Call Centers on the Privacy Frontlines

The call center has always been a fast-paced environment. Running efficiently means optimizing staff time, getting new employees trained in a hurry, and maximizing every minute of the day.

However, the world around us seemingly speeds up every day. Data moves around the world in seconds, and customers need more information in less time. They need it right now.

At the same time, that information is more valuable, more sensitive, and perhaps more vulnerable than ever before. No company wants to intentionally cause harm to its customers or be on the front page of the newspaper thanks to a data breach.

Perhaps your call center is even doing some breach remediation work. You wouldn’t want to jeopardize that by having an embarrassing breach, yourself.

So, it’s important to know where a call center’s vulnerabilities are and how to prevent them.

Social Engineering

You’ve probably heard the term “phishing.” Maybe even “spearphishing” or “whaling,” nowadays. All of them refer to the practice of criminals essentially tricking employees, even high-level employees (the whales!), into giving away important information voluntarily.

This is where it’s vital to train employees to stick devotedly to clear and direct policies about how information is handled, but also to think critically about what it is they’re being asked to do for the customer.

Of course, these employees are also trained to provide great customer service, and that’s where their hearts can sometimes betray their heads.

You’ve probably run across many of these scenarios. Maybe a woman calls up and tells you she wants to add her husband to her account. However, right in the middle of verifying her identify, a baby starts crying loudly in the background and she excuses herself and puts her husband on the phone to finish the call.

Well, no, he doesn’t know her password, but you just heard her, right? And he’s the one that’s supposed to be added, right?

It’s hard to fault an employee’s instinct to be helpful. There’s a baby crying. They just want to get this done. Why do you need a password? You just heard my wife tell you she wanted to add me to her account?

Criminals like this work in pairs. They prey on a call center employee’s desire to be helpful and to complete a successful interaction. Often, they have just a piece of personal information to pair with a name, like an email address or phone number they’ve gathered from publicly available sources or a previous data breach, and they’re hoping they can use someone’s kindness to get access to full account information.

It’s vital that you drill your employees with these kinds of scenarios and emphasize the importance of identity verification techniques. They should never give access to account information without being completely sure of a customer’s identity. These criminals are really quite inventive.

Often, the information being requested in this kind of attack isn’t even particularly sensitive, but it gives them just enough information to get unauthorized access.

However, this sort of attack isn’t limited to attempts at gaining access to a single account. Sometimes, they’re looking to gain information about network access as a whole. Make sure to emphasize that employees should also never give out any information about how the call center functions, even simple information like how shifts are organized or where training is done.

Who Can See What?

We may live in a digital world, but privacy breaches often arise from the use of good old pen and paper. Call center employees need to write things down. It’s part of the job. A customer might have a laundry list of issues that can’t all be addressed via one view of the system. That’s understandable.

But is there a policy in place for how that piece of paper is then destroyed? Have you trained employees to know they should take all of their paper notes and shred them at the end of their shift?

If not, you likely have janitorial staff with access to personal information on a regular basis. Hopefully, you have a trustworthy staff that knows to pick up the shredding slack, but these sorts of employees are also often the targets of criminals looking for an in. They need training, too.

There are technical solutions that can help here, too. With software that properly redacts information based on role and scenario, you can limit the amount of information an employee sees in the first place. If a representative only needs to confirm the last four digits of an SSN, they should only see the last four digits of the SSN.

This can defeat pen-and-paper threats, too. If someone has nefarious intents, it’s impossible to write down when you don’t have access to. Make sure you’re working with your organization’s privacy and security teams to see whether there are technical solutions to augment your training regime.

Procedures for Escalation

Finally, and perhaps most importantly, it’s vital that frontline employees know what to do should something bad actually happen. One of the biggest issues I see in the industry is employees not being trained to know what action to take to report a breach, and not understanding whom to contact when something happens.

Say they get a call from a customer in a panic, saying someone has accessed their account, or someone is using their phone to make phone calls, what is the representative to do? There tends to be gaps in how quickly this type of information about vulnerabilities is communicated up the chain.

For folks who actually work on mitigating breaches, speed is of the essence. The faster information is reported up the chain, the faster they can respond and make sure situations don’t get worse.

Even one customer suffering a privacy breach might be an indication of a larger issue that can be cut off before it develops. Unfortunately, there tends to be a backlog or build-up of these individual issues before they are escalated to the management level, and then to the security team.

Everyone, from the representatives to shift managers, right on up the line, needs to know whom to contact and when. The faster we know, the faster we can take action. If representatives don’t report it, and don’t let the powers that be know about issues in the proper format, then small issues tend to become big issues.

Conclusion

Of course, there are other best practices that you’ve already likely tackled. I’m assuming you have auditing capabilities to see who accessed what, and proper procedures in place for screening potential employees, but, if you don’t, get on that, too!

People make mistakes. Information is slippery and tough to corral sometimes.

That’s why the best defense is frequent and pervasive training. When procedures are firmly ingrained, emphasized and enforced by management, they become second nature, and much harder for bad actors to defeat.