Businesses are facing ever-increasing risks of fraud and cybercrime. Every day brings more reports of security breaches and compromised customer data. Cybercriminals are clever and quick to find new ways to steal customers’ and employees’ personally identifiable information, which can be used to commit fraudulent activities ranging from spamming to accessing online accounts to extortion.
Cybercrime schemes surface so quickly that detecting and mitigating cybersecurity risks can feel like an endless game of whack-a-mole. Not surprisingly, in recent years, tackling shifting fraud tactics has been identified as the top challenge for leaders in risk, fraud, compliance, product and operations departments. Yet in an era where customer experience has become a differentiating factor for brands, leaders also are concerned that customers will balk at having to use cumbersome identity verification processes. A consumer survey conducted by IDology found that, when opening an account online, consumers valued security (88%) and ease (72%), and almost one-third said they abandoned sign-up processes that were too difficult or took too long, according to Christina Luttrell, SVP of Operations for IDology, a leader in multilayered identity verification and fraud prevention.
Antifraud practitioners have taken note, as the results of the IDology Sixth Annual Fraud Report revealed. “For the first time since the inception of the report six years ago, balancing consumer friction with fraud prevention is the No. 1 challenge companies are facing for fraud prevention, surpassing shifting tactics being used by fraudsters, which, until 2018, was the dilemma of greatest concern,” Luttrell says. “This year, two-thirds of the respondents say that the balancing act is the biggest challenge in their industry, up from 40% last year.
“Companies know consumer experience is paramount, as consumers have higher expectations for speed, ease and security for transactions. At the same time, the number of data breaches and the quantity of personal information on the dark web continue to grow,” Luttrell adds. “These two conditions are compelling companies to take a strategic and more sophisticated approach to digital identity verification with the competitive end goal of delivering a frictionless customer experience, effectively deterring fraud and ultimately cultivating long-term customer trust and loyalty.”
The IDology report suggests that, instead of balancing friction and prevention across the board, businesses should think about how to adapt the verification process on a per-customer basis by considering: “What is the right amount of friction for this specific person, and when is the right time to introduce it? Implementing a multilayered identity verification solution, which examines an assortment of attributes and can dynamically make decisions based on a variety of parameters, is the most effective way to ensure customers only experience friction when necessary while still maintaining strong security. It also positions organizations to be ready for tomorrow’s customers, economy and fraud trends.”
Top Internal Security Risk: Human Error
Data protection systems and tools that are currently on the market offer robust protection against external cyber threats. For most businesses, though, the most significant security risk to a company’s data or systems comes from within—human error. Most (84%) C-suite leaders and just over half (51%) of small business owners cited employee negligence as their biggest information security risk, according to Shred-it’s 2018 State of the Industry Report. Consumers agreed: 96% said they viewed employee negligence as a contributor to data breaches at U.S. companies.
Simply put, “the human mind is hackable,” says Chris Knauer, SVP and Chief Security Officer at Sitel Group, one of the largest customer experience (CX) management companies in the world. “Humans are subject to suggestion; we feel the need to please people, but in the process of doing so, sometimes we inadvertently do things that are not in the best interest of the very people we’re trying to serve.”
That may be the customer, or it may be a leader or colleague within the organization. “The newer sophisticated types of attacks taking place today are trying to take advantage of that,” he adds. “It’s not like the Nigerian prince emails from 10 or 15 years ago. What you see now are emails that look like they’re coming from your manager or from a chief executive of the company.”
Social Engineering Is an Ongoing Threat for Contact Centers
The desire to help their customers is what makes agents vulnerable to social engineering attacks in which criminals who are skilled in manipulation tactics gain agents’ trust and trick them into giving away confidential account information. What might seem like an innocuous bit of information provides the criminal with another detail that they may not have had. And if they do it enough times, they can collect enough information about the target to take over the account.
A common social engineering tactic is a criminal who poses as an angry customer knowing that, when agents get flustered, they’re more likely to be manipulated. “An effective way to manage this type of scenario is to have escalation paths within the call center to quickly determine whether this is a real issue or a potential scam,” Knauer says. “If you have one person dealing with an angry caller, it’s likely that person is going to be manipulated. But if it’s two people, you tend to get a more unbiased view of what’s happening with a particular call situation.”
In some cases, the agents themselves create a security risk by going off script; for instance, by asking leading questions in the customer verification process. A typical example is when agents confirm a customer’s home address by saying: “Are you still living at 123 Main Street?” instead of asking the caller, “What is your home address?”
So how can you help frontline staff to be more vigilant against master manipulators and other data security risks? Provide security awareness training on the different types of threats that agents are likely to encounter. Training should include data security protocols, standards for handling sensitive information, how to report a suspected issue and what to do when an incident takes place, along with general cyber- and workplace security best practices.
Role-playing can be an effective approach to ensure that agents learn how to identify social engineering tactics and when to escalate calls. Knauer and his security team also periodically call various programs within the center to see if they can manipulate agents into releasing information. He has found that agents in programs that emphasize Net Promoter Scores will sometimes feel pressured to try to please the caller, but as he explains, “the reality is that consumers want to know that their information is secure. Taking a customer call is like driving on the highway—you have a starting point, an end point and there are lanes that you need to stay within. The bottom line is we want people to use the scripts and tools they have in place to manage the call, stay within the lanes of the highway and don’t take any off-ramps.”
Admittedly, security awareness training can be a bit dry, especially when presented classroom-style. Knauer suggests using shorter, interactive sessions to engage agents. Communication from company leaders also can provide valuable encouragement and support. In a recent phishing scam, attackers sent fake emails to Sitel Group employees posing as CEO Laurent Uberti and requesting them to transfer funds or release gift cards. Uberti issued a video message discussing the scam and telling employees not to respond if they received the email, and that he would never ask them for gift cards or to transfer money.
“The message that he created was very powerful,” Knauer says. “And it set the tone for the rest of the company that our executive team is not going to come to you haphazardly from a Gmail or Hotmail account and ask you to do something that is not part of our business.”
Shining a Light on Dark Data
Hoarding data has been the standard practice for most businesses for years. Whether it’s customer data, email, survey data, presentations, reports, zip files, log files, call recordings, employee information, old versions of documents, account information—companies have stockpiled vast amounts of information. Gartner defines this as dark data—“the information that organizations collect, process and store during regular business activities, but generally fail to use for other purposes.”
Worse, organizations typically don’t even know that the data exists. “It’s data that has two problems: First, the fact that we don’t know about it, so we’re not leveraging it. And the second is that it becomes a security problem because you cannot properly manage it and protect it if you don’t know you have it,” says Amit Ashbel, head of marketing for Cognigo, which provides AI-driven, human-free data protection, governance and compliance.
Dark data is difficult to locate. It can be scattered across databases, computers, cloud services, file servers, applications, external drives—basically, any place that stores data. Ashbel points to a Forrester survey which found that 62% of data security professionals in North America said they had no idea where their most sensitive unstructured data resides. Further, Gartner predicts that, through 2021, more than 80% of organizations will fail to develop a consolidated data security policy across silos, leading to potential noncompliance, security breaches and financial liabilities.
“No one has continuous control and governance of this data, which might contain information that is very personal,” Ashbel says. “If you hold that data, you have the responsibility to protect that data. Regulations like the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) are telling organizations that it’s no longer legal to have dark data; it’s no longer legal not to know.”
Widely publicized data breaches have heightened consumer awareness about what companies are doing to protect their data. Consumers can now request that businesses provide them with their personal data report, and the GDPR requires companies to do so (the CCPA goes into effect on January 1, 2020, also providing consumers with the right to access personal data, among other things).
“The regulations have created a dramatic shift in why dark data has become so important. As a consumer, you might want to see that your information is being used responsibly,” says Ashbel. “If the company has taken a serious approach to the regulations, they’ll respond to your request. If they don’t respond, you should probably be considering whether they’re managing your data responsibly.”