Things that are easy to miss in the race towards hybrid working and the cloud

The mega-trend towards hybrid working and cloud migration seems unstoppable. But customer service organizations could find their wheels come off if they fail to address a hazardous twist in the transformation journey.

For many businesses, switching to the cloud makes sense on multiple levels. On-premises kit is seen as expensive to buy, install and maintain, whereas agile, scalable cloud platforms are considered to be more efficient, cost effective and easier to manage. Then there are all the benefits around greater business resilience and environmental sustainability.

Next comes your deployment strategy — and choosing from all the different pathways to the cloud, from rehosting and re-platforming, to re-factoring using Kubernetes, and rebuilding applications in cloud-native ways.

But there’s one aspect of hybrid working that has potential to impact organizations’ customers, finances, and brand reputation and the cloud, and some organizations are failing to recognize it. It’s an issue for customer service organizations especially, and it relates to who’s responsible when there’s a data breach.

Adapting quickly

Right now, the cloud is particularly attractive to customer service organizations with large contact centers, customer service teams and a tech stack to match. Many of them have had to adapt quickly over the past 18 months to enable agents to work remotely, so they can keep the business functioning and customers satisfied.

On one level, this has been particularly helpful for IT teams, as it made their business colleagues readily understand and accept the value and importance of the cloud. Nearly everyone sees the need for digital transformation.

On another level, though, the rush to introduce hybrid working and the cloud presents the following complication: customer service organizations process huge volumes of customer information and payment data, and this poses a big risk.

Before, when everyone worked from the same physical site, traditional security methods were often deployed to protect sensitive customer and payment card data. But now the attack surface has broadened massively.

In its The State of Security 2021 study, data specialist Splunk reports that 53% of IT and security leaders say attacks are on the increase, while 76% say remote workers are harder to secure. This presents a host of new challenges that need to be addressed extremely carefully.

When security evaporates

A common misconception among companies is that their cloud providers’ compliance with the Payment Card Industry Data Security Standard (PCI DSS) also makes them compliant from the start.

Yes, you can buy a cloud service that’s PCI DSS-compliant and designed correctly for ultra-secure services. But self-service configuration isn’t always easy and it’s possible that someone could, for example, change access controls. As a result, a cloud service that’s prized for being “secure” becomes badly compromised.

You can’t blame your cloud provider if there’s a data breach. That’s because the responsibility for data security is yours and yours alone. If mistakes happen, vulnerabilities arise and attacks are launched, the buck always stops with you. This covers how you map and manage your cloud infrastructure, as well as the way your process data.

It’s helpful to think of any sensitive data that could be accessible to a rogue agent or a hacker, from someone’s card number to their date of birth. This might relate to any of your channels handling data, from online transactions and automated IVR payments, to purchases over the phone with an agent or payments made through web chat.

Using partners

If you run a customer service organization with a contact center, the likelihood that you will be managing multiple software with a continuous stream of customer data is high. With the cloud, there’s the desire to blend it altogether, centralize your customer data and share it in an omni-channel fashion.

If you decide to configure and manage card and customer services yourself, then you need an expert eye to check your set-up and configuration changes. Becoming secure and staying secure demands a full, “back to basics” mapping of card/personal data flow and a deep understanding your technology footprint.

This isn’t an area where you can afford to take chances or learn on the job. Data breaches can result in fines from regulators, bad publicity, a loss of customer confidence and plummeting revenues.

Using a cloud security partner is your second option. A third-party data security provider can reduce your security and compliance burden, even to the point of preventing every ounce of sensitive data from ever entering your own systems. They can also provide additional guidance and expertise as new standards are released and emerging threats are identified.

But remember: the ultimate responsibility for protecting and storing customer data lies 100% with you. If they fail, then you still carry the can.

Here are five key questions to ask any cloud provider or security partner:

• What does their service provide? Create a responsibility matrix for your cloud services. Assess what each potential partner offers, establishing which security duties stay with you and which are shared. Understand how their service changes your footprint and your risk profile.
• What does compliance really mean? Obtain their PCI DSS Attestation of Compliance certificate, Cyber Essentials certificates, ISO certificates and ensure that they cover the scope of the solution being provided to you.
• How good is their reputation? Just like when hiring a new employee, an equal level of rigor should be applied when considering cloud service providers. Also assess the organization’s financial state, testimonials, and previous history.
• Are they strong on availability? Any downtime or event for your service provider is likely to impact your availability, revenues and service levels agreed with your customers.
• How good is their own security strategy? Obtain and understand their responsibility matrix, review their security operations, and talk to them about how things work. It’s also useful to know what their service design strategy is as well as their data classification approach, storage, and retention. These are all specific to you because their risk now becomes your risk.

How to get to the facts

When it comes to gathering information from the service providers, information security questionnaires are a very popular approach, but many of them don’t delve deep enough or provide an adequate insight into their risks and security posture.

The responsibility matrix approach works best when creating your security questionnaire. It creates a more tailored and effective assessment of the provider, and also considers the people, process and technology triangle.

A completed security questionnaire does not constitute success. All the responses should be scrutinized for holes and gaps so the risk to you is minimized. Don’t hesitate to get clarification on unclear or ambiguous responses. Also: assess your providers regularly. As the threat landscape changes, major emerging threats are being identified and it’s becoming increasingly important to keep up to date with their risk exposure and mitigation strategy.

Ultimately, it’s important to view your cloud estate and its security in a similar way to an end-to-end supply chain — formed by the best partners, each playing their part and with no weak links. That way, you’ll be able to advance your cloud strategy with confidence in a world where regulations, threats and technologies are changing constantly.