Protect customer data with contact center security

Why contact center security is so important.

With alarming headlines about massive data breaches dominating media on a nearly daily basis, customers’ growing concern for data security is understandable. Plus, contact centers in particular are targets – they’re essentially clearing houses for data, and bad actors know this. This also means that the front-line workers of the contact center – the agents – could make or break their center’s security through their daily behavior at work and their vigilance to keep data safe from attacks like social engineering threats.

At the same time, companies are sometimes worried about the high cost of implementing a security program. Many organizations cannot afford to hire a Chief Security Officer (CSO), especially considering all of the expenses that go along with creating such a role.  However, the pros often outweigh the cons, as data breaches create catastrophic issues for businesses.

An annual study, the Cost of a Data Breach Report, uncovered that the average total cost of a data breach in 2021 increased by nearly 10% compared to 2020, to $4.24 million–the highest ever recorded. A data breach not only means high costs for a business but also a decrease in trust and loss of reputation.

Businesses must also consider the ramifications of failing an audit because they didn’t achieve compliance requirements. Fines can cause monetary loss, and if the failure becomes publicized, it can have dire consequences for your brand.

In addition, securing your customer’s sensitive data is simply the right thing to do. When your business chooses to protect customer data, you contribute to making the virtual world a safer place for users everywhere. It’s not only an issue of business growth and success but ethics too. And if a contact center is hit with a data breach, the loss of brand value could be the worst price to pay. In today’s day and age, customers can quickly take their business elsewhere as soon as they lose trust in you.

When considering contact center security, there are regulations to consider, depending on your business’s industry and which types of information pass through your contact centers on a daily basis. This can both include policies and procedures on what call center agents should not do or say, along with requirements of what they must say to their customers in order to properly inform them (such as in the case of solicitation):

HIPAA.

The Health Insurance Portability and Accountability Act (HIPAA) prevents sensitive patient health information from being disclosed without the patient’s consent or knowledge. Because of HIPAA, businesses need to be vigilant in understanding exactly where their customers’ private health information (PHI) goes and how it gets stored.

PCI-DSS.

The Payment Card Industry Data Security Standard (PCI-DSS) focuses on protecting payment data, such as credit and debit card transactions, against data theft and fraud. Any contact center that processes payment methods is required to follow PCI-DSS compliance.

Many businesses earn a PCI certification to keep their customer data secure. This certification is earned by implementing security best practices such as firewalls, encryption, and anti-virus software.

GDPR.

The General Data Protection Regulation (GDPR) is a relatively new privacy and security law established by the European Union in 2018. GDPR must be followed by any businesses that interact with customers who live in the EU. It covers security requirements such as:

• Documenting how data is collected and where it goes.
• Handling data securely with best practices such as authentication, encryption, and internal training.
• Gaining consent from users, in order to process their data.
• Proving compliance with metrics.

Where threats to call center security come from.

Threats to call center security can be internal or external. Internal threats come from call center agent errors or disgruntled employees, while external threats come from unknown malicious actors targeting your organization.

When call center agents are negligent in security controls, such as managing access or protecting their own level of user privileges, they become internal threats. When an organization fails to set up safeguards against attacks such as malware, it’s especially vulnerable to external threats. While it is difficult to defend against a disgruntled employee, following the “rule of least privilege” and monitoring agent activity will at least mitigate the effects.

Personally identifiable information.

It’s vitally important for contact center administrators to protect their customer’s personally identifiable information (PII) against both internal and external threats. PII can be found in several places across a contact center’s operations since it is used in a lot of practical ways, such as verifying caller credentials, gaining context for a customer’s inquiries, and generally giving better customer service.

A few examples of PII that are used by contact centers on a regular basis include:

• Usernames and passwords.
• Account numbers, social security numbers.
• Emails and sent messages.
• Online purchase histories.
• Data entered into online forms.
• Mailing addresses, phone numbers, and other contact methods.
• Financial or medical details.

If any of these types of PII are used or stored incorrectly, a business can break regulatory compliance and face fines or—even worse—become vulnerable to data breaches.

Internal threats to data security.

Internal threats usually originate from call center agent errors. When a contact center agent fails to protect their computer workstations, falls prey to phishing attempts, or misuses data in some way, they expose the whole organization to security threats. Disgruntled agents can sabotage an organization by acting deliberately to steal or redirect information.

To prevent internal threats, call center agents need training and monitoring. Resources like gamified training solutions, security mentoring programs, and employee knowledge bases are all out there. Implementing these options will equip and educate your team against accidentally becoming internal threats. Monitoring can be done by reviewing agent call logs for activities that seem out of place.

Remote contact center teams bring a whole other dimension to security issues. Working from home can mean supervisors are no longer present to help mitigate risk by observing agents or being physically close. It also means that security processes and technologies intended for in-office teams will no longer be relevant in a remote environment. Remote work environments need solutions and processes that help supervisors monitor agents and enforce policies. For example, a voice biometrics system can authenticate your agents’ identities remotely without adding extra steps to their daily operations.

External threats to data security.

Many data security threats come from deliberate efforts to break into your systems. Malicious users take advantage of security gaps such as insecure access points, unencrypted data, weak passwords, and insufficient security protocols to collect sensitive data. Once attackers gain access to customer data, the potential for damage skyrockets. Ransomware attacks, data leaks, distribution on the black market, and more are all possible once an attacker finds their way into your system.

How to increase contact center security.

Secure cloud-based solution.

A cloud-based solution is a great way to tighten up your contact center security. A cloud environment makes it easier to make security architecture changes and stay up-to-date with compliance requirements.

Multi-factor authentication.

Multi-factor authentication (MFA) helps to minimize threats as well. MFA asks for employees to verify their identities with more than just a username and password, making it harder for attackers to crack the code and reach your organization’s sensitive data. Multi-factor authentication with voice biometrics is especially considered an industry best practice.

Data encryption.

Encryption enhances your security by transforming sensitive data into ciphertext. This encrypted data can only be decoded with a unique decryption key. Because of this, even if an attacker managed to steal your customers’ sensitive information, they wouldn’t be able to use this encrypted data in any way.

System and network security protocols.

Many of these protocols help to authenticate users and monitor connections between your systems. These protocols also help to secure your data by controlling where it goes within your systems and networks. In addition, for better visibility into operational risk and compliance, contact centers can use APIs to feed data into various systems across their tech stack, including SIEM (security information and event management) systems.

Final thoughts on contact center security.

Contact centers play a critical role in dealing with customers’ sensitive data. Many customers reach out to these agents with concerns and questions about their finances, health, and other sensitive matters. Plus, threats can come from multiple areas — not only from systemic errors but through agent-based attacks like social engineering. Because of this, it’s essential for contact centers to put up strong security measures to protect your contact center operations, monitor agent behavior, prevent bad actors from tricking your employees, and so much more.

Talkdesk offers a better way to unlock the promise and potential of great customer experience and gives contact center leaders solutions for intelligent risk and compliance management.  We bring the best of artificial intelligence and central dashboarding to contact center teams, making them more secure and more efficient. We work to uphold the latest compliance requirements and security standards. Our suite of products also prioritizes making the lives of agents easier, along with implementing security measures throughout the operations of your contact center.

To find out more, download our ebook, “A guide to security and compliance at Talkdesk“.