Learn three ways to limit your risk
All areas of your organization are susceptible to external security threats such as advanced persistent threats (APT) or malware, which allow an unauthorized person or program to gain access to your network. They might even maintain that connection—undetected—for a long period of time.
But when it comes to internal threats, your brick and mortar contact centers are actually one of the riskiest areas of your enterprise. Why is this so?
Contact center employees have access to customer data
Given the job, these employees have direct access to customer information. They handle sensitive data such as credit card numbers, passwords, bank info, social security numbers, and health information. Having direct access inherently opens your business to risk.
Contact center employees are prone to high turnover
Most insider theft occurs as an employee leaves your organization. Contact centers are known to have high turnover—the average annual attrition rate for agents in U.S. contact centers is 30%. In other countries, this number is even higher: India has a 40% average annual attrition rate, and the rate is 70% in the Philippines.
These high rates mean that a great number of employees are passing through your doors year after year, so you are constantly exposing your company to insider threat risk. What happens if employees take sensitive customer data with them when they leave?
Contact center employees are entry-level
Statistically, most of your contact center employees are entry-level workers. They don’t view their contact center jobs as a long-term career, so they don’t offer much loyalty to your company. Also, entry-level jobs typically offer low pay, making employees more tempted to sell customer information for a profit.
Last year, a Sacramento, Calif., woman pleaded guilty in a scheme against a call center where she’d worked. The call center serviced debit cards issued in connection with delivery of California unemployment benefits, according to an article in the Sacramento Bee. The woman and co-conspirators not only called in requesting to have benefits transferred, but also accessed the online accounts of beneficiaries to create fake messages about transferring funds into the fraudulent accounts.
Three ways you can limit your risk
1) Train agents for security compliance
The first step is to educate your agents and heighten their awareness about the need for security common sense. This training addresses some of the external threats. Your enterprise should have ongoing education programs about security and review common strategies fraudsters use to trick individuals into providing sensitive information.
One of your conditions for employment should be compliance with a set of security standards. The overall goal is to make security a part of everyday thinking. For instance, Liveops strongly recommends that agents configure computer systems in accordance with Microsoft’s recommendations as outlined on their Protect Your PC website.
These steps include:
- Enable and configure the Windows Update module to update automatically
- Enable the standard Windows firewall
- Install anti-virus software and configure it to automatically update
- Install anti-adware software to protect against spyware, malware, etc.
2) Implement tight desktop and data security that is validated regularly
The easiest and most effective way to implement tight desktop and data security is to deploy a contact center technology ecosystem that has built-in security, data access controls, and monitoring.
Modern data protection controls must be data-centric rather than location-centric, protecting data no matter where it resides. Because Liveops agents operate from distributed locations, we carefully vet our vendors, conducting annual security, compliance and risk assessments.
3) Manage your distributed perimeter with a “need to know” policy and control data access
Companies must understand what data needs to be protected and create a data classification policy to classify data based on sensitivity. At a minimum, there are three levels of classification:
- Restricted: This is the most sensitive data that could cause great risk if compromised. Access is on a need to know basis only.
- Confidential: This is moderately sensitive data that would cause a moderate risk to your company if compromised. Access is internal to your company or the department that owns the data.
- Public: This is non-sensitive data that would cause little or no risk to your company if accessed. Access is loosely controlled.
Generally, the more tasks and functions your agents perform, the greater the access they need to your systems and data. The key to maintaining tight security is to limit access to data and applications on a “need to know” basis. For instance, if your agents need access to credit card data, only allow access to the last four digits.
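The sketch below is an added example, not Liveops code. It shows one way to apply the three classification levels and the last-four-digits rule when building the record an agent sees. The field names, the `internal` flag, the `need_to_know` set and the sample record are all assumptions made for illustration.

```python
from enum import IntEnum

class Level(IntEnum):
    PUBLIC = 0
    CONFIDENTIAL = 1
    RESTRICTED = 2

# Constructed classification map; field names are assumptions for this example.
FIELD_LEVEL = {
    "first_name": Level.PUBLIC,
    "order_status": Level.PUBLIC,
    "email": Level.CONFIDENTIAL,
    "card_number": Level.RESTRICTED,
    "ssn": Level.RESTRICTED,
}

def last_four(value):
    """Render a card number as its last four digits, all others masked."""
    digits = [c for c in value if c.isdigit()]
    if len(digits) < 8:            # too short to reveal any part safely
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + "".join(digits[-4:])

# Reduced forms for Restricted fields; a granted field without one is shown in full.
MASKERS = {"card_number": last_four}

def agent_view(record, internal, need_to_know=frozenset()):
    """Return only the fields this agent may see, masked where required."""
    view = {}
    for field, value in record.items():
        # Unclassified fields fail closed: treat them as Restricted.
        level = FIELD_LEVEL.get(field, Level.RESTRICTED)
        if level == Level.PUBLIC:
            view[field] = value
        elif level == Level.CONFIDENTIAL and internal:
            view[field] = value
        elif level == Level.RESTRICTED and field in need_to_know:
            view[field] = MASKERS.get(field, lambda v: v)(value)
        # anything else is withheld from the view entirely
    return view

# Constructed sample record (test card number, placeholder SSN).
RECORD = {"first_name": "Ana", "order_status": "shipped", "email": "ana@example.com",
          "card_number": "4111 1111 1111 1111", "ssn": "000-00-0000", "notes": "callback"}

if __name__ == "__main__":
    print(agent_view(RECORD, internal=True, need_to_know={"card_number"}))
```

The unclassified `notes` field is withheld even from an internal agent, which keeps new or forgotten fields from leaking until someone classifies them.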
Trust but verify
You need to face the reality that there is risk within your company. The answer isn’t to assume every employee is a criminal. You need to find a balance. Tight restrictions hinder productivity, frustrate employees, and will affect customer experience.
Focus on getting more visibility into employee activity, while also communicating clear guidelines and expectations for security compliance. If an employee deviates from the desired behavior and raises warning signs, jump into action to mitigate insider threat risk.