Mobile security perceptions don’t approach reality. And that’s a problem.

In general, security vendors love consumer surveys where consumers say that they would never, ever, ever do business with a retailer or a bank with poor security practices. But consumers have historically been terrible predictors of their own behavior, and they also tend to tell retailers and banks what they want to hear, rather than the truth.

And the truth, based on the public financial filings of plenty of companies that have suffered public data breaches, is that consumers — partially thanks to zero liability programs from the payment card companies — tend to not change retailers or banks when such data breaches happen. Why? Quite a few reasons. First, zero liability sees to it that they don’t lose any money (it actually limits losses to $50, but almost no business enforces that, and they tend to simply eat all of the consumer losses). If consumers lost large amounts of money from breached retailers or banks, yes, they’d flee, but that doesn’t happen.

Then you have the reality that consumers often don’t read about these breaches and, even if they do, they tend to not care. If a store is offering a product or service that they want and the price is good, they are not going to abandon that retailer because of a data breach nine months ago that didn’t end up impacting the consumer. As for the consumer lying to a survey, that’s simply a case of sending the message they want to send. Those consumers want the retailers/banks to protect their money, so they’ll gleefully check off the box that says “I’ll abandon a retailer that doesn’t have great security” because, well, why not? It doesn’t obligate them to do anything.

I bring this up because of a pair of surveys that hit my desk this week. Identity vendor Ekata reported that “91 percent will not use a platform again if they are a victim of fraud.” Not true. Assuming the survey is accurate, it merely means that the overwhelming majority of consumers will say this when filling out a survey, not that they will indeed abandon that platform. That’s vendor wishful thinking.

Tip for any CISO/CSO or IT leaders who are being pitched by a security vendor that makes a claim that consumers will abandon retailers or banks (payment card processors and card brands are a different case): Ask the sales rep to name any publicly held retailer or bank that has been breached and then suffered a statistically significant number of customer departures. Then hit the SEC database, look up that business’s quarterly filings and see if it reported any breach-related losses. You won’t find any. It’s an argument that works in surveys but not in the real world.

Part of this is because of departure friction. The simple truth is that it’s a hassle to change banks — and the more services the consumer uses, the harder it is to leave — and a pain to switch retailers (because the customer most probably likes the merchandise and the pricing and convenience or else wouldn’t be a repeat, longtime customer). I make an exception for Visa and Mastercard because there is little to no friction switching from one to the other. And major processors lose money when breached because it’s other businesses — not consumers — that abandon them.

Copyright © 2019 IDG Communications, Inc.
