Unveiling the 6 Hidden Threats to Your Customer Experience
It’s so easy for a promising relationship to turn sour. Imagine your business has just finished negotiating terms with a new customer. All that’s left is a routine review and approval process, and the contract will be ready to sign by the end of the week—or so you thought. Instead, a leaked image of the contract surfaces out of nowhere on a social media site, exposing sensitive data about both companies. The customer is embarrassed and furious, and so is the sales team. Your company’s reputation takes a hit as competitors tee off on your lapse. Meanwhile, you’ve got just four days to report the leak to the SEC to avoid a compliance violation—and you’re still trying to figure out exactly what went wrong.
Conversations about customer experience tend to focus on things like speed, convenience, personalization and ease of use. These are all critical factors, of course, but on a fundamental level, it’s hard to think of a worse experience than having your sensitive business information compromised. From a simple error by a careless employee to a cyberattack or fraud scheme by a bad actor, there are all too many ways for a hidden threat to trigger a customer experience blowup.
With CIOs playing a growing role in customer experience, it’s critical for IT and security leaders to plug gaps that can put valuable customer data and proprietary information at risk. That includes ensuring that contracts, term sheets, memorandums of understanding (MOU), nondisclosure agreements (NDAs) and other documents remain secure and controlled from beginning to end of the customer agreement journey.
Read on to learn about six hidden threats that can put your customer experience at risk—and what you can do about them.
1. Document sprawl
From business systems, shared folders and local hard drives to BYOD laptops and mobile devices, documents are everywhere these days. The more places employees have to store things, the harder it becomes to maintain control and prevent security gaps. It’s also more likely that employees will take nonsecure shortcuts to move documents around or make them accessible in different ways. It’s no surprise that data leakage is by far the top IT concern around BYOD.
In the example at the start of this blog, a member of the negotiating team used his personal smartphone to take a photo of the contract and email it to his personal account for future reference—but an autofill error misdirected it to a mischievous acquaintance outside the company. It’s a silly mistake to have such serious consequences, but that’s the kind of risk that comes with a Wild West document environment.
What you can do: As with any security issue, employee training is critical. People need to understand the consequences of careless document handling and how to avoid them. And as with any security issue, employee training alone isn’t enough. To build guardrails into your agreement processes, take a centralized approach to management and security, and automate the way documents are classified and stored. To avoid nonsecure workarounds, make sure people have convenient IT-approved ways to access the documents they need.
2. Human error
It’s worth calling out the kind of human error mentioned above as its own distinct category of risk. In fact, 74 percent of breaches involve the human element. Misdirected sharing is a classic pitfall for data security, as people attach the wrong files to emails, address emailed files to the wrong recipients (or reply-all by mistake), misconfigure access rights for shared folders and so on.
What you can do: Review your processes, policies, and procedures around document sharing to identify potential weak points. For sensitive documents like agreements, email sharing should be out of the question. It’s not enough to make a rule; employees need to be given an alternative that’s at least as convenient and simple to use. Document workflows should incorporate secure sharing platforms with built-in access controls to ensure that files can’t go astray, and that unauthorized users never gain access to documents they shouldn’t see.
It’s a golden age for fraudsters. Digital fraud has surged 80 percent from pre-pandemic levels—including a 122 percent jump in the U.S.—and more than half of all organizations were hit by fraud in the past two years. As customer demand for omni-channel experiences makes remote signing more common, organizations have to make sure their methods for authentication, account opening, customer onboarding and other identity-centric processes don’t offer new vectors for exploitation. How can you be sure that the right person is signing your agreement when they’re across town or on the other side of the world?
What you can do: As you address the threat of fraud, it’s important to balance security with customer experience. Identify verification needs to be as fast and seamless as possible and tailored to the level of risk of the transaction itself. An ID verification tool can enable measures from lower-level checks like SMS access codes or knowledge-based questions to higher-level checks like uploading a photo ID or European eID credential. At the highest level, liveness detection offers protection against 3D masks, deepfakes and other advanced fraud tactics.
4. Third-party risks
All the security measures in the world can’t help your business if your vendors aren’t following best practices. With over two-thirds of businesses, including 78 percent of enterprises, planning to accelerate their use of external services, third-party risk is a critical priority. How much do you know about the security policies of your providers for agreement storage and tools like CRM, BI, and document redlining? Do they rely on outdated systems? Are they in compliance with the latest standards for safe data handling?
What you can do: You can’t control what happens outside your own organization, but you can identify and mitigate the risk you’re accepting there. First, review your third-party processes to make sure you’re fully aware of how your agreements flow through external systems and which vendors are involved. Next, review the certifications held by these companies to make sure they comply with standards like ISO 27001:2013, SOC 1 and SOC 2, Payment Card Industry Security Standards Council (PCI SSC) and the Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR) program, as well as regulations like the FTC Safeguards Rule. Conduct similar reviews as part of your due diligence process before onboarding a new solution provider.
5. Insider threats
Not every internal threat is a malicious one. In many cases, employees simply make mistakes in the way they access or handle sensitive information, or they fall for a phishing attack that allows an attacker into your environment. On the other hand, bad actors can be found in any organization, using their familiarity and credentials to wreak havoc. Taken together, insider threat incidents have risen 44 percent over the past two years, with costs per incident up more than a third to $15.38 million.
What you can do: Phishing is already a key focus for employee cybersecurity training, as it should be. It’s also important to educate your customers to make sure they don’t fall for phishing attacks using spoofed addresses from your own domain. More broadly, zero trust principles such as least privilege access, continuous authentication and authorization, and end-to-end visibility and monitoring can help you detect anomalous or suspect behavior in real time and move quickly to limit its impact whether it originates inside or outside your organization.
6. Outdated compliance
As regulations proliferate from the FTC, industry groups, and jurisdictions around the world, the risk of a compliance lapse is a constant threat. That’s especially true when agreements inadvertently include outdated verbiage that builds risk into an ongoing relationship. Even when the error is caught—hopefully by you or the customer, not a regulator—fixing it requires reopening a process that was supposed to be final, frustrating the customer and creating a poor impression of your own team.
What you can do: It’s easy to overlook compliance risk when you’ve focusing on the more substantive elements of an agreement. That makes it all the more important to have tight review processes in place. AI-powered tools can automatically identify and highlight key language on compliance as well as other terms to ensure that reviewers don’t miss anything important hiding in the details.
Build risk management into your agreement lifecycle
With so many potential threats against the data in your agreements, it takes a holistic approach to ensure a customer experience that ensures security without sacrificing speed and convenience. DocuSign solutions can help you streamline and automate processes throughout your agreement lifecycle while providing the visibility and control to help prevent data leaks and breaches.
DocuSign integrations and APIs ease fragmentation and enable centralized management. Advanced workflows reduce human error, increase control, and eliminate the temptation for employees to find their own non-secure shortcuts. ID verification capabilities counter fraud with fast, convenient ways to prove that documents signers are who they say they are. AI and analytics reduce risk with automated analysis of contract language. MFA, SSO and access management controls keep your entire DocuSign environment secure. Built on enterprise-grade certifications and standards as detailed at the DocuSign Trust Center, all DocuSign solutions meet the highest industry and government benchmarks for security and data protection.
The best customer experience is one that’s as secure as it is convenient. To learn more about addressing the hidden threats in your customer experience, check out our eBook, 12 Questions to Evaluate the Security of Your Digital Agreements.