I can’t underplay the extent and severity of the cyber threats that we all face. Verizon’s latest Data Breach Investigations Report states that 85% of tracked breaches involved a human element, and contact centers have become a front line of engagement between sophisticated threat actors, and the cybersecurity and fraud organizations opposing them.
The information outlined below covers a short selection where that human element is central to the issue. It’s not meant to be a list of fundamental security activities, but it covers areas where collaboration and cross-functional efforts between teams like security, operations, IT, HR, and third parties are critical to success.
Perhaps most crucially the below content provides advice and recommendations on what you can do.
At some point, you’ll face an insider threat. It could be a new hire or a long-term employee who has the opportunity and motivation. They may be simply disgruntled. Or they have been recruited by nefarious others with offers of financial reward or even threatened with physical or psychological harm if they don’t do their bidding.
It could even be someone who’s specifically sought a role in your organization to engage in illicit activities.
• Create an environment where reporting possible cybercrimes like recruitment or extortion is actively encouraged. Don’t limit this to an anonymous hotline - it can be valuable but is just one avenue to report issues. Ensure your employees and management team know who to call when they have a concern. Onboarding training, ongoing security/compliance training, and communications to your staff following an incident can be venues for this message.
• If possible, monitor 24/7, and potentially send possible security issues to an incident response team. In addition, when you get those reports they should be handled quickly and emphatically. Make sure the employees know you’re taking this information seriously, follow up with them afterward, and where appropriate, recognize those who did the right thing.
• Build a perception of oversight. This is challenging, and an area that could easily become “big brother” but is fundamental to ensure you don’t become a bigger target. Timing is crucial. Informing teams that you’re actively monitoring as part of security training can help avoid negative connotations, as it comes when it’s expected.
• When something does happen, act quickly, and be sure to be seen doing so. Have some prepared communications ready for the kind of events you expect. Cyberattacks often have devastating impacts on brands and drive in calls and contacts from worried customers. There is also compliance with laws like on data breach notifications to follow.
• Document processes for each of the insider threats. Extortion is obviously going to be a far different animal than recruitment, involving different parties, sensitivities, and response timelines.
• Learn from your mistakes. When an insider incident occurs, take the time to perform a full post-mortem on every aspect of what happened. Involve the right people in this activity, not just your security experts, but businesspeople and IT too. Assume that it will happen again, by different means, and create a mitigation plan that addresses all the gaps.
• Follow up on your mitigation plans. Often after the first items are completed, other stuff gets in the way. Be rigorous on your follow-ups to make sure all your gaps are closed.
• Build and rebuild your monitoring program, take the time to understand all data available from various teams, and elements that can act as indicators of malicious activity. Refine these, working toward faster and more accurate identification of threats. This is doubly important now as so many more of us work from home and lack the oversight of an office environment.
• Don’t just look at your own employee background checks, look at the hiring processes of your third parties. The malicious employee you’ve just addressed may seek employment at organizations you do business with and regain access to your own systems at a later time. Developing insights into how your partners hire and making fully sure you always know who has access to your systems from their side is critical.
Building on the people element, another area that should be continuously revisited is phishing.
This could be of your employees, your customers, or your partners, and while we often think of the phishing email, it could be through any other means of communication, voice, chat, SMS and even face-to-face.
The perpetrators are extremely good at what they do. To them this is their job, and they may well know as much about your company and processes as your employees do.
• Execute regular phishing awareness campaigns. Make them a challenge that’s not easy to immediately identify, e.g., send one on new tools to your technology team, or an invoice to your Accounts Payable team. If possible, perform SMS campaigns too.
• Create consequences or gamify these campaigns so employees understand their importance. One concept worth exploring is an employee security score based on their phishing campaign results, security training etc. Reward the best for their performance.
• Don’t rely on account notes to prevent repeated access attempts. Threat actors will repeatedly target specific accounts until an employee lets them in. Develop alarms, preferably automated, visible to your frontlines that clearly show repeated access attempts to specific accounts or from specific callers.
• Make training as engaging as possible. Building in real-life scenarios with interactive elements can really make a difference on retaining critical information.
• Explore new technologies. There are a host of interesting capabilities out there that identify bad actors calling in, trawl the web for unauthorized sites bearing your brand, systematically validate your customers, and more.
• Be serious about least privilege access. Limit unnecessary access to sensitive information, high risk transactions, and accounts, then systematize the controls, so it’s not based upon a human decision. Pay extra attention to fallback processes, in the number of employees that have access, the quality of the process, and their use and abuse.
Combatting Fraud with voice authentication
I will never forget the time I called the local phone company about my bill and was asked to first recite my mother-in-law’s maiden name.
The contact center agent explained that the account was opened in my wife’s name, and it was she that established the challenge question. But I could not recall my mother-in-law’s Finnish maiden name and if I did, I probably would not be able to spell it.
Despite my pleas that my wife would have no objection to my speaking on her behalf, the agent was having none of it. I had to accurately answer the question. That was the rule.
There are fundamentally three ways to establish authenticity:
• Something you know - password, PIN, secret handshake, etc.
• Something you have - badge, driver’s license, credit cards, uniform, etc.
• Something you are
The first two options are easy to fake or pilfer. The last option, something you are, cannot be duplicated.
Biometrics are physical attributes that you and you alone possess. Most commonly used are your fingerprints and the face. Both of these are pretty foolproof, but they are little hard to handle over the phone.
The one biometric that is unique, works best over the phone, and is virtually impossible to steal or replicate is your voice.
Voice authentication is just as accurate as fingerprinting and is also ideal for mobile callers and people with disabilities. The technology is available today and ideally suited for contact centers.
Not only is voice recognition a pain-free form of authentication but is also a good way to spot fraudsters who are trying to pass themselves off as anguished customers who desperately need the credit card information that was in their stolen purses.
--Dick Bucci, Chief Analyst, Pelorus Associates [email protected]
Once they’ve made their way into systems, be it through an insider, phishing, or a more technical breach, one of the most disruptive threats faced is ransomware.
The days where a threat actor simply locked down a system are gone. Today, expect data exfiltration, and subsequent escalation, with the intent to put as much pressure on you as possible to pay out.
• Create a ransomware playbook. CISA/MS-ISAC released an excellent document laying out best practices and a response checklist that can be easily adapted for your own organization.
• Ask for your partners playbooks and share the appropriate elements of your own. Helping partners prepare for such an incident helps everyone.
• Keep your playbook up to date, particularly details on communications and contacts, and keep a copy offline in a location you could get to.
• Assess your business functions, identifying any that are single-threaded, and your plan for an extended outage. If you’re a client, build redundancy across your contact center operators, if you’re an operator, offer redundancy capabilities to your clients for work you don’t perform today.
• Ensure you have a clear and up to date inventory of all your connections with partners and know how to cut them quickly.
• Engage experts to perform a tabletop ransomware exercise, and perform this at both a senior leadership level, and with your operational team.
• If you have a ransomware incident, keep your employees informed. If an outage is extended, attrition becomes an increasing problem, and you could face as much of an issue getting employees back online as with the incident itself.
• Most importantly, don’t delay. Time is of the essence and clarity in communications is key. Be as open as possible with your partners and expect the same from them. Trust is severely challenged at a time like this, and timely, open communication will go a long way in ensuring that doesn’t persist.
Another persistent threat we all face is account takeover, both of our employees and of our customers. Often authentication processes are little changed from more than a decade ago. Thankfully, technical capabilities in this space are evolving, as is security awareness and the value placed on privacy.
• Develop detailed processes to robustly authenticate your customers and your employees. This absolutely must include multi-factor authentication. Take the time to map all this out and understand it - the breadth of interaction points, customer types, employee types, technologies, and fallback mechanisms is likely wider than you expect.
• If you have to use fallbacks, ensure they have additional controls and monitoring.
Another persistent threat we all face is account takeover, both of our employees and of our customers.
• Build robust notifications to both your customers and employees when high risk transactions occur. If someone has a password reset, they should know about it. Ensure they know who to tell if it wasn’t them, and that it’s immediately acted on.
• Identify any credential sharing. As you limit access to specific groups, the pressure to share credentials across teams “just to get the job done” will grow.
• Be willing to have your team say no and stand behind them when they do. Prepare a script and create a process that allows them to escalate. Ensure performance metrics aren’t adversely impacted by “doing the right thing.”
Contact centers sit in a unique position. They may have access to the systems of one, or several multinational companies, they could be located across the world from the customers they are serving, and often heavily prioritize customer satisfaction and efficiency.
Working from home has changed the cyber risk profile too, though perhaps less than one might think if the principle of least privilege is well exercised, and a VPN with strong associated security measures is used.
By thoughtfully approaching security it really is possible to address the risks and enhance the experience at the same time by designing seamless solutions and emphasizing the importance we place on security to our customers.