Is Private Customer Information Secure in Your Contact Center?

Cybercriminals are on the prowl, just waiting for some human to slip up and give them access to proprietary company data. As is usually the case, human beings—who are both emotional and non-automated—are the weakest link in the security chain. Do your employees have the training and tools to thwart invasive actions from criminals? Would they recognize, for example, an email ruse—one containing malware—from a hacker?

While increased IT spending on security has closed some doors to criminals, windows can be jimmied open—especially where humans are part of the defensive framework.

Even though 9 percent of IT budgets were allocated to security in 2016, up from 4 percent in 2014, according to the SANS Institute, cybercriminals will, no doubt, continue to get around the even-more-advanced protections supported by these investments.

Yet, with a renewed focus on security threats, contact center leaders can reduce the risk that “social engineering”—attacks that involve tricking people into breaking normal security procedures—will dupe their employees.

Primarily, companies must create a culture where security is a top priority for all staff. Not only will security improvements protect your business, they will protect your customers, thus enhancing the customer experience. Indeed, consumer research shows that customers are well-informed about security issues, and that as many as 70 percent of them are uncomfortable sharing sensitive information, especially over the phone.

Yet they still do it. Forward-thinking organizations, however, will take steps now to enhance their security protocol with technology—before consumers opt for other ways to make their purchases. Better security will help people feel more comfortable engaging in phone transactions, resulting in increased customer satisfaction … and increased spending.

Currently, organizations are not taking adequate steps to prevent negligent employee behavior. In fact, a study conducted by Experian Data Breach Resolution and Ponemon Institute, found that 60 percent of the 600 individuals polled—who work at companies with a data protection and privacy training program in place—don’t believe their employees are knowledgeable about security risks.

This means trouble, as the study also brought to light the fact that 55 percent of the companies surveyed have experienced a security incident caused by an employee.

Surprisingly, although employee-related security risks are the No. 1 concern for security professionals, according to Experian/Ponemon, only 35 percent of respondents said senior management makes it a priority. This indicates a gap between awareness and action.

To narrow the gap, consider taking the following steps:

• Move beyond simple employee education practices to mandatory security training that covers a complete roster of risks that lead to data breaches. Critical areas should include phishing and social engineering, mobile device security and cloud services safety.
• Provide incentives to employees for being proactive in protecting sensitive information or reporting potential issues. Incentives can be financial and/or part of performance reviews.
• Develop and implement consequences for negligent behavior that causes a data breach.
• Vet technology solutions that allow customers to enter sensitive information via keypad, so employees don’t see the information. Credit card numbers are sent directly to processing and the contact center Communicator receives notification of approval.
• Ensure that, even if the human element is misled, measures—like simply leaving the data in some format unusable by criminals—are in place to prevent the looting of payment cards and personal information. For example, replace sensitive data with a unique and meaningless equivalent, known as a token, that has no exploitable value.

The best way that contact center leaders can combat employee susceptibility to social engineering is to acknowledge and prepare for the likelihood that staff can thwart protective security measures through negligence or malicious intent.