Making Contact Centers More Secure
Many years ago, when I was managing a credit card customer service contact center, one of our clients threatened to bomb our office. The agent who received the threat followed protocol and the issue was immediately brought to my attention, as the head of the department. I assessed the risk – per guidelines – and made the decision to keep everything going. My evaluation of the situation was based on many factors, most importantly the risk to my employees, which I determined to be non-existent, as I knew this caller and his frequent issues very well. (To put this into perspective, when the fire alarm went off a few weeks later due to a fire drill that we had not been notified of, we immediately emptied the contact center, as the risk was perceived to be very high.)
The world has changed a great deal since I ran that contact center, and so have the guidelines. Bomb threats and other types of warnings to a business/institution/government agency and its people happen too frequently. Organizations have established protocols, policies, and resources to assess risks, which include notifying a risk assessment team that makes the decision about how to handle the situation; this judgment is no longer left up to the department manager.
Contact Centers are Points of Vulnerability for Enterprises
A contact centers is fraught with risk, since its purpose is to invite the outside world in to interact with a company. It’s a natural point of vulnerability – its physical site(s), employees and customer data must be protected. Companies need to have plans in place to protect all customer-facing functions, as the risks are growing with each passing year.
There are many types of risks and attacks that contact centers face, including:
- Physical threats to people and property – bombs, shootings, ramming cars/trucks into buildings, etc.
- Human-engineered phishing attacks – hackers breaking in and stealing customer information
- Ransomware attacks – hackers breaking through a company’s security and freezing access to their systems and accounts unless a ransom is paid
- Phone-based attacks – a fraudster (or a group of people working together) calling repeatedly until they get the information they need to access specific customer accounts
- Attacks through the self-service solution – a fraudster accessing a specific customer’s account via a website, interactive voice response (IVR) system, intelligent virtual agent (IVA), or other self-service solution
- Compromised employees – having an employee who is either a fraudster or is paid to collect and share customer information with a thief
- Many more
Establish a Security Framework
Contact centers need to establish a security framework that minimizes the risk of fraud, as there is no known way to eliminate it completely. It should go without saying that this begins with the contact center’s underlying network architecture. Today, especially with the increase in work-from-anywhere staffing models (for agents and other contact center personnel), the recommended approach is based on a Zero Trust configuration. Zero Trust requires continuous authentication of all network devices and users and limits network access to the least privileged level.
Contact centers can also apply a Zero Trust approach to customer authentication, which takes 2-factor verification a step further. It means that customers who were verified in a self-service solution must be “re-verified” if they transfer to a live agent. Or if a customer is transferred from one agent who verified them, they must go through the verification process again when they speak to a second agent. (The customer will be put through a 2-factor verification during the first contact with a self-service solution or live agent and only a single-factor authentication for the second contact.) This process reduces fraud risk and losses but will likely frustrate and annoy legitimate customers because of having to be verified multiple times when transferred between devices and agents. Therefore, this approach should be applied only when necessary for certain types of sensitive transactions.
Making a Contact Center Secure
I’m sorry to say that there is no perfect way to protect a contact center, its employees, or customer data. Fraudsters who are intent on getting information will keep at it until they find a “weak link” in the system. Companies need to put in place systems, guidelines, and policies to minimize the risks and encourage their agents to report potentially fraudulent activities, without upsetting customers. Contact center agents need to perform their primary job – delivering a great customer experience – but must do so with “both eyes open” in today’s world.