Hackers are already trying to breach your contact center’s database. One day, they might break in. We offer some common and not-so-common measures to help prevent disruption of your business.
Presently, worldwide hackers’ infestations assault businesses of all sizes—from the enterprise to the esoteric corner shop.
Data is the new covet, and there’s more than enough for hackers to plunder, disrupt, and restrict while concealed at the kitchen table, basement couch, warehouse desk, and even in the sanctuary of certain foreign government buildings.
A Multitude of Measures
Of course, you know that contact centers are data gold mines that store a wealth of information cybercriminals want.
It’s almost instinctive for hackers to stalk your databases. Imagine foxes pacing along the wire of an enclosed chicken coop. They, like hackers, circle and probe until they exploit a weak spot in the perimeter. Then they pounce, leaving you to deal with havoc. Security measures do not deter; they are merely in the way until hackers discover a way around them.
Therefore, contact centers should employ a multitude of different cybersecurity measures, including those not required by mandatory standards.
Otherwise, it could be ransomware. Like Kronos or Colonial Pipeline. Or a malicious software update á la SolarWinds. Perhaps a Distributed Denial of Service (DDoS) interruption. Maybe even a Telephony Denial of Service (TDoS) occupation. And phishing expeditions still fool enough people for hackers to cast nets targeting millions of email addresses.
Whatever the method of the data breach, your contact center could be next.
According to RiskBased Security, reported data breaches in the United States in 2021 increased by 10% over those in 2020. The data types exposed included credit card and Social Security numbers, names, emails, addresses, dates of birth—in the billions—all accessible in contact centers.
By the end of 2023, nearly 30% of all companies in the world will have experienced data breaches. And half of all those data breaches will occur in the United States. Many of them will have been at contact centers. And in the contact center space, virtually all data breaches involve employees/agents acting as accomplices—either unintentionally or willingly.
However, all the news is not this bleak. Many contact centers do apply common-sense safeguards that block backdoors of opportunity. And that’s good—they all just need to do more. Your contact center probably needs to as well.
Thankfully, our contact center customers consistently ask how to enhance their servers’ security.
We hear a lot of encouraging requests because they are about the right countermeasures that we, along with our partners, can meet. However, not all our potential customers always raise these concerns, so we remind them.
Data Encryption 24/7/365
For example, data encryption is usually one of the first concerns raised, accompanied by “where will you store our data?” Encryption seems like a basic safeguard, yet, according to Statista, 35% of the world’s data that requires security is still unprotected.
We recommend—and do our part to help ensure—that all our customers’ data is encrypted when at rest, in transit, or in flight to minimize the chances of interception.
But keep in mind that hackers monitor internet traffic the way that Frank and Jesse James tracked train schedules, and they both struck when their targeted treasures left the safety of a secure server or a bank vault.
Even with encryption, hackers can steal customers’ personal information to access their data, so we’re getting added inquiries about technology like phone printing, which can pinpoint the actual location of a mobile phone to prevent Caller ID spoofing.
Such technology is essential for cybersecurity. Human agents need certainty that a customer who wants to authorize a credit card for overseas use isn’t someone in Reykjavík, Iceland claiming to be from, for example, Royal Oak, Michigan.
Detecting a Scam in Progress
And here’s a pro tip. Contact center managers who monitor the length of every call that reaches an agent can help stop cybercrime before it occurs.
When an individual call exceeds the expected length, it’s time to consider that a possible scam is in play. Could be a vishing scheme, where the caller assumes the identity of a customer or someone in authority, like our caller from Reykjavík. That’s when a manager should check in with the agent for clarification or to help.
This is especially important with the proliferation of inexperienced agents working at home. To lower costs, entry-level agents often receive the bulk of deflected IVA and IVR traffic. They need to balance sound customer service with sound security practices and shouldn’t rely on their own hunches.
As a result, voice biometric authentication is gaining popularity because hackers who have already pilfered the answer to “what is your favorite book”, which is indeed “Old Yeller”, will not get past the scrutiny of matching their voice prints to the customers they impersonate.
With cybersecurity, if a human being is the last line of defense, cybercriminals will discover vulnerability. It’s one reason our customers request OAuth—an authentication tool that retrieves user passwords from one access point rather than from individual applications.
OAuth helps prevent password theft, since they are stored in a single secure location. It minimizes the chances of agents entering passwords in multiple applications, which reduces the opportunities for hackers to find them. This feature is important when data is integrated from many disparate sources and is displayed on a unified dashboard to supply a single service-enhancing view of the customer.
Build Your Cybersecurity Arsenal
Another cybersecurity concern we address with our customers is compliance with FIPS 140-2 (Federal Information Processing Standards), which “specifies the security requirements that are to be satisfied by the cryptographic module utilized within a security system protecting sensitive information within computer and telecommunications systems (including voice systems).”
Many contact centers have contracts with U.S. government agencies and, therefore, need to abide by these stringent requirements.
However, contact centers not affiliated with the federal government should also adopt FIPS 140-2. This is now becoming the case for many healthcare and financial organizations. It may take some time, but it’s time well spent, because FIPS 140-2 adds a hard-to-breach security layer.
Contact centers should also adopt PCI-DSS (Payment Card Initiative Data Security Standard), which, among other things, promotes the encryption of phone conversations to prevent the recording of credit card numbers to unstructured data files like .WAV or MP3.
Dual-Tone, Multi-Frequency (DTMF) masking and suppression emits an identical monotone rather than the tell-tale sound of individual numbers when a customer enters, for example, a credit card number on a telephone’s keypad.
Session timeouts also surface as a requirement by contact centers to minimize risks of security breaches because the longer sessions are open, the vulnerabilities to being hacked increases. Fortunately, there is proven technology that kills the session ID when the pre-determined auto timeout activates.
When you add these recommendations to those spelled out in Aceyus’ 2021 blog, it’s quite an arsenal. Remember: A contact center can never have too many cybersecurity safeguards.
Social Engineering: Still Cause #1
Finally, with all the technological advancements and billions spent on cybersecurity, there is no substitute for the application of a little common sense, which is mostly free of charge.
Common sense is the best method to protect against the largest single cause of data breaches and that is social engineering.
According to Purplesec, a firm that specializes in cybersecurity, social engineering accounts for 98% of all data breaches.
Even the most-experienced IT professionals have revealed their credit card and Social Security numbers, passwords, and other sensitive data for exploitation. Here’s an interesting statistic from 2018: 43% of all IT professionals claim to have been targeted by social engineering schemes.
Social engineering is especially destructive in the contact center space, which supplies limitless opportunities for a clever hacker to convince a vulnerable contact center agent to divulge sensitive information.
With the proliferation of at-home agents, it’s critical to apply a few fundamental safeguards. For example, never write personal customer information on pieces of paper or repeat it aloud with other occupants present. Even something as simple as working in a space with the door closed increases security.
There are other tools to aid such common-sense measures. We mentioned the effectiveness of phone printing and voice biometric authentication, which takes the guesswork out of who’s on the other end of the line and where they are calling from before the damage is done.
...it’s critical to apply a few fundamental safeguards.
There are even applications available that end an agent-customer video call if another individual steps into camera view on the agent side. It may seem extreme, but these days what’s sacred in the realm of cyberspace?
One last consideration: the more audacious the request, whether on a call, text, chatbot, or email, the more likely it’s a scam designed to create a data breach.
Case in point: how does anyone know if the person hoisting the 46-inch flatscreen through the main exit of the big box store isn’t simply stealing it? Are you aware that it’s a tactic among thieves to make a bold move like this and see what happens?
That’s where the TVs are, right? So, why not walk in and walk out?
It’s the same with the data stored in contact center databases—why not just ask for it?
Ultimately, then, to prevent virtually all contact center data breaches, never open email or website links from unknown or suspect senders or offer privileged information to unauthenticated and unauthorized customers.
Before you think this is rudimentary advice, keep in mind that more than 3.4 billion phishing emails are sent out worldwide—every single day.
So, make cybersecurity a high priority for your contact center. Always make hackers work at gaining access to your invaluable data. Don’t let the foxes into the chicken coop.
10 CYBERSECURITY BEST PRACTICES
Here is a link to a blog that Aceyus posted in 2021, which lists 10 cybersecurity best practices that help keep hackers at bay. Meaning all 10; not just nine—or three.
In summary they are:
1. Be proactive, not reactive
2. Adopt a Zero-Trust Model
3. Use Multi-Factor Authentication (MFA) internally and externally
4. Back up and encrypt your data
5. Secure your access points
6. Keep an eye on activity in your system
7. Don’t forget the basics
8. Plan for the Internet of Things (IoT)
9. Educate and empower employees
10. Keep up on cybersecurity trends
The best strategy to foil hackers’ attempts to breach your contact center database is to adopt a layered approach that plugs and overlaps all the potential cracks in your cybersecurity plan. Hackers only need one fissure to split wide open, and they will never stop trying to breach cyber perimeters.
So, never be vulnerable!