A step-by-step plan to optimising data security in the contact centre

Hacked business systems, phishing emails, personal customer data becoming public... they’re reported in the media almost daily. It feels as though data security is becoming more and more of a problem. And that indeed turns out to be the case. According to a report by Interpol¹⁾, cyber threats have increased enormously as a result of the COVID-19 pandemic, and it is expected that businesses – and therefore their customers – will increasingly be affected by this.

The contact centre is particularly vulnerable in this regard, as that’s where a lot of sensitive information is located. Customer names, telephone numbers, social security numbers, payment information… they’re not always (only) stored in a CRM system in the cloud, but also, for example, on employees' computers and company servers. As a result, potential data leaks can cause major security risks. In this blog you can read what the risks are and how they can be limited as much as possible.

_{1) Interpol – Cybercrime: COVID-19 Impact (August 2020)}

Customer trust

We all know that customer loyalty is by no means a given. Even if the customer is satisfied with a product or service, it does not necessarily mean that they will choose the same company again next time. So your aim should always be to positively surprise your customer. However, the quality of what you deliver is no longer relevant the moment you lose your customer’s trust, e.g. due to a data breach that causes their personal data to be exposed.

It is therefore not only the financial consequences of a data breach (including ransom payments and the costs related to downtime, data loss and system recovery) that can have a huge impact. It is your company’s reputation and the trust of its customers that ultimately matters the most. Customers are simply not very forgiving when it comes to a violation of their privacy. According to a study²⁾ by Gemalto, the world leader in digital security, 70% of consumers would no longer do business with a company following a data breach.

The fact that data breaches are becoming more common and more widely reported in the media means that customers are more aware than ever that data security is no longer a given. They are increasingly taking this into account when choosing a company or organisation. According to ZD Net³⁾, 84% of consumers are more loyal to companies with strict data security.

_{2) VansonBourne (on behalf of Gemalto) – Data Breaches and Customer Loyalty Report 2018}

_{3) ZDNet: Top 8 trends shaping digital transformation in 2021}

Regulations

Since the introduction of the GDPR regulations, the importance of data security has become even more visible. What data is stored, and where? For whom is this accessible? What is being done to ensure its safekeeping? We previously wrote a blog about the importance of data security in the contact centre, especially about the security of a cloud solution.

EU regulations are now also being drawn up regarding mandatory cyber security. The new rules will not only apply to vital companies and institutions such as banks, hospitals, healthcare institutions and utility companies. Other companies with an annual turnover of (at least) 10 million euros and a minimum of fifty employees will soon be required to check their IT systems for vulnerabilities, perform risk analyses, improve their security and make daily backups.

People make the difference

Customer interaction still (largely) relies on human work. It’s the people make the difference after all! Although this is obviously a good thing, at the same time it is precisely that human aspect that can make contact centres vulnerable to data breaches. Because you can't program people. They can – consciously or unconsciously – act carelessly, be bribed or even threatened.

Another risk is the fact that many contact centres still experience a high rate of employee turnover. On the one hand, it means dealing with inexperienced employees who are more likely to fall prey to fraudulent calls, and may not always be aware of the security risks. On the other hand, high turnover means that employee engagement is usually limited, which unfortunately can make people more susceptible to fraud.

The risks

The risks of data leaks are of course not only determined by the human aspect. Technology also entails vulnerabilities. Below are the most common risks contact centres are exposed to:

Denial-of-Service (DoS) attacks

In other words, the "shutdown" of the contact centre by bombarding it with a huge number of calls at once. The reason? Typically, the hackers' aim is to distract the target from another hacking attack, or to demand payment of "ransom" in exchange for ending the attack.

Storage of call recordings and transcripts

Contact centres store recordings and transcripts on servers for training purposes as well as to comply with legal and regulatory requirements, but these servers can be targeted by hackers to gain access to sensitive customer information.

Vulnerable IVRs

This is especially risky if customers are required to leave sensitive information that can be used for identity theft.

Social engineering

This includes fraudulent calls designed to manipulate or mislead employees into accessing accounts, transferring funds or obtaining personal information.

Sale of call recordings or other sensitive data by customer contact employees

This is a potential risk, especially in contact centres with high staff turnover and those where huge numbers of contact centre employees are hired in a short period of time.

Due to the urgent need for new customer contact centres since the outbreak of the COVID-19 pandemic, for example for tracing purposes, vaccination and test appointments, these risks and vulnerabilities have become even more visible.

Tips for better data security

Hackers are opportunistic and they’re becoming smarter and more organised. Fortunately, there are all kinds of security measures that you can take to protect the contact centre against attacks, such as:

Securing endpoints

What matters is that you minimise the chance of errors and fraud by contact centre employees, for example through double identity authentication, VPN encryption, the use of virtual desktops, and the decommissioning of local data storage. In addition, you can limit the risk of data exposure by only allowing contact centre employees to work via a wired connection, and by only allowing network access during working hours.

Compliance with data security standards and regulations

This of course applies to the organisation you work for, but also to the parties that your contact centre depends on, such as suppliers and consultants. Guidelines on the process-based protection of personal and company data against hackers and intrusion are covered by – among others – the ISO-27001 standard and the SOC 2 (Service Organization Control) security standard.

IVR security and customer authentication

Opt for multiple layers of authentication to reduce the risk of identity fraud. Solely relying on the phone number that a call is placed from, or the caller's name or customer number, simply carries to much risk.

Encryption

File, data, and call encryption help keep digital information confidential. In some cases, it is also possible to have sensitive information filtered out automatically before it is stored.

Secure storage of call recordings

During interactions with contact centres, customers share personal information that needs to be protected. While certain tools automatically interrupt the conversation when confidential information is shared, the recordings should also be stored on extra-secure servers.

Company culture

As no single security method is enough to keep fraudsters out, it's important to make sure the contact centre has a layered defence system in place. This way, even if a hacker breaks through one or two layers, it becomes increasingly difficult to bypass the entire security system.

Apart from the technical measures that you can take, data protection must of course be part of the company culture right down to the deepest layers of the organisation, and employees must be regularly trained on the risks and consequences. In addition, it is extremely important to aim for maximum employee engagement. We recently wrote a blog about this. The greater the level of engagement, the smaller the chance that employees will purposefully misuse the customer data they have access to.

Do you have questions about the security of customer data in your contact centre? Let us know! Our experts not only know the ins and outs of the various contact centre solutions, but they also have a lot of experience with data security customisations.