Few things damage a company’s reputation as much as a security breach that compromises sensitive data. Customers trust that contact centers have the procedures, technology and screening methodologies in place to protect their private information. Even so, fraudsters constantly develop new strategies to break into systems and mine them for data. And the perpetrators are not always outsiders, so an assessment of an organization’s security controls has to start from within.
Contact centers can and should be proactive in ensuring customer data is secure; here are ten steps to get management started:
1. Assess Current Procedures
Contact center managers should review the procedures currently in place to manage and protect data: where are the exposures to risk, and are there security gaps? Contributing factors to insider theft include:
- The type of data being handled and processed
- Staff members with access to sensitive data they do not need for their job
- Inefficient screening, training and supervision
- A high frequency of staff turnover
- Non-compliance with guidelines and regulations such as HIPAA
Henry St. Andre, Director of Trust at inContact, a provider of contact center software and cloud-based solutions, recommended that organizations bring in a third-party auditing firm that assesses the company’s current data security program and issues an extensive report specifying the findings. “This is an important tool that customers can receive, as it will signify that the contact center is taking data security seriously.”
2. Increase Security
“The best security is always layered security, and this principle holds true when securing the telephony channel. Voice biometrics can capture ‘bad guy’ or fraudster voices and put them on a blacklist that can be used for future voice comparisons and verifications of individual callers,” advised Avivah Litan, a Vice President and Analyst at Gartner, in an article she wrote for Forbes. “This technology has been successfully used by law enforcement and intelligence agencies for a few years, including in recently disclosed surveillance activities undertaken by US intelligence agencies. However, voices can be distorted or synthesized, making it harder to identify a fraudster, which is why a layered strategy that also uses phone printing works best for fraud prevention.”
In addition to voice biometrics, customer data should be encrypted as soon as it is captured and before it is written to the database, so that a stolen copy of the database is useless to hackers and unauthorized users without the keys. Another way of making data inaccessible is tokenization, which is most often used in credit card processing and is defined by the PCI Council as “a process by which the primary account number (PAN) is replaced with a surrogate value called a token. De-tokenization is the reverse process of redeeming a token for its associated PAN value. The security of an individual token relies predominantly on the infeasibility of determining the original PAN knowing only the surrogate value.” In practice this means the card number lives in one tightly controlled vault, and every other system in the center (CRM, call recordings, reporting) handles only the token.
Anti-phishing controls can also protect the email channel. Email authentication (SPF, DKIM and DMARC) makes it harder for criminals to send fraudulent emails under a legitimate company’s name, and inbound filtering blocks phishing aimed at agents. Before implementing any such controls, the applicable regulations should be consulted for compliance.
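The PCI Council definition above is abstract; the following is an added example (not code from the article, inContact or the PCI Council) of what a vault-based tokenizer looks like in practice. The token is random, so it has no mathematical relationship to the PAN, the PAN is stored in exactly one place, and de-tokenization is restricted to an authorised role. The HMAC index key, the `payment-processor` role name and the choice to keep the real last four digits for display are assumptions of this example; a production vault would additionally encrypt the stored PANs under an HSM-managed key, which is omitted here to keep the example self-contained.

```python
"""Vault-based tokenization of a primary account number (PAN).

Added example, not from the article. Everything outside the vault
(CRM, recordings, analytics) sees only tokens; knowing a token alone
reveals nothing about the card number it stands for.
"""
import hashlib
import hmac
import secrets

DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """Luhn checksum, used to reject malformed input before it enters the vault."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(token: str) -> str:
    """Display form an agent sees: only the last four digits survive."""
    return "*" * (len(token) - 4) + token[-4:]


class TokenVault:
    """The only component allowed to hold PANs; every other system gets tokens."""

    def __init__(self, index_key: bytes):
        self._pan_by_token = {}    # token -> PAN, the single copy of the card number
        # Keyed hash of the PAN -> token, so the same card always maps to one token
        # without keeping a second plaintext copy of the PAN for lookups.
        self._token_by_index = {}
        self._index_key = index_key  # assumed to come from a key manager in production

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        while True:
            # Random leading digits; the real last four are kept for customer display.
            # Candidates that pass Luhn are rejected so a token can never be mistaken
            # for a live card number, and a collision with an existing token retries.
            token = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4)) + pan[-4:]
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Redeem a token for its PAN; only the payment path is allowed to."""
        if role != "payment-processor":  # role name is an assumption of this example
            raise PermissionError(f"role {role!r} may not de-tokenize")
        try:
            return self._pan_by_token[token]
        except KeyError:
            raise ValueError("unknown token") from None


if __name__ == "__main__":
    vault = TokenVault(index_key=b"example-index-key")
    token = vault.tokenize("4111 1111 1111 1111")  # well-known test card number
    print("agent sees:   ", mask(token))
    print("processor gets", vault.detokenize(token, "payment-processor"))
```

The point to take from the code is where the trust boundary sits: an agent's desktop, the recording platform and the analytics warehouse never call `detokenize`, so a compromise of any of them yields random digits rather than card numbers.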
3. Leverage Personnel
“Our clients in the financial services sector report that up to 30 percent of fraud perpetrated against customer accounts is cross-channel. For example, many times fraudsters start by socially engineering call center agents to give away or change sensitive information, which the fraudsters use during follow-up online transactions to steal money out of customer accounts,” wrote Litan. She added that criminals identify and target the most gullible agents in order to achieve their goals.
In a data-intensive, sensitive environment such as the contact center, extra diligence is needed to ensure that only the right staff members have access to such data and that they are able to recognize possible criminal activity.
To that end, management should:
- Establish stringent hiring procedures to include background checks, screening tests and an extensive training period
- Allow access only to highly screened and qualified individuals
- Implement strong identity authentication and verification procedures for callers and for staff
- Monitor staff activity
- Immediately revoke access to the company’s network upon termination of employment
4. Comply with the Payment Card Industry Data Security Standard (PCI DSS)
Any company that stores, processes or transmits credit card data must comply with PCI DSS, “a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. The PCI Data Security Standard is comprised of 12 general requirements designed to: Build and maintain a secure network; Protect cardholder data; Ensure the maintenance of vulnerability management programs; Implement strong access control measures; Regularly monitor and test networks; and Ensure the maintenance of information security policies.”
St. Andre advised that a vendor gives its clients a sound assurance instrument if it can prove compliance with PCI’s standard of controls.
Doing so has many benefits, chief among them:
- Independent confirmation that the required controls are in place
- An improved reputation and greater customer confidence
- A reduced likelihood of security breaches and data theft
5. Shore Up Defenses
- Keep firewalls current and correctly configured, especially when employees log in from remote locations or over consumer broadband connections, since both widen the attack surface.
- Block access to non-business social media and general internet use from agent workstations; such access makes it easier for an employee to exfiltrate sensitive information.
- Monitor and track inbound and outbound data transfers so that an anomaly, such as an agent pulling far more records than peers or pushing an unusually large export, raises an alert.
- Apply updates and patches from software vendors promptly.
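The advice to “monitor staff activity” (step 3) and to watch data flows for anomalies (the bullet above) is easy to state and hard to operationalise. As an added example, not code from the article or its sources, here is a small detector run over constructed agent activity lines. It applies two insider-oriented rules the text implies: a customer record viewed by an agent who never took a call for that customer, and an agent whose view count or outbound export volume is far above peers. The log format, the field names, the `3×` peer ratio and the 1 MB export limit are all assumptions of the example; a real deployment would read these events from the CRM and telephony platforms and tune the thresholds on historical data.

```python
"""Insider-threat detection over contact-center agent activity logs.

Added example, not from the article. One event per line, key=value
fields (assumed format). Two checks:
  1. record_view of a customer the agent has no call_start for that day
  2. per-agent volume (views, exported bytes) far above peers or a fixed limit
"""
from collections import defaultdict
from statistics import median

# Constructed sample: agent a22 browses records it never took calls for and
# pushes a large export; a17 and a31 only touch customers they spoke with.
SAMPLE_LOG = """\
2024-03-04T09:00:05 agent=a17 event=call_start customer=C1001
2024-03-04T09:00:30 agent=a17 event=record_view customer=C1001
2024-03-04T09:10:05 agent=a17 event=call_start customer=C1002
2024-03-04T09:10:20 agent=a17 event=record_view customer=C1002
2024-03-04T09:02:00 agent=a31 event=call_start customer=C2001
2024-03-04T09:02:15 agent=a31 event=record_view customer=C2001
2024-03-04T09:20:00 agent=a31 event=call_start customer=C2002
2024-03-04T09:20:10 agent=a31 event=record_view customer=C2002
2024-03-04T09:21:00 agent=a31 event=export customer=C2002 bytes=2048
2024-03-04T09:05:00 agent=a22 event=call_start customer=C3001
2024-03-04T09:05:10 agent=a22 event=record_view customer=C3001
2024-03-04T09:06:00 agent=a22 event=record_view customer=C3002
2024-03-04T09:06:30 agent=a22 event=record_view customer=C3003
2024-03-04T09:07:00 agent=a22 event=record_view customer=C3004
2024-03-04T09:07:30 agent=a22 event=record_view customer=C3005
2024-03-04T09:08:00 agent=a22 event=record_view customer=C3006
2024-03-04T09:08:30 agent=a22 event=record_view customer=C3007
2024-03-04T09:09:00 agent=a22 event=export customer=C3007 bytes=5242880
"""


def parse(log_text):
    """Turn 'ts k=v k=v ...' lines into dicts; blank lines are skipped."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = {"ts": ts}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def detect(events, view_ratio=3.0, export_limit=1_000_000):
    """Return (agent, rule, detail) alerts. Thresholds are example assumptions."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort as text
    handled = defaultdict(set)   # agent -> customers the agent took a call for
    views = defaultdict(int)     # agent -> number of record views
    exported = defaultdict(int)  # agent -> outbound bytes
    alerts = []
    for ev in events:
        agent = ev["agent"]
        if ev["event"] == "call_start":
            handled[agent].add(ev["customer"])
        elif ev["event"] == "record_view":
            views[agent] += 1
            if ev["customer"] not in handled[agent]:
                # Access with no business reason visible in the telephony data.
                alerts.append((agent, "view_without_call", ev["customer"]))
        elif ev["event"] == "export":
            exported[agent] += int(ev.get("bytes", 0))
    # Peer comparison: median is robust to the one outlier we are looking for.
    baseline = median(views.values()) if views else 0
    for agent, count in views.items():
        if count > view_ratio * baseline and count > 3:  # floor avoids noise on tiny samples
            alerts.append((agent, "view_volume", str(count)))
    for agent, nbytes in exported.items():
        if nbytes > export_limit:
            alerts.append((agent, "export_volume", str(nbytes)))
    return alerts


if __name__ == "__main__":
    for agent, rule, detail in detect(parse(SAMPLE_LOG)):
        print(f"ALERT {agent} {rule} {detail}")
```

The first rule is the one worth copying: it needs no threshold tuning, because it joins two data sources the center already has (who the agent spoke to, whose record the agent opened), and a mismatch is by itself the anomaly. Volume rules catch the blatant cases but should be calibrated per queue, since a back-office team legitimately opens more records than a front-line agent.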
“Our model is contact routing – a call, email or a chat. We provide services like web access to a database. When the customer calls in and accesses service through IVR, we validate just enough information to route the account,” said St. Andre. This way the customer retains control over the sensitive information, while the vendor verifies that it is a real customer and determines how to route the call. “The customer controls the data and we control services and routing. Minimize the data footprint and maximize customer control over data,” he advised.
6. Run Drills
Data theft is a reality, but contact centers do not have to be caught unprepared; on the contrary, it is their duty to protect customer information. Coordinated drills and simulated attacks should be held at least once a quarter. Each exercise shows managers where the center is vulnerable and lets them take corrective measures before a real attacker finds the same gap.
7. Build a Strong Architecture
Sound disaster recovery and backup systems are integral not only to continuing operations but also to protecting against loss of data. Even though backups are usually taken at the end of each day, contact centers should consider continuous replication so that data is saved as it is created. This minimizes how much can be lost at any point and avoids lengthy restores, which cause further downtime and potential loss. St. Andre also recommended using data centers in geographically diverse areas, New York and Los Angeles, for example, that are replicated in architecture and have built-in redundancy. “Build depth and resiliency, right up to the application that will withstand faults,” he advised.
8. Move to the Cloud
“Companies everywhere are challenged to keep up with technology and keep their skill set updated,” said St. Andre, “when you bring an experienced cloud provider on board you get an entire tech team, and typically if you buy an on premises system you always have to update, chasing technology advancements, maintaining staff, keep on the leading edge – a lot of that can be transferred to the cloud provider.” This can include data security measures.
“The Cloud Security Alliance provides best practices on security in the cloud – it is a great resource for customers and providers to keep on top of where the industry is going,” St. Andre advised.
9. If a Breach Occurs
- Be proactive and notify affected customers promptly that their personal data may have been compromised. Also alert the credit bureaus and the relevant authorities.
- Immediately contain the compromised systems to prevent further data loss.
- Categorize the attack so each type can be handled appropriately, and preserve forensic evidence for review before systems are rebuilt.
- Engage professionals experienced in data theft investigations to establish how the breach occurred.
10. Evaluate and Update
Like most business processes, data security is not a static procedure. Policies and procedures must be continually evaluated for effectiveness and updated with the most recent fraud detection methods if they are to remain effective.
This article was originally published by NSAM sister publication Customer Experience Report.