Security is front of mind for a lot of organizations these days, especially due to the 400% increase in cyberattacks since the pandemic started. Notable and alarming attacks include those on the federal government by nation-state threat actors using widely used third-party tools as vehicles for intrusion. Your contact center is no exception: it’s facing standard cyber security threats, such as DDoS attacks, but also seeing an increase in attacks targeting customers’ personal data. If you’re using a cloud-based contact center managed and maintained in a data center, these threats can increase. Even more so if you are outsourcing contact center agents, increasing points of access and areas of liability.
One of the biggest mistakes an organization can make is to not have the same security controls or posture in place for its contact center or CCaaS as it does for other applications. Contact centers hold sensitive data that needs protection, just like a CRM/ERP system or a database. With that in mind, organizations should take a defense-in-depth approach, incorporating the following key elements for a contact center or CCaaS environment:
Proper physical controls – Most modern data centers are ISO/IEC 27001-certified, which means specific physical security components must be in place. But if they are not, these physical controls should be implemented:
- A physical security policy on an organizational level. All staff and outsourced workers have to acknowledge the importance of the policy and follow it
- Adequate CCTV cameras in all secure areas, creating few or no blind spots, along with adequate video retention
- Single point of entry to secure areas and additional physical access restrictions for private racks and servers
- Physical access control systems with an anti-tailgating/anti-pass-back turnstile gate permitting only one person to pass through after authentication
- Documented policy and procedures for lost or stolen employee badges/FOBs/keycards
If leveraging a CCaaS solution, the managed service provider would be responsible for maintaining this and providing documentation detailing what physical controls are in place.
Proper technical controls – Network systems or resources in the contact center need to be secured by next-gen firewalls, intrusion prevention and detection systems, access management and other technical controls. Some more advanced controls that should also be considered are: adaptive multi-factor authentication, zero-trust network access, physical security as a service (PSaaS), and universal endpoint management (UEM).
Proper administrative controls – Further expanding on detailed security policies, there should be policies and controls around how to handle sensitive information. There should be instructions created on labeling private information as “confidential” within the contact center or CCaaS application.
Proper endpoint protection – It is mandatory to secure all endpoints utilizing a soft phone or contact center / UCaaS application – and it requires more than installing endpoint detection and response / antivirus / advanced malware protection. According to the SANS Institute, endpoint detection and response solutions only detect 26% of initial attack vectors, and with the high volume of EDR system notifications, 54% of security professionals ignore alerts that should be investigated. Add cross-layer protection and gain greater visibility through extended detection and response (XDR) tools.
No amount of contact center technology will guarantee that your company is in full PCI compliance, since the scope of compliance goes beyond the contact center to ensure no sensitive financial data is made available to inappropriate or malicious parties. Limiting access by agents and securely storing call center records helps keep data protected and mitigates PCI concerns.
One way to accomplish this is to create an interface that agents can transfer callers to in order to take the customer’s payment data, process it, and then transfer the caller back to the agent once the transaction is complete. It is best if this can be done by an independent outsourced agent, so that data is never stored with the customer and is only shared with the financial institution facilitating the payment.
This is preferred over having the caller share their information with your customer, which would involve your customer in the direct handling of sensitive data. This also prevents agents from writing down sensitive information and keeps other employees – including IT admins – from having access to log files showing private financial information.
The data that is being stored and transmitted should always be encrypted – an important layer of security. This makes it more difficult for sensitive data to be viewed without the encryption keys, further demonstrating the business’ commitment to keeping customer data protected. The best practice is to avoid storing or transmitting sensitive customer data if possible; if you must store it, store it only for short durations and then permanently purge it, or find a way to move it to another secure location for long-term archival. It is important for a business to evaluate whether data needs to be stored – does it need to keep the customer’s social security number on file, or can it instantly purge sensitive data?
Many businesses have a CRM integration capturing this information in real-time, making it unnecessary to store. Additionally, if call recording is mandated for security purposes, find a way to transcribe these recordings to isolate sensitive data. Then, using an automated or manual process, delete or relocate this data on a continual basis.
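One way to automate the "isolate, then delete" step on call transcripts, shown as an added example that is not from the original article: it masks card numbers (validated with the Luhn checksum to skip look-alike order numbers) and US-format SSNs. The transcript lines, patterns and function names are constructed for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by a space or dash.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# US Social Security number written as 3-2-4 digits.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def redact_line(line: str):
    """Mask card numbers and SSNs in one transcript line.

    Returns (redacted_line, findings). findings lists the data types found,
    never the values, so the audit trail holds no sensitive data itself.
    """
    findings = []

    def mask_pan(m):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            return m.group()    # order numbers and similar runs stay intact
        findings.append("PAN")
        return "[PAN ending " + digits[-4:] + "]"

    def mask_ssn(m):
        findings.append("SSN")
        return "[SSN]"

    line = PAN_RE.sub(mask_pan, SSN_RE.sub(mask_ssn, line))
    return line, findings

# Constructed sample transcript (4111... is a well-known test card number).
SAMPLE = [
    "Caller: my card is 4111 1111 1111 1111",
    "Caller: social is 078-05-1120",
    "Agent: your order number is 1234567890123456",
]

if __name__ == "__main__":
    for text in SAMPLE:
        print(redact_line(text))
```

Pattern matching only catches digits the transcription rendered as numerals, so it complements, rather than replaces, keeping payment data out of the recording in the first place.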
Businesses should also determine whether there is a more secure way to acquire this data, such as having the customer submit the data in a secure system or only provide limited digits, versus providing all information to a live agent.
Firewalls are sometimes a contact center’s worst enemy
As a cloud communications architect supporting contact centers for the past two decades, I have seen first-hand how many support tickets are caused by firewalls – at least 30%. It is not uncommon for security personnel or an automated security application to shut down a critical service.
The unfortunate truth is that IT security staff and contact center engineers typically do not run in the same circles. If you have an IVR doing a database dip to an external database or an agent recording a greeting using a web-based desktop client, security might be unaware of the access required and can disrupt these services without even knowing what they have done.
Another best practice is that when changes are made to security policies or configurations on security appliances, they are clearly conveyed to contact center support, making it easier to draw a correlation between the change and a disruption in service.
Implementing the above elements won’t make your contact centers invincible, but by taking a defense-in-depth approach, you can protect, detect, mitigate, and isolate an attack more quickly, giving you greater control over threat actors. Given the volume and magnitude of threats today, security needs to go beyond the standard to keep contact centers safe.
Contributing author: Jim Bowers, Security Solutions Architect, TBI.