TUESDAY, April 30, 2024
nationthailand

Is data breach moving out of reach in Contact Centers?

Krishna Baidya, Industry Manager, APAC Customer Contact Practice, and Sathya Subramanian, Senior Research Analyst, Customer Contact Practice, Frost & Sullivan

 

Organizations globally recognize that superior customer service can both increase revenue and be a competitive differentiator in an increasingly competitive business environment. The contact center plays a big part in that effort for organizations across different verticals and sizes. Many of these organizations outsource their contact center operations in order to concentrate on their core business. Such third-party outsourcers are usually specialists in the area of contact center outsourcing. Still, many organizations prefer to maintain their contact center operations in-house, although they realize the benefits of outsourcing. Security of sensitive data shared with outsourcers is one of the key concerns for such organizations. Although the risk of consumers' personal information being compromised is not new, the slew of incidents and the scale on which they have come to light recently are enough to make consumers feel nervous about their personal data. The recent scam, exposed by the British media, of data sold by agents of outsourcing firms in India is an example. In this Market Insight, we discuss the best practices followed by some of the best outsourcers globally:
  
Factors behind data thefts: 
Data thefts could be due to internal or external factors. Corrupt contact center employees act as internal agents for data thefts. Agents who have access to confidential customer data and proprietary company information are often soft targets for crime syndicates. Data can be routed out through e-mails, entered into a mobile phone or a USB device, or captured through software installed on the system (e.g., spyware, network sniffers). Information can then be sold to fraudsters and telemarketing companies.
External factors include hacking into the outsourcer's database to retrieve vital customer information. A recent study has indicated that more than 90% of all data breaches in 2011 were a result of external agents, with more than 75% of those being a result of hacking. The data breach incident in 2012 at Global Payments Inc., a provider of Electronic Transaction Processing (ETP) services for Visa and MasterCard, is the most recent case of hacking or intrusion. The breach is said to have affected nearly 1.5 million cardholders in North America. Small contact centers with unguarded or easy access to records are prone to be affected the most. Such intrusion and eventual data compromise could also occur in large contact centers, as witnessed in the Global Payments Inc. case. In the wake of such incidents, it might help to look at certain best practices followed by some of the global leaders in outsourcing to bring in the best possible data security measures.
 
Best Practices in leading outsourcing firms. 
In centers that follow best practices, misappropriation at agent level is quite rare. In these centers, security measures begin as early as the hiring stage. A strict set of hiring standards is applied, and meticulous background checks and evaluations are conducted to determine the integrity, honesty and trustworthiness of the candidate. At the workstations, robust authentication systems are used to confirm the agents' identities. This is to prevent impersonation and unauthorized system access. A good example of such a system is the 'single sign-on voice authentication process' used by one of the top outsourcers in the world.
An important step in this process of providing security at the agent level is access control. Discretionary access control is implemented to make sure agents have access only to applications and databases that are specific to their work. Access logs are maintained to monitor activity in the database. Information such as the identity of the agent accessing the database, and how and why it was accessed, is recorded.
Rigorous physical and environmental security controls are imposed to reinforce caution in the contact center. Some of them are: 
• Written security policies and building access procedures
• Badge sharing and piggyback entry are prohibited
• All visitors must be logged and admitted through reception
• 24x7 onsite security guards
• Card-key, biometric, or similar entry locks
• ID-badge system for all employees and visitors
• Individual lockers/cabinets to enforce the clean desk policy
• Disabling USB ports
• Monitoring usage of mobile phones with cameras at the workstations
• Video surveillance and motion sensors for entrances, interior doors, equipment cages, and critical equipment locations within the building
Addressing data theft due to external intrusion, also known as hacking into the system, is a lot trickier. This is achieved by state-of-the-art technology and systems such as firewalls and intrusion detection software (IDS). Multiple layers of firewall are aimed at preventing intrusion or delaying entry into the network. The IDS simultaneously detects intrusion and takes appropriate measures, including sending out signals and even shutting down the system. Encryption of data and files, including voice encryption for sensitive customer data received over voice channels, is prescribed by the PCI DSS (Payment Card Industry Data Security Standard). Many outsourcers duly carry this out. This is seen as an effective method of securing data.
Such systems are fortified through regular audits and security scans. They are performed to maintain compliance with industry information management standards and to identify application vulnerabilities. One such system is the Fraud Risk Assessment solution implemented by a global leader of contact center services. This four-phase security-enhancing program aims at identifying and quantifying business impacts of risks to mitigate fraud and data theft. 
Many of the leading outsourcers accomplish all the aforementioned steps through a dedicated security team with Certified Information Systems Security Professional (CISSP) security analysts and Chartered Financial Analyst (CFA) Certified Fraud Examiners. The mission of this team is to adhere to strict security standards to protect the confidentiality, availability and integrity of client data.
As stated earlier, centers with good security standards in place are best equipped to handle any data security issues and can assure best-in-class services to clients in a protected ambience. Many outsourcers have a long track record to vouch for this. 
 
The final word: 
The three stakeholders in the case of a data breach are: the outsourcers themselves, the clients or enterprises, and their end-customers. Although the outsourcer implements these security standards, companies that outsource share this responsibility. CRM partners should be chosen after exhaustive inspection of the facilities. Further, periodic audits are necessary to ensure the adherence to standards. 
The good news is that more outsourcers are taking on this daunting challenge by implementing the right systems to preserve data security. Enterprises need to ensure that their customers are constantly assured that their data is in safe hands. This communication alone goes a long way in preventing users' apprehension.
The buzzword for data security in contact centers is 'Proactive'. Outsourcers need to proactively implement measures, clients need to proactively prod the outsourcers to establish good systems, and end customers need to proactively seek awareness and information on how their data is being handled.
Albeit a serious concern, data breach prevention is certainly not out of reach as outsourcers globally are steadily battling the issue with innovative technology and solutions. 