Securing Your Digital Future: Cyber Trust As Competitive Advantage

Justin Somaini and Dan Wellers

The accepted wisdom in the cybersecurity field today is that there are two types of companies in the world: those that know they’ve been hacked, and those that don’t.

No enterprise is immune from cyber threats, and the list of big, scary data breaches continues to grow. The vast majority of companies in Europe (92 percent) have been hacked in the last five years, according to a recent survey by specialty insurer Lloyd’s of London. The average total cost of a breach is $4 million, according to a 2016 study by the Ponemon Institute.

Yet, categorized as risk to avoid rather than opportunity to pursue, cybersecurity has never been a terribly sexy topic in the C-suite. It’s an added expense—and one that slows down efforts to leap ahead technologically. The significant attention it receives tends to be of the negative variety when things go horribly wrong. Even as companies have embarked on their digital transformation efforts, security has remained an afterthought—tacked on after a big new investment in advanced analytics, cognitive systems, or Internet of Things (IoT) technology. Very soon, however, that reactive approach will seem antiquated.

A coming mind shift

Spending on IT security has been increasing in the last two years, even as overall technology budgets have been decreasing, according to 2016 report by the SANS Institute. But it’s not just a lift in spending that’s called for, but also shift in thinking.

In today’s age of rapidly developing transformational technologies, keeping on top of emerging security and privacy threats is more challenging—and more critical—than ever before. As companies collaborate with a wider network of partners and meet new demands for 24/7 operations and greater transparency with customers, cyber security risks multiply. The scope, scale, and impact of cyber attacks will grow in concert with increasing digitization:

  • 4.2 billion records were exposed in more than 4,000 known data breaches in 2016, according to Risk Based Security.
  • Cyber insurance premiums could increase tenfold to $20 billion annually by 2025, according to Marsh & McLellan.
  • The cost of data breaches will reach $2.1 trillion globally by 2019—nearly four times the estimated cost of breaches in 2015, according to Juniper Research.
  • Cyber attacks could cost the world up to $90 trillion in net economic benefit by 2030 if cyber security doesn’t keep pace with growing interconnectedness, according to a study published by the Atlantic Council and the Zurich Insurance Group
  • Cyber risk is expanding beyond the virtual world to the physical one. Hackers used highly destructive malware to bring down three Ukranian power distribution companies in 2016, for example, cutting power to 80,000 people.
  • The expanding universe of Internet of Things devices is particularly vulnerable to exploitation as companies may not update them after installation and many devices are not able to receive security update patches, according to AIG. In fact, an IoT hack took down Amazon, Twitter, Netflix, and other major sites in October 2016.
  • Connected devices pose particular concern in healthcare, an industry that already faces 340 percent more cyberattacks than the average industry and that fails to monitor 75 percent of hospital network traffic, according to a report from Raytheon and WebSense Security Labs.
  • Cyberattacks are one of the top ten global risks of highest concern for the next decade, right alongside such threats as water and food crises, natural catastrophes, social instability, and national governance failures, according to the World Economic Forum.

Just a third of companies today are sufficiently prepared to prevent a worst-case attack, according to Oliver Wyman and only a quarter currently treat cyber risk as a significant corporate risk. But as cyber risk expands and the attacks result not only in financial and reputational damage but also in physical destruction, danger, or loss of life, trust will become a competitive advantage. Therefore, those companies and organizations that want to dominate their markets will approach security as a strategic investment, proactively embedding cybersecurity strategy into business strategy.

As companies continue their digital transformations, they need to adopt more flexible and ubiquitous cyber defense measures to meet the more extreme threats they will face. Failing to do so risks unanticipated costs, operational shutdowns, reputational damage, and legal consequences.

A zero-trust approach

Unfortunately, there is no off-the-shelf solution to manage the entirety of a company’s cyber risk. As companies continue to introduce more digital innovations, they must continuously adopt and adapt cyber security measures commensurate with the growing threats they’ll face.

In a global economy, security can only be as good as the regulations, compliance, and enforcement in the countries where an organization operates—and those vary wildly around the world. What’s more, even when a company’s leaders take a more proactive approach to investing in cyber security protection and response, its partners and suppliers may not. Nearly 80 percent of companies fail to assess their customers and suppliers for cyber risk, according to a survey by Marsh & McLellan. And hackers certainly will be proactive about finding the weakest link in a value chain. Meanwhile, as enterprises adopt a growing legion of internet-connected devices and sensors, cyber security risk will be distributed even more widely.

Organizations must evolve from the attitude that perimeter security, achievable by firewalls or anti-virus protection, is enough. As interconnectivity and interdependency increases so too will the adoption of zero-trust networks. The zero-trust approach questions the assumption that a company can be made safe and sound within the confines of its own “secure” corporate network. Instead, a zero-trust approach places controls around data assets themselves and creates increased visibility into how they are used across a digital business ecosystem.

A new approach for a networked world

But, as SAP CEO Bill McDermott wrote to customers in 2016, “Information security is a journey without a destination. The security threat in the enterprise is relentless and multiplying, and the attackers are getting more sophisticated.” A zero-trust network is not enough. When the question is not if, but when, a significant breach will occur, how a company manages this inevitability becomes critical.

The key is to develop a robust approach to measuring, controlling, and responding to cyber risk. We recommend a three-pronged strategy to manage the threats in the expanding enterprise ecosystem:

  1. Prevent. This aspect of cyber security strategy remains as important as ever, and companies must evolve their preventative strategies, from their security policies and educational approaches to the actual access controls they put in place.
  1. Detect. In an evolving cyber threat environment, there is no foolproof prevention approach. Selecting and deploying appropriate intrusion detection systems for the timely detection and notification of compromises is critical.
  1. React. Detection is useless without a response. Companies that approach cyber security as a competitive advantage will put incident response plans in place in much the same way they would plan for recovery from a natural disaster.

Building trust, not walls

The Great Wall of China may have succeeded as an exercise in power or a feat of construction. But as a security strategy, it was a failure. Similarly a cyber security strategy focused on building strong enough borders around the company will fail. It’s impossible to keep all the bad guys out.

As more of a company’s data and its business processes become distributed, it’s cyber security strategy must become much more far-reaching. The good news is that even as digital technologies increase cyber security risk, they can also help mitigate it. Many cloud providers for example, are taking a more robust approach to security strategy that their customers might. New technologies like machine learning and big data analytics can strengthen security protections. Of course, the hackers can—and will—take advantage of these powerful technological advancements as well. Cyber risk experts will tell you the dark web is teeming with attack tools that enable hackers to take advantage of outdated security approaches and corporate vulnerabilities. They’ve been quick to take advantage of new automation tools in order to carry out more sophisticated and layered attacks on corporate and state assets.

Companies who embrace trust and security as competitive advantages will build security into their digital ecosystems at each layer:

  • Secure Products: Incorporating security into all applications, ensuring the protection of content and transactions.
  • Secure Operations: Investing in hardened systems, security patch management, security monitoring, end-to-end incident handling, and a comprehensive cloud operations security framework.
  • Secure Company: Creating a security-educated and aware workforce, end-to-end physical security of assets, and a comprehensive business continuity framework.

Forward-looking companies will follow these principles not only within their own organizations but expect them from their network of partners, supplier, and customers. The hackers of today and the future aren’t working alone and neither should the companies they’re targeting.

The risk of full-blown cyber catastrophes is real. The WEF has warned that large-scale cyber attacks could cause significant economic damage, geopolitical tensions, or widespread loss of trust in the Internet.

A report from the Atlantic Council and Zurich Insurance Group found as soon as 2018, there could be damage from massive cyber attacks equivalent to 1.5 percent of global GDP that is “certain to drastically increase risks and drag down net profits for companies that are most exposed to cyber-attacks..” The worst case scenario could result in a state of perpetual cyber crime and cyber warfare, increasingly vulnerable critical infrastructure, and losses of $90 trillion globally, according to the report.

A collaborative network approach will be critical to combatting such a persistent global threat with implications not just for corporate and personal data, but strategy, supply chains, products, and physical operations. Trust will be the most important currency in the digital future—one that companies will have to earn and work diligently to keep.

Read the executive brief The Future of Cybersecurity: Trust as Competitive Advantage.


Comments

Justin Somaini

About Justin Somaini

Justin Somaini heads the Global Security unit at SAP. With more than 17 years of information security experience, he is responsible for SAP’s overall security strategy, ensuring that SAP and our customers have a consistent and convenient security experience. In his role Justin develops, implements, and manages SAP’s overall policies, standards, and guidelines as well as ongoing SAP security initiatives to meet the emerging international IT and cyber security environments and data protection and privacy laws worldwide. Before joining SAP in 2015, Justin was Chief Trust Officer at Box, the world's leading enterprise software platform for content collaboration. Prior to Box, Justin held the role of Chief Information Security Officer (CISO) at Yahoo!, driving security planning and operations for the company. Prior to Yahoo!, he was CISO of Symantec. Justin holds a Bachelor's of Science degree in Management Information Systems from Drexel University, Philadelphia.

About Dan Wellers

Dan Wellers is founder and leader of Digital Futures at SAP, a strategic insights and thought leadership discipline that explores how digital technologies drive exponential change in business and society.

GRC: The Cornerstone Of High-Performing Finance

Joan Warner

CFOs today must think strategically. They must innovate. And they must work side-by-side with their fellow executives to keep their organization thriving in the face of new digital competition.

Yet despite this ever-expanding mandate, one responsibility remains a sacred trust for the finance function: a major stake in governance, risk, and compliance (GRC). Although the size of that stake varies by industry and company, more than two-thirds of finance executives consider optimizing risk and compliance management a top business goal, according to new research from Oxford Economic and SAP. In fact, 97% of the 1,500 finance executives we surveyed said finance has strong decision-making authority over risk monitoring and assessment at their company, and 93% said the same about ensuring compliance and enforcing policies.

It makes eminent sense that risk management should be foundational to finance. After all, what’s the point of investing resources to grow a business if at any moment an adverse event – whether internal or external – could wipe out your balance sheet or market cap? The CFOs we interviewed confirmed that when they report to the board of directors, GRC often takes center stage. “Enterprise risk management is first and foremost in their minds,” says Brian Stief, CFO of multinational Johnson Controls.

Finance leaders view risks more clearly

For this reason, a strong relationship between the finance function and GRC is a criterion for what we call “Finance Leadership” – a set of six finance practices that boost performance across the enterprise. For example, we found that finance leaders were almost twice as likely as non-leaders to report rising market share over the past year, and much less likely to struggle with cost control. It’s no coincidence that more than half of finance leaders described risk and compliance management at their organization as “very effective,” compared with only 38% of non-leaders. These companies encourage collaboration between their finance and GRC functions by ensuring that they can easily share standardized data and reporting, and that their business systems are integrated so they can communicate with each other.

Finance leaders also appear to have a clearer understanding of an increasingly widespread risk: cybercrime. As global ransomware attacks proliferate and data hacks threaten organizations of all types, cyber-risk management becomes a critical defense. Yet alarmingly, only 56% of our survey respondents named cybersecurity a top business risk facing their company in the next two years – suggesting a potential risk-management blind spot. Among finance leaders, awareness of cyber risk climbs significantly: Two-thirds cite it as a top risk to watch over the next two years.

To read the full study and learn about other ways finance leaders stay ahead of the pack, please click here.

Comments

Joan Warner

About Joan Warner

Joan Warner is managing editor and senior analyst for Financial Services at Oxford Economics. Joanie joined Oxford in February 2016 from The Financial Times, where she managed subsidiary publications covering the wealth management industry and corporate governance. Prior to that, she covered international finance and European business for BusinessWeek magazine, where she worked for nearly 20 years. Joanie was also a contributing editor at Institutional Investor and has written and edited reports for Morgan Stanley, McKinsey, PwC, and former hedge fund FrontPoint Partners. She holds an MA in Comparative Literature and a BA in Classics, both from Harvard University.

Another Global Ransomware Attack Highlights The Need For Comprehensive Cybersecurity

Lane Leskela

Here we go again! In the aftermath of the WannaCry ransomware attack in May, on June 27, a “copycat” entity identified as Petya/Not Petya perpetrated a ransomware-style worm that exploited the known Microsoft Windows vulnerabilities EternalBlue and DoublePulsar. The EternalBlue exploit is generally believed to have been developed by the U.S. National Security Agency (NSA) and was also used by the WannaCry ransomware. As with WannaCry, this attack also affected computer systems worldwide, quickly spreading to at least 60 countries. Several large businesses, transportation networks, public utilities, and government agencies in Europe and the United States were hit.

This attack was initially focused in Ukraine and Russia. ATMs at the National Bank of Ukraine were disabled across the country, and systems used to monitor radiation at the former Chernobyl nuclear power facility were interrupted. Rosneft, the largest oil company in Russia, was also attacked. Petya/NotPetya spread like WannaCry, hitting one of the world’s largest container shipping companies, Copenhagen-based A.P. Moller-Maersk, as well as WPP in London, one of the world’s largest advertising agencies, and entities in Spain and France.

Like WannaCry, Petya/NotPetya encrypted hard drives, and the message from the attackers demanded a ransom of $300 to be paid in the form of Bitcoin. The message read, “If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.”

Differences between WannaCry and Petya/NotPetya

Petya/NotPetya was more sophisticated than the WannaCry worm in its scope, resistance to neutralization, and range of targets. This attack spread rapidly within organizations using common IT administration tools, which are not recognized as malware by typical security defenses. The Petya/NotPetya worm appeared to have hit a third-party software vendor. Such approaches, which have historically involved targeted intrusions, now appear to have spread to the large-scale global malware attack spectrum.

Unlike WannaCry, unfortunately, there is apparently no “kill switch” embedded in Petya/NotPetya. Thus, the potential to recover lost data by paying the requested ransom is clearly in doubt. The low amount of the initial ransom (which falls in the WannaCry ransom request range) and the attackers’ inability to be contacted has caused confusion over the origin and purpose of the attack. It is still not clear whether state actors or freelance blackmailers (or a combination of both) are responsible. The fact remains that the only known method for retrieving the data encrypted by Petya/NotPetya is from a backup copy.

To date, most ransomware has been able to avoid detection because these strains are zero-day exploits unknown to signature-based antivirus software. Their creators research antivirus solutions to uncover the weaknesses they can exploit to avoid discovery. Ransomware distributors generally encrypt their software to help shield it from detection.

Recommendations for broader cybersecurity protections

Obsolete versions of Microsoft Windows continue to reveal their vulnerability to these attacks. Clearly, your organization should already have or should now be taking steps to update your Windows operating systems. If you cannot eliminate outdated, unpatched Windows systems, we recommend segmenting your networks to reduce the available attack surface.

Petya/NotPetya spread within organizations using the administrative tools Windows Management Instrumentation Command-line (WMIC) and PsExec. The exploitation of these and other common IT admin tools by attackers allows malware to move undetected within networks. Their use in a widespread, automated global attack is a fresh approach. This fact underscores the urgency of implementing threat detection and response solutions and leveraging trained cybersecurity staff and experienced partners to help identify and contain the Petya/NotPetya type of attack.

In addition, frequent backups and comprehensive system recovery plans will help sustain business continuity. Critical data and programs should be backed up in a manner that will enable rapid recovery, given the expectation that we’ll continue to see new forms and unknown sources of cyber attacks. This holds true across the spectrum of cyber attacks and intrusion threats.

Your organization should continue to focus on the imminent security risks posed by third parties, review risk-management processes, and institute necessary controls that will help mitigate potential damage. To this end, the secure operations map can be a powerful tool to manage a comprehensive approach to cybersecurity.

We now face a globally interconnected digital environment that is subject to the threat of sudden and costly cyber attacks from highly sophisticated organizations. SAP’s comprehensive GRC and security solutions portfolio offers powerful tools for encryption, threat definition, identification, analysis, and protection in SAP and non-SAP systems.

For more on this topic, read Improving Security in the Aftermath of the World’s Largest Ransomware Attack and The Secret to Avoiding Hacks that Can Wipe Out Your Business.

Comments

Lane Leskela

About Lane Leskela

Lane Leskela is Global Business Development Principal, Governance, Risk, Compliance and Security at SAP.

Primed: Prompting Customers to Buy

Volker Hildebrand, Sam Yen, and Fawn Fitter

When it comes to buying things—even big-ticket items—the way we make decisions makes no sense. One person makes an impulsive offer on a house because of the way the light comes in through the kitchen windows. Another gleefully drives a high-end sports car off the lot even though it will probably never approach the limits it was designed to push.

We can (and usually do) rationalize these decisions after the fact by talking about needing more closet space or wanting to out-accelerate an 18-wheeler as we merge onto the highway, but years of study have arrived at a clear conclusion:

When it comes to the customer experience, human beings are fundamentally irrational.

In the brick-and-mortar past, companies could leverage that irrationality in time-tested ways. They relied heavily on physical context, such as an inviting retail space, to make products and services as psychologically appealing as possible. They used well-trained salespeople and employees to maximize positive interactions and rescue negative ones. They carefully sequenced customer experiences, such as having a captain’s dinner on the final night of a cruise, to play on our hard-wired craving to end experiences on a high note.

Today, though, customer interactions are increasingly moving online. Fortune reports that on 2016’s Black Friday, the day after Thanksgiving that is so crucial to holiday retail results, 108.5 million Americans shopped online, while only 99.1 million visited brick-and-mortar stores. The 9.4% gap between the two was a dramatic change from just one year prior, when on- and offline Black Friday shopping were more or less equal.

When people browse in a store for a few minutes, an astute salesperson can read the telltale signs that they’re losing interest and heading for the exit. The salesperson can then intervene, answering questions and closing the sale.

Replicating that in a digital environment isn’t as easy, however. Despite all the investments companies have made to counteract e-shopping cart abandonment, they lack the data that would let them anticipate when a shopper is on the verge of opting out of a transaction, and the actions they take to lure someone back afterwards can easily come across as less helpful than intrusive.

In a digital environment, companies need to figure out how to use Big Data analysis and digital design to compensate for the absence of persuasive human communication and physical sights, sounds, and sensations. What’s more, a 2014 Gartner survey found that 89% of marketers expected customer experience to be their primary differentiator by 2016, and we’re already well into 2017.

As transactions continue to shift toward the digital and omnichannel, companies need to figure out new ways to gently push customers along the customer journey—and to do so without frustrating, offending, or otherwise alienating them.

The quest to understand online customers better in order to influence them more effectively is built on a decades-old foundation: behavioral psychology, the study of the connections between what people believe and what they actually do. All of marketing and advertising is based on changing people’s thoughts in order to influence their actions. However, it wasn’t until 2001 that a now-famous article in the Harvard Business Review formally introduced the idea of applying behavioral psychology to customer service in particular.

The article’s authors, Richard B. Chase and Sriram Dasu, respectively a professor and assistant professor at the University of Southern California’s Marshall School of Business, describe how companies could apply fundamental tenets of behavioral psychology research to “optimize those extraordinarily important moments when the company touches its customers—for better and for worse.” Their five main points were simple but have proven effective across multiple industries:

  1. Finish strong. People evaluate experiences after the fact based on their high points and their endings, so the way a transaction ends is more important than how it begins.
  2. Front-load the negatives. To ensure a strong positive finish, get bad experiences out of the way early.
  3. Spread out the positives. Break up the pleasurable experiences into segments so they seem to last longer.
  4. Provide choices. People don’t like to be shoved toward an outcome; they prefer to feel in control. Giving them options within the boundaries of your ability to deliver builds their commitment.
  5. Be consistent. People like routine and predictability.

For example, McKinsey cites a major health insurance company that experimented with this framework in 2009 as part of its health management program. A test group of patients received regular coaching phone calls from nurses to help them meet health goals.

The front-loaded negative was inherent: the patients knew they had health problems that needed ongoing intervention, such as weight control or consistent use of medication. Nurses called each patient on a frequent, regular schedule to check their progress (consistency and spread-out positives), suggested next steps to keep them on track (choices), and cheered on their improvements (a strong finish).

McKinsey reports the patients in the test group were more satisfied with the health management program by seven percentage points, more satisfied with the insurance company by eight percentage points, and more likely to say the program motivated them to change their behavior by five percentage points.

The nurses who worked with the test group also reported increased job satisfaction. And these improvements all appeared in the first two weeks of the pilot program, without significantly affecting the company’s costs or tweaking key metrics, like the number and length of the calls.

Indeed, an ongoing body of research shows that positive reinforcements and indirect suggestions influence our decisions better and more subtly than blatant demands. This concept hit popular culture in 2008 with the bestselling book Nudge.

Written by University of Chicago economics professor Richard H. Thaler and Harvard Law School professor Cass R. Sunstein, Nudge first explains this principle, then explores it as a way to help people make decisions in their best interests, such as encouraging people to eat healthier by displaying fruits and vegetables at eye level or combatting credit card debt by placing a prominent notice on every credit card statement informing cardholders how much more they’ll spend over a year if they make only the minimum payment.

Whether they’re altruistic or commercial, nudges work because our decision-making is irrational in a predictable way. The question is how to apply that awareness to the digital economy.

In its early days, digital marketing assumed that online shopping would be purely rational, a tool that customers would use to help them zero in on the best product at the best price. The assumption was logical, but customer behavior remained irrational.

Our society is overloaded with information and short on time, says Brad Berens, Senior Fellow at the Center for the Digital Future at the University of Southern California, Annenberg, so it’s no surprise that the speed of the digital economy exacerbates our desire to make a fast decision rather than a perfect one, as well as increasing our tendency to make choices based on impulse rather than logic.

Buyers want what they want, but they don’t necessarily understand or care why they want it. They just want to get it and move on, with minimal friction, to the next thing. “Most of our decisions aren’t very important, and we only have so much time to interrogate and analyze them,” Berens points out.

But limited time and mental capacity for decision-making is only half the issue. The other half is that while our brains are both logical and emotional, the emotional side—also known as the limbic system or, more casually, the primitive lizard brain—is far older and more developed. It’s strong enough to override logic and drive our decisions, leaving rational thought to, well, rationalize our choices after the fact.

This is as true in the B2B realm as it is for consumers. The business purchasing process, governed as it is by requests for proposals, structured procurement processes, and permission gating, is designed to ensure that the people with spending authority make the most sensible deals possible. However, research shows that even in this supposedly rational process, the relationship with the seller is still more influential than product quality in driving customer commitment and loyalty.

Baba Shiv, a professor of marketing at Stanford University’s Graduate School of Business, studies how the emotional brain shapes decisions and experiences. In a popular TED Talk, he says that people in the process of making decisions fall into one of two mindsets: Type 1, which is stressed and wants to feel comforted and safe, and Type 2, which is bored or eager and wants to explore and take action.

People can move between these two mindsets, he says, but in both cases, the emotional brain is in control. Influencing it means first delivering a message that soothes or motivates, depending on the mindset the person happens to be in at the moment and only then presenting the logical argument to help rationalize the action.

In the digital economy, working with those tendencies means designing digital experiences with the full awareness that people will not evaluate them objectively, says Ravi Dhar, director of the Center for Customer Insights at the Yale School of Management. Since any experience’s greatest subjective impact in retrospect depends on what happens at the beginning, the end, and the peaks in between, companies need to design digital experiences to optimize those moments—to rationally design experiences for limited rationality.

This often involves making multiple small changes in the way options are presented well before the final nudge into making a purchase. A paper that Dhar co-authored for McKinsey offers the example of a media company that puts most of its content behind a paywall but offers free access to a limited number of articles a month as an incentive to drive subscriptions.

Many nonsubscribers reached their limit of free articles in the morning, but they were least likely to respond to a subscription offer generated by the paywall at that hour, because they were reading just before rushing out the door for the day. When the company delayed offers until later in the day, when readers were less distracted, successful subscription conversions increased.

Pre-selecting default options for necessary choices is another way companies can design digital experiences to follow customers’ preference for the path of least resistance. “We know from a decade of research that…defaults are a de facto nudge,” Dhar says.

For example, many online retailers set a default shipping option because customers have to choose a way to receive their packages and are more likely to passively allow the default option than actively choose another one. Similarly, he says, customers are more likely to enroll in a program when the default choice is set to accept it rather than to opt out.

Another intriguing possibility lies in the way customers react differently to on-screen information based on how that information is presented. Even minor tweaks can have a disproportionate impact on the choices people make, as explained in depth by University of California, Los Angeles, behavioral economist Shlomo Benartzi in his 2015 book, The Smarter Screen.

A few of the conclusions Benartzi reached: items at the center of a laptop screen draw more attention than those at the edges. Those on the upper left of a screen split into quadrants attract more attention than those on the lower left. And intriguingly, demographics are important variables.

Benartzi cites research showing that people over 40 prefer more visually complicated, text-heavy screens than younger people, who are drawn to saturated colors and large images. Women like screens that use a lot of different colors, including pastels, while men prefer primary colors on a grey or white background. People in Malaysia like lots of color; people in Germany don’t.

This suggests companies need to design their online experiences very differently for middle-aged women than they do for teenage boys. And, as Benartzi writes, “it’s easy to imagine a future in which each Internet user has his or her own ‘aesthetic algorithm,’ customizing the appearance of every site they see.”

Applying behavioral psychology to the digital experience in more sophisticated ways will require additional formal research into recommendation algorithms, predictions, and other applications of customer data science, says Jim Guszcza, PhD, chief U.S. data scientist for Deloitte Consulting.

In fact, given customers’ tendency to make the fastest decisions, Guszcza believes that in some cases, companies may want to consider making choice environments more difficult to navigate— a process he calls “disfluencing”—in high-stakes situations, like making an important medical decision or an irreversible big-ticket purchase. Choosing a harder-to-read font and a layout that requires more time to navigate forces customers to work harder to process the information, sending a subtle signal that it deserves their close attention.

That said, a company can’t apply behavioral psychology to deliver a digital experience if customers don’t engage with its site or mobile app in the first place. Addressing this often means making the process as convenient as possible, itself a behavioral nudge.

A digital solution that’s easy to use and search, offers a variety of choices pre-screened for relevance, and provides a friction-free transaction process is the equivalent of putting a product at eye level—and that applies far beyond retail. Consider the Global Entry program, which streamlines border crossings into the U.S. for pre-approved international travelers. Members can skip long passport control lines in favor of scanning their passports and answering a few questions at a touchscreen kiosk. To date, 1.8 million people have decided this convenience far outweighs the slow pace of approvals.

The basics of influencing irrational customers are essentially the same whether they’re taking place in a store or on a screen. A business still needs to know who its customers are, understand their needs and motivations, and give them a reason to buy.

And despite the accelerating shift to digital commerce, we still live in a physical world. “There’s no divide between old-style analog retail and new-style digital retail,” Berens says. “Increasingly, the two are overlapping. One of the things we’ve seen for years is that people go into a store with their phones, shop for a better price, and buy online. Or vice versa: they shop online and then go to a store to negotiate for a better deal.”

Still, digital increases the number of touchpoints from which the business can gather, cluster, and filter more types of data to make great suggestions that delight and surprise customers. That’s why the hottest word in marketing today is omnichannel. Bringing behavioral psychology to bear on the right person in the right place in the right way at the right time requires companies to design customer experiences that bridge multiple channels, on- and offline.

Amazon, for example, is known for its friction-free online purchasing. The company’s pilot store in Seattle has no lines or checkout counters, extending the brand experience into the physical world in a way that aligns with what customers already expect of it, Dhar says.

Omnichannel helps counter some people’s tendency to believe their purchasing decision isn’t truly well informed unless they can see, touch, hear, and in some cases taste and smell a product. Until we have ubiquitous access to virtual reality systems with full haptic feedback, the best way to address these concerns is by providing personalized, timely, relevant information and feedback in the moment through whatever channel is appropriate. That could be an automated call center that answers frequently asked questions, a video that shows a product from every angle, or a demonstration wizard built into the product. Any of these channels could also suggest the customer visit the nearest store to receive help from a human.

The omnichannel approach gives businesses plenty of opportunities to apply subtle nudges across physical and digital channels. For example, a supermarket chain could use store-club card data to push personalized offers to customers’ smartphones while they shop. “If the data tells them that your goal is to feed a family while balancing nutrition and cost, they could send you an e-coupon offering a discount on a brand of breakfast cereal that tastes like what you usually buy but contains half the sugar,” Guszcza says.

Similarly, a car insurance company could provide periodic feedback to policyholders through an app or even the digital screens in their cars, he suggests. “Getting a warning that you’re more aggressive than 90% of comparable drivers and three tips to avoid risk and lower your rates would not only incentivize the driver to be more careful for financial reasons but reduce claims and make the road safer for everyone.”

Digital channels can also show shoppers what similar people or organizations are buying, let them solicit feedback from colleagues or friends, and read reviews from other people who have made the same purchases. This leverages one of the most familiar forms of behavioral psychology—reinforcement from peers—and reassures buyers with Shiv’s Type 1 mindset that they’re making a choice that meets their needs or encourages those with the Type 2 mindset to move forward with the purchase. The rational mind only has to ask at the end of the process “Am I getting the best deal?” And as Guszcza points out, “If you can create solutions that use behavioral design and digital technology to turn my personal data into insight to reach my goals, you’ve increased the value of your engagement with me so much that I might even be willing to pay you more.”

Many transactions take place through corporate procurement systems that allow a company to leverage not just its own purchasing patterns but all the data in a marketplace specifically designed to facilitate enterprise purchasing. Machine learning can leverage this vast database of information to provide the necessary nudge to optimize purchasing patterns, when to buy, how best to negotiate, and more. To some extent, this is an attempt to eliminate psychology and make choices more rational.

B2B spending is tied into financial systems and processes, logistics systems, transportation systems, and other operational requirements in a way no consumer spending can be. A B2B decision is less about making a purchase that satisfies a desire than it is about making a purchase that keeps the company functioning.

That said, the decision still isn’t entirely rational, Berens says. When organizations have to choose among vendors offering relatively similar products and services, they generally opt for the vendor whose salespeople they like the best.

This means B2B companies have to make sure they meet or exceed parity with competitors on product quality, pricing, and time to delivery to satisfy all the rational requirements of the decision process. Only then can they bring behavioral psychology to bear by delivering consistently superior customer service, starting as soon as the customer hits their app or website and spreading out positive interactions all the way through post-purchase support. Finishing strong with a satisfied customer reinforces the relationship with a business customer just as much as it does with a consumer.

The best nudges make the customer relationship easy and enjoyable by providing experiences that are effortless and fun to choose, on- or offline, Dhar says. What sets the digital nudge apart in accommodating irrational customers is its ability to turn data about them and their journey into more effective, personalized persuasion even in the absence of the human touch.

Yet the subtle art of influencing customers isn’t just about making a sale, and it certainly shouldn’t be about persuading people to act against their own best interests, as Nudge co-author Thaler reminds audiences by exhorting them to “nudge for good.”

Guszcza, who talks about influencing people to make the choices they would make if only they had unlimited rationality, says companies that leverage behavioral psychology in their digital experiences should do so with an eye to creating positive impact for the customer, the company, and, where appropriate, the society.

In keeping with that ethos, any customer experience designed along behavioral lines has to include the option of letting the customer make a different choice, such as presenting a confirmation screen at the end of the purchase process with the cold, hard numbers and letting them opt out of the transaction altogether.

“A nudge is directing people in a certain direction,” Dhar says. “But for an ethical vendor, the only right direction to nudge is the right direction as judged by the customers themselves.” D!

Read more thought provoking articles in the latest issue of the Digitalist Magazine, Executive Quarterly.


About the Authors:

Volker Hildebrand is Global Vice President for SAP Hybris solutions.

Sam Yen is Chief Design Officer and Managing Director at SAP.

Fawn Fitter is a freelance writer specializing in business and technology.

Comments

Tags:

How Artificial Intelligence Will Transform Tomorrow’s Digital Supply Chain

Alina Gross

Artificial intelligence (AI) may sound futuristic, but it’s a real-life breakthrough that exists in the present. Anyone who interacts with an online search engine, shops on Amazon, owns a self-parking car, or talks to voice-powered personal assistants like Siri or Alexa is using AI.

AI is a field of computer science in which a machine is equipped with the ability to mimic the cognitive functions of a human. An AI machine can make decisions or predictions based on its past experiences, or it can respond to entirely new scenarios. When given a goal, not only does it attempt to achieve its objective, it continuously tries to improve upon its past performance.

Revolutionizing the digital supply chain

Within five years, 50% of manufacturing supply chains will be robotically and digitally controlled and able to provide direct-to-consumer and home shipments, according to IDC Manufacturing Insights. Additionally, 47% of supply chain leaders believe AI is disruptive and important with respect to supply chain strategies, per a 2016 SCM World survey. With that in mind, 85% of organizations have already adopted or will adopt AI technology into their supply chains within one year, according to a 2016 Accenture report.

Supply chains need AI to aggregate their mass amounts of data. In the supply chain, AI can analyze large data sets and recommend customer service and operations improvements while supporting better working capital management. As corporate systems become more interconnected, providing access to a wider breadth of supply chain data, the opportunity to leverage AI increases.

Let’s look at the potential benefits of using AI to link transportation data with order data:

A logistics enterprise ensures the delivery of a product within two days. With AI, the carrier can view past performances from shipping a similar product on a specific day, using a particular route, which reveals there’s a 25% chance the order will arrive in four days, not two. This information supplies customer service and supply chain professionals with proactive alerts of potential fulfillment challenges.

To take this a step further, AI could also compare historical shipping data to the customer’s requested delivery date to provide recommendations on whether this particular carrier’s performance meets requirements, or if you need to consider a different logistics enterprise that is 15% more expensive, but 25% more likely to deliver the product on time.

Step by step to a more efficient supply chain with AI

There are many opportunities to use AI throughout the supply chain, from buying raw materials/components and converting them into finished products to selling and delivering items to customers. Supply chains can also use AI to end repetitive manual tasks and begin automating processes. This can enable companies to reallocate time and resources to their core business, and other high-value, judgment-based jobs, by using AI for low-value, high-frequency activities.

In an AI-driven selling platform, chatbots can manage many of the sales, customer service, and operations tasks traditionally handled by humans, including interacting with buyers, taking orders, and passing those orders through the supply chain. In warehouse operations, AI-capable robotics and sensors can enable organizations to enhance stacking and retrieval, order picking, stock-level management, and re-ordering processes.

Amazon is currently combining automation with human labor to increase productivity by using robots that can glide quickly across the floor to rearrange items on shelves into neatly organized rows, or alert human workers when they need to stack the shelves with new products or retrieve goods for packaging. And Logistics company DHL is using AI and automation to create self-sufficient forklifts that understand what products need to be moved, where they need to be moved, and when they need to be moved.

Supply chain companies see a path forward with AI

Leveraging AI is an important next step for supply chain companies looking to lower costs and improve productivity. It can enable your organization to spend less time on repetitive processes, such as planning, monitoring, and coordinating, and focus more on innovation and growth.

AI still needs careful monitoring, however, as well as experienced and knowledgeable logistics and operations professionals to ensure it’s being used to its maximum potential.

For more on how AI and advanced tech can help boost your business, see Next-Gen Technology Separates Digital Leaders From The Rest.

Comments

Alina Gross

About Alina Gross

Alina Gross is currently pursuing her BA in international business at Heilbronn University. She plans on deepening her knowledge by adding an MA in international marketing. During her six-month, full-time internship at SAP, she has focused on marketing and project management topics within the field of supply chain, especially around event management and social media.