknowledging the strangeness of the world we live in, you can show your end users that you care. And by doing so you can build trust with them. 

Remember, your end users already know that there are dangers lurking in the shadows. What they’re waiting for is somebody to shine a light to keep them safe.