Many organizations weathered the COVID-19 crisis by focusing first on the welfare and well-being of their employees. The quick shift from on-premise to work-from-home (WFH) last year helped to safeguard companies’ human asset. Yet in the scramble to ramp-up the distributed workforce, security measures often took a back seat to business continuity.
Quick to capitalize on the pandemic chaos, cybercriminals viewed the sudden and unexpected move to WFH as an opportunity to attack poorly protected computer networks and systems, as well as the newly remote, vulnerable workforce. An explosion of data breaches ensued. In the first quarter of 2020, the number of records exposed skyrocketed to 8.4 billion, a 273% increase compared to Q1 2019, according to a report by cyberthreat intelligence company Risk Based Security.
Now that work-from-home is expected to become a permanent model for the post-COVID work environment, beefing up cybersecurity and securing the remote-work perimeter has become a priority for organizations. Enterprises are predicted to spend $12.6 billion on cloud security tools by 2023, up from $5.6 billion in 2018, according to Forrester. And Gartner estimates that enterprise spending on cloud security solutions will increase from $636 million in 2020 to $1.63 billion in 2023—a 26.5% CAGR.
And yet, state-of-the-art security technology is not enough to protect businesses from cyberthreats and data breaches. Why? Because that newly remote agent working at a makeshift workstation in a bedroom corner or at the kitchen table is human, and humans make mistakes.
According to a report by enterprise security firm Tessian, the majority (88%) of today’s data breaches are caused by human error. Tessian’s research found that:
- 1 in 4 workers have clicked on a phishing email at work.
- 43% of people have made mistakes at work that compromised cybersecurity.
- 57% of employees are more distracted when working from home.
- A third of workers rarely or never think about cybersecurity at work.
Whether through human error, poor security habits or a lack of awareness, employees often unwittingly allow cybercriminals to get a foot in the door, which is all they need to steal valuable company data or deposit malicious code.
From the Contact Center Pipeline Advisory Board
Q. What do you see as the top data security concern for contact centers that recently transitioned to a work-from-home model?
For me, the top security concern is the possible and likely inadvertent collection and release of private information. Since work-from-home agents have no direct human supervision and are unable to quickly seek help and advice during a call, I think an important risk is the unintentional collection of personally identifiable information (PII). Depending on certain variables, companies employing call center representatives are subject to the privacy restrictions of the European General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA). Hastily hired and incompletely trained agents may inadvertently request and enter PII. The definition of personally identifiable information is very broad and can even include basic items such as phone numbers and email addresses. It is OK to collect this information provided that it is: (a) essential to the company’s business, or (b) the distant party has consented to the collection of this information.
Also, since this work-at-home phenomena is happening so quickly, there is a risk that the network connection to the agent’s desktop or the software used by the agent, principally CRM and interaction recording, are not fully PCI–DSS compliant. Agents customarily collect credit and debit card information in the course of their work. This data must be secured from the point of entry to its storage facility.
Tactics to Strengthen Your Human Firewall
Because bad actors most often target a company’s employees to gain access to customer data and corporate systems, an alert, educated remote workforce adds considerable strength to your cybersecurity defenses.
The following practices can help your WFH team to avoid the most common employee cybersecurity mistakes.
Develop WFH cybersecurity standards. Include security guidelines and standards in your work-from-work policy. Providing explicit instructions on the proper setup and management of work devices, which services to use and how to use them is the first step toward mitigating security risks among newly remote agents. A few WFH security guidelines to include:
Work device use—company-provided or BYOD? Do you allow employees to use their own devices to access company systems, or are they required to work only on company-provided devices? A BYOD (bring your own device) setup presents considerable security risks since employees’ personal devices may have outdated operating systems and nonessential apps (e.g., social media, file sharing, games, etc.) that can increase exposure to malware and other cyberthreats. Furnishing WFH agents with equipment that has been setup and vetted by IT will ensure that devices contain only authorized software along with secure firewalls, antivirus software and other protections.
Even if you provide WFH staff with work equipment, instruct employees to use only company-provided devices to access company systems and only from approved access points (and preferably via a virtual private network), or they may be tempted to log in using their personal devices on an unprotected network, exposing the company to a man-in-the-middle attack in which a hacker can intercept the employee’s communication or data.
Include in your WFH cybersecurity guidelines a stipulation that company-provided equipment is for employee use only. WFH staff should not allow family members or other household residents to access company devices.
Safeguard work devices. Work devices should be password-protected to prevent others from accessing company data. When not in use, devices should be stored in a secure location—e.g., in a locked drawer or by locking the door to the home office. If remote agents are expected to commute with laptops or mobile devices, for instance, in a hybrid model where they work some shifts on-premise and others at home, they should be instructed to keep the devices with them at all times and not locked in their vehicle or in the trunk of their car. Also, ensure that device tracking is enabled on all work devices in case they are stolen or lost.
Is the home office space secure? Not all WFH agents have the space for a designated home office with doors that can be shut. If a separate room is not possible, WFH staff should set aside an area that affords them with (visual and audio) privacy from family members and/or housemates during working hours. Computers should be placed so that the sight line to screens with sensitive information cannot be viewed by others inside the home and are not facing hallways or open areas where someone can view the screen when walking past or from outside a window.
Two additional home-office security measures:
1. Employees should lock their screens if they step away from their computer, even for a moment.
2. WFH agents should be provided with (and wear) headsets to ensure that customers or co-workers who share sensitive information while on a call cannot be overhead.
Enforce the use of strong passwords to log in to devices and networks. Creating strong, unique passwords to access devices and online accounts is a basic security best practice—yet many people ignore it. A survey by LastPass by LogMeIn revealed that 91% of people know that using the same password on multiple accounts is a security risk, yet 66% continue to use the same password anyway. “The Psychology of Passwords” report cited fear of forgetting login information as the number one reason for password reuse (60%), followed by wanting to know and be in control of all of their passwords (52%).
Providing WFH employees with password management tools can help to prevent password reuse. Also, consider periodic awareness training on password practices to reinforce better habits.
Speaking of strong passwords, resetting the password on agents’ Wi-Fi routers should be a fundamental networking safety measure for work-at-home staff. New home-based employees often overlook the security risk posed by wireless routers. Often, people don’t bother to change the default password after setting it up, and they share the password with friends, neighbors or guests. Employees’ personal wireless routers also may have outdated firmware, leaving their home network vulnerable.
Provide guidelines and training for video communication apps. During the pandemic lockdown, individuals and businesses turned to video conferencing to replace in-person contact for meetings, customer support, get-togethers with family and friends, and more. The soaring popularity of third-party video chat applications triggered a rise in attempts to hack video meetings to listen in, record or disrupt them, such as the widely publicized “Zoom bombing” incidents in 2020. Most of the Zoom hacking attacks were traced to end-user security behaviors, such as posting meeting links and personal meeting IDs on social media or other public channels, allowing multiple participants to share screens (vs. only the host) and not locking meetings after they start.
Even with privacy settings in place, WFH agents need additional training on what types of data and information are considered sensitive and should not be shared on a video chat. Employees should also be aware of what can be viewed in the screen background—including items in their workstations or homes that might contain sensitive information.
Provide security awareness training and alerts. Provide regular security awareness training and alerts to ensure that WFH agents remain vigilant. Training should include cybersecurity protocols, standards for handling sensitive information and how to identify different types of scams and attacks, along with general cybersecurity best practices. Make sure that WFH team members know how to report suspicious emails and are updated whenever new phishing attacks surface. Cybersecurity awareness training is not a once-and-done event; it should become a regular part of your team’s discussions.
Create a United Front Against Cybercrime
As our world grows increasingly digital, businesses need to take a proactive approach to safeguard customer and company data from cybercriminals. It is vital to provide clear escalation guidelines for employees to report unusual or suspicious issues, lost or stolen company devices—and, importantly, their mistakes.
Keep in mind that the majority of data security breaches result from human error—and that most security incidents go under-reported. Naturally, if agents are afraid that being tricked into clicking on a phishing link will cost them their job, they won’t report it.
To create a united front against cybercrime, scare tactics won’t work. Instead, provide an open, supportive environment that encourages staff to report errors promptly so that immediate actions can be taken. This reinforces the message that employees are not the weakest link in the cybersecurity chain, but part of the solution.