Human-centered design to combat cyber threats

COVID-19 isn’t the only virus we have to worry about.

7 min read · Jul 23, 2020

Lately, it seems like COVID-19 is the only virus in existence. Yet, the COVID-19 era has caused more people to spend time and money online, creating a perfect environment for digital viruses to spread.

[Infographic: 300% increase in reported cyber crimes; online threats and phishing attempts 6x higher; 148% increase in ransomware. Design vectors created by macrovector. Data source: Amount, FBI.]

Cyber security threats are almost like their own virus. You can’t quite see them, but you know they are lingering in your surroundings.

Maybe you notice some symptoms:

  • New programs that you did not install appear.
  • The computer slows down.
  • Strange pop-up ads appear on the screen.
  • You lose control of your mouse or keyboard.

If you experience any of these symptoms, you’ve caught a cyber virus and need to seek immediate attention. Your personal or financial information may have been compromised.

Digital Opportunity Leads to Digital Threats

Fintech, Banking, and Payments

[Animation: Newton’s Third Law]

“For every action there is an equal and opposite reaction.”

— Isaac Newton

According to Adam Hughes, the CEO of Amount, cybersecurity crimes are crimes of opportunity. The same digital shift that is making it easier to launch a start-up is making it easier for data breaches to occur.

Banking

Action

Companies have been scrambling to get set up online.

The expansion of banks into the digital realm has been a long time coming. Coming from someone who worked at a big, traditional bank for almost two years, I can tell you banks are among the most resistant to change. Before COVID-19, most banks did not have the capability to bring all of their workforce and processes online. But they had to do it, and quickly. They took on third-party fintech companies (such as Amount and AWS) to help set up resilient systems. While this is a big, positive step for the industry, it has also left it vulnerable to many threats.

Reaction

Hackers are capitalizing on the workforce’s online shift to try and hack systems while they are new and weak.

Before COVID-19, only 29% of the workforce was able to work from home. Much of banking is built on rigid, legacy systems which are not cloud-based, which makes it much more difficult to transition to working from home. With such a rapid shift to remote work, bad actors are capitalizing on the vulnerabilities and security gaps that come with it. According to Amias Gerety, Partner at QED Investors, when banks and fintechs move urgently to roll out PPP (Paycheck Protection Program) loans and business continuity, they increase the cybersecurity threat surface area and risk creating micro-tears. Hackers that used to impersonate individuals asking for loans have now been impersonating small businesses asking for small PPP loans.

The typical American financial services firm is attacked nearly 1 billion times per year. Financial services firms fall victim to cybersecurity attacks 300x more frequently than businesses in any other industry.

Payments

Action

Transactions are moving away from a cash-based system.

As businesses move online and 99% of the population isolates at home, e-commerce and e-payments have skyrocketed. Even many businesses that remained open have moved to a “cash-free” model, given the connotation that money is “dirty” and covered with germs. Curbside pick-up and local delivery, where you pay in advance through a mobile or desktop application, is another trend that has reduced the need for cash payments.

Fintechs that provide cash-free payment services, such as PayPal and Square, were among the beneficiaries of this trend. PayPal added 7.4 million net new active accounts in April of this year, a 135% increase from the same time last year. Square reported that in March, Cash App added its largest number of net-new transacting active customers, benefiting from significant shifts in consumer behavior.

Reaction

Hackers are targeting cash apps.

Once again, this has provided a new arena for hackers to attack. The more comfortable people become using and transferring money online, the more likely they are to interact with a hacker without even knowing it. A recent PayPal scam that has been occurring goes like this:

“I just sold something online and need to get paid, but something is wrong with my PayPal. Can you help me out? They’ll send you the money on PayPal, then you can send it to my bank account.” — Hacker

[Image: the hacker’s strategy for getting the victim’s money: hacking into a Facebook account and asking the victim’s friends to send money. Source: CyberNews]

An interesting trend here is that a lot of these hackers are turning to social media accounts, which are easier to hack than a financial account. If a hacker impersonates a friend or public figure, they are able to act as a wolf in sheep’s clothing and get your trust. This was also the case in the recent Bitcoin incident.

Bitcoin Twitter Hack

Hackers are getting smarter and quieter, and the centralization of social media is allowing attacks to scale. A recent example is the July 15th high-profile Bitcoin incident, in which the Twitter accounts of Barack Obama, Joe Biden, Elon Musk, Kim Kardashian, and Apple were hijacked to post bitcoin scam links.

[Image: Obama’s hijacked account tweeting that he will double your bitcoin if you send it to him. Source: Twitter]

Later Wednesday evening, Twitter announced that it had detected “what we believe to be a coordinated attack by people who successfully targeted some of our employees with access to internal systems and tools.”

Although you would think people wouldn’t fall for something like this, they do. When it comes to money, many act on their feelings rather than logic, distracted by a false promise of quick wealth. A total of $123,000 worth of BTC was sent in approximately 400 transactions.

Luckily, there is good news. Coinbase and other cryptocurrency exchanges were able to stop 1,000 customers from sending around $280,000 worth of bitcoin to the hackers by blacklisting the hackers’ wallet address. This helps explain why the amount stolen was so small for such a large cyber attack.

This successful intervention shows there are ways to protect ourselves from cyber criminals.

What Can Be Done

Bring in the UX Designer

Humans are not machines — they make mistakes. In fact, the biggest cybersecurity risk for US companies is employee negligence.

[Infographic: 30% of employees regularly update passwords; 14% encrypt online communication; 47% of breaches are caused by human error. Sources: PwC, CNBC, McKinsey]

Where there is human error, there is opportunity for UX.

Why are employees so reluctant to comply with security measures? It’s not that they are stupid, but that security measures are generally not designed with the user experience in mind. In fact, tight security requirements often lead to a worse user experience:

  • Blocking certain websites the employee enjoys or even needs for work, resulting in a restricted feeling.
  • Constantly being locked out of accounts preemptively and having to go through time-consuming authentication processes.
  • Having to lug around “hard tokens”, locks, or other security equipment.

What’s worse is that all of these things may result in the employee feeling a sense of resentment towards the employer. They may think things like:

“They don’t care about me. They treat me like I’m a machine. This is too much to keep track of!”

“I work so hard for them but they won’t let me have any fun on Twitter or Youtube for 10 minutes. What’s the big deal?”

Resentful employees are even less likely to comply with security measures, as they become willing to risk their company’s security. This is why the user experience is vital to cybersecurity. The strongest, most resilient cybersecurity system only fully works when employees comply with it.

It is in fact a paradox to remove the user experience from cybersecurity.

Here are some guidelines for cybersecurity UX design that may help combat this problem.

  1. Take extra measures to improve the user experience where it has been compromised for the sake of security. Where secure measures have been put into place that are detrimental to the user experience, make sure to make up for it. Don’t stop after “secure” until the user is fully on board.
  2. Communicate the issue or process to the employee in simple, friendly words. Cybersecurity is a very technical area, and is often communicated to employees in complex ways. Keep in mind employees are also dealing with cognitive fatigue from their primary job responsibilities, and tend to put cybersecurity tasks on the back-burner.
  3. Ask for employee feedback and take it seriously. When dealing with paying customers, companies are willing to listen to their needs and make improvements. The same approach should be taken with employees, as they are also vital stakeholders. Cyber breaches could be a big cost to the company, so this is actually in the company’s best interest.
  4. Build a resilient cybersecurity system and train employees on it — in the beginning. Once a rigid system is in place, it is very difficult to refactor it for cybersecurity. Similarly, the longer an employee has been at a company, the more resistant they are to change. If cybersecurity is part of the upfront expectations, you are less likely to run into problems later.

Hindsight is, like the year, 2020. All we can do is learn from these changing threats and continue to adapt. The good news is, we are not helpless — there is much we can do.

But it’s about time user experience gets a seat at the table.

Thank you for reading. For more design rambles and thoughts, follow @alexandragrows on Twitter. Or check out her website, here.

Written by Alexandra Grochowski

product designer. lover of oxymorons.

No responses yet