Published: October 24, 2018
Note from the editor: As we inch ever closer to the holiday season, many contact centers are in the midst of hiring and training temporary staff to manage higher contact volume. Unfortunately, amid all the stress and excitement of the holidays, your seasonal team may be exposing your organization to unknown security threats. According to Semafone CEO Tim Critchley, hiring seasonal staff opens the doors to additional “inside” risks for contact centers. In this Q&A, Tim shares insight you'll need to know to protect your customer data.
Why do seasonal employees pose a more significant security threat than full-time employees?
TC: There are three reasons why seasonal employees can pose a greater security threat when compared to full-time employees. The first stems from the fact that temporary employees consider their position simply that - a temporary job. Therefore, they have no real stake or allegiance to the company or employer. So, when seasonal agents have access on a regular basis to personally identifiable information (PII), such as credit card data, the temptation to abuse this information is higher. The temp believes they can more easily slide under the radar and therefore thinks they are less likely to face any real or serious consequences, and besides, they will be gone once the holiday season ends.
Secondly, we are increasingly seeing contact centers take on "work from home" agents, often to handle seasonal spikes in call volumes. While this business model can lower overhead costs and streamline hiring processes, it also carries bigger risks. With less supervision and freedom to work in the comfort of one's home - using personal computers and other devices - it is difficult to ensure these agents abide by the strictest data security practices. Plus, "clean room" policies (no cell phones, paper/pens, bags) are simply impossible to enforce.
And finally, given their short tenure, the vetting and training process is often laxer for seasonal and temporary agents. Someone with malicious intentions or, equally dangerously, a complacent attitude towards data security, can inadvertently fall through the cracks. While we have good reason to believe that most agents and customer service representatives (CSRs) are fine, honest people, it takes just one bad apple to expose sensitive data for the wrong reasons. In fact, a single breach will on average have direct costs for an organization of $3.86 million, while jeopardizing customer trust and brand reputation forever.
What steps should contact centers take before they hire temporary staff during the holiday season?
TC: Since employers are in a hurry to fill positions due to the upcoming holiday rush, they can overlook typical or best practice protocol. I urge contact centers to vet all potential hires, perform thorough background checks, and spend the time to train them adequately. No matter how much training or vetting you complete, you can't stop every "rogue" employee.
It's critical for businesses to verify that the proper security controls are in place for all people, processes, and technologies. For example, enforce the principle of least privilege user access (LUA) on all computer systems. This means that an employee should have the minimum level of access to PII to perform their jobs at any given time. So, if your contact center agent does not need to access customer credit card data when they are not on the line with that customer, don't give it to them. Similarly, look for ways to segment networks to protect payment data. For instance, accept payments on systems that are entirely separate from day-to-day business activities (like email). I also recommend performing a Payment Card Industry Data Security Standard (PCI DSS) audit (or at least a self-assessment) and revisiting your Information Security plan before any major hiring efforts.
What are some ways to better train seasonal staff to spot scams or suspicious activity?
TC: Spoofers and scammers are becoming smarter and more devious, making it difficult for even the most trustworthy agent to detect an attack. What if an agent opens an email attachment, appearing to be from a customer, that contains a piece of fast-spreading malware? Or what if a fraudster pretending to be a customer manipulates the agent on the phone to provide sensitive data?
To better prepare seasonal staff to combat these and other emerging threats, I recommend holding a thorough, mandatory training session for all new hires. This can even be conducted virtually for agents around the globe and those working from home. In such sessions, run through some scenarios, like those above, and describe the ideal response, as well as the repercussions of a breach. And, don't forget to reinforce security basics, including locking computers when leaving a workstation, frequently changing passwords and being aware of one's surroundings. Lastly, encourage employees to report all breach attempts, security incidents or anything suspicious to management. Creating an anonymous system for doing so can help mitigate fear, improve trust and expedite response.
What sort of technology do you recommend contact centers use to protect their customers during this holiday season?
TC: No matter how well you train your agents or how many security controls you have in place, it is impossible to protect your contact center from every single threat - whether due to a "rogue" temporary agent, or a devious hacker tapping into your network. As long as your contact center collects, processes and stores PII, there will be someone eyeing that data. To make your contact center a less obvious target during the holiday season and beyond, consider technologies that remove sensitive data from the environment entirely, like dual-tone-multi-frequency (DTMF) masking technologies.
DTMF masking technologies allow callers to discreetly enter payment card data directly into their phone's keypad. The DTMF sounds are masked with flat tones so the agent on the line, call recordings, and nearby listeners cannot decipher the numbers. While agents remain in full voice communication with the customer, the data is sent directly to the appropriate third party, such as a payment processor, bypassing the contact center completely. This eliminates the opportunity for all agents, including rogue, temporary or seasonal workers, as well as outside hackers and fraudsters, to access sensitive information. As a bonus, contact centers can more easily comply with the PCI DSS and other stringent regulations, while freeing their agents (even those working from home) to provide the best possible customer service without fear of exposing PII. As we like to say, "no one can hack the data you don't hold!"