The fine line between security best practices and annoying your customers

annoying security
Image credit: Lisa S. /

We spend a lot of time talking about cyber security, hacking and malware here at Disruptive.Asia. And so we should – it is one of the issues of our age.

Generally we do it from the “something must be done about it, where is everyone” point of view.

It is interesting to see the other side of the coin. The fact that companies can put in place draconian measures has to be balanced with customers being put off by too much security, too many password changes and a return to a grey and institutionalized past.

Last week, I took a break from Scotland and went to Tenerife for a week. During my time there, I posted pictures on Facebook of me having a great time in the sun (#annoying) and Facebook encouraged me to ‘check in’ every time I looked at my timeline. I apologize for being a Facebook user, having been rude about them on a daily basis for the last two years, but it is a good platform for us old people to keep in touch with old friends that are real friends from long ago.

On my return to Scotland, I checked Facebook and I had a message that said my account had been temporarily locked, and that I should “click continue to find out why”. Apparently someone from Smolensk had tried to access my account three hours earlier. It even gave me the IP address of the person who had tried. It then asked, “Was this you? If yes, click here, if no click here”. I clicked “no”. It then invited me to reset my password.

As my thumb hovered over the “enter current password” line, I stopped.

If someone could access my account from Smolensk (or anywhere, really), could said person put up a fake Facebook page that conned me into giving them my current, and then new, passwords? It looked genuine, but one thing we know about hackers nowadays is that they are clever people and they con a lot of people.

I went onto Facebook’s FAQ section using another device, and found, well, not a lot about this particular scenario. There was plenty about extremism, money laundering, grooming and other unsavory activities, but nothing about this.

After a while, I decided to risk it, and it turned out to be genuine, and that someone from Smolensk had indeed tried to hack my account, and Facebook had stopped them.

So now I can, again, while away the evenings looking at pictures of old friends’ babies playing with the cat, other friends children riding their ponies and who knows what.

Facebook is, of course, not the only company juggling this dilemma. I received a “Your bill is available to view” email from British Gas, who – for some reason – provide my electricity. It looked OK, except there was a surprisingly large gap at the bottom of the email, and there seemed to be a lot of links to ‘my account’, all in bold, as if compelling me to click. I left it unopened and consigned it to cyber heaven (or is it hell?).

BT is the same, and I would imagine that Libby Barr, the Director of Customer Service, must live in fear of someone being hacked using one of the many spoof emails from BT that are ‘signed’ by her.

Some companies do have good ideas, though. I like the email from PayPal (who can do no wrong at the moment) that says I will never receive an email from them that does not include my whole name. So, whenever I get an invitation to check my account from PayPal that just says “Dear A” I consign it to cyber heaven without a thought.

I am also becoming better educated, knowing that no company will actually ask me for my password. I know that if I do think something is suspicious, I go to the real site via another browser and see if we can find ‘the offer’ or the ‘suspicious activity’ via alternative routes.

All in all, while we pontificate about security, we must spare a thought for companies that are trying to find the balance between security and irritation. It is not easy.

Be the first to comment

What do you think?

This site uses Akismet to reduce spam. Learn how your comment data is processed.