As Data Explodes in Cloud Contact Centers, the Security Spotlight Shifts to Internal Threats and Privileged Access Management
By: Juhi Fadia
Originally published on Customer Magazine
Contact Centers are one of the riskiest areas for enterprises, especially those which have a large customer base and are in highly regulated industries.
Like any division of an organization, they are susceptible to Advanced Persistent Threats (APT), malware, ransomware, and more.
When it comes to insider threat risk, there are few areas more vulnerable to insider threat attacks.
- Contact Center employees have access to sensitive customer information.
- Contact Center employees are often the lowest paid in the company (or in the outsourced Contact Center representing the company) and may be more susceptible to outsiders offering them money in exchange for access or information.
- Contact Center turnover rates are among the highest across industries, with new employees coming in over and over to replace former employees.
With the rapid shift of physical contact centers to the cloud, in large part accelerated by the global pandemic, organizations are finding it harder to control access (as compared to doing so in a physical facility with an “IT” perimeter, which only allows people in the location to be able to access databases and applications).
We’re seeing a growing trend towards security software that works in the cloud to protect sensitive data and to help prevent insider threats – whether they are intentional or accidental.
We caught up with Orhan Yildirim, CTO, Ironsphere, a Privileged Access Management company that allows organizations to lock down access, to automatically change passwords, to record and address risky situations in real-time, and does so in a cloud-ready way.
“Contact Center employees have direct access to sensitive customer information, with low-level employees handling hundreds of customers’ credit card information, passwords, bank info, health care information, or even social security numbers every day,” Yildirim said. “This level of direct access comes with an inherent spike in risk, especially when the situation is magnified as the cloud is being used to support at-home workers in large numbers. We’re finding that many Cloud Contact Center operations teams are not aware that there are relatively easy, immediate fixes available with PAM software when it is architected for the cloud from the ground up.”
Employees who are struggling financially are much more likely to be tempted by offers from outside agents, which creates a highly risky context. “Especially with recent economic pressures due to the pandemic, there are now large numbers of insiders who are more likely to need money, and we’ve already seen examples of this over the last few months,” Orhan Yildirim remarked. “There is no need to wait for months to set up the solution – a solution which is affordable and can scale up quickly after initial implementation.”
Most insider data theft takes place when an employee is leaving the company, according to some analysts. With the average US contact center turnover rate at around 33% per year and 55% in India, this is an important threat to focus on. “These rates mean that organizations are constantly exposing themselves to departing employees taking and sharing sensitive customer data when they leave,” Yildirim stated. “A high turnover rate means a greater number of employees are passing through each year, which means more data being exposed to more people. The threats are real.”
So, should every employee be treated like a potential criminal?
“Tight restrictions will hinder productivity, frustrate employees, and upset customers,” Orhan Yildirim noted. “In fact, customers appreciate personalized service – so they can get their questions answered quickly, with contextual information, even if it means agreeing to have that information presented to whichever agent responds. Instead of a ‘command and control’ culture, our clients appreciate a different approach, which is gaining true visibility into employee activity. With this information, that we can collect and manage in real-time, including using automation to predict issues or present an alert to a manager in real-time, operators can target the real risks within the company while still delivering friendly customer experience.”
Orhan Yildirim explained that most contact center employees should be accessing the same types of applications and information within existing databases. If an employee starts deviating from that normal behavior, by using software to track all activities, while also using that software to constantly validate access and automatically change password, security teams are ready to leap into action.
“Achieving compliance with regulations, for example, HIPAA, PCI, SOX and more, has always been complex, but is becoming even more challenging when regulations tighten after each breach,” Yildirim said. “Regulations are moving faster and growing more complicated; as they do, the audit process remains antiquated and slow. Another great benefit of using a PAM solution is simplifying audits for the company and auditors, and even the regulatory agencies, with more visibility and cleaner reporting.”
Orhan Yildirim summarized by saying that while the risks are growing, and legacy approaches are as complicated as the problem, “There are new ways to solve this: software solutions that run in real-time, that are easy to bolt onto cloud applications, and can adapt to changing regulations and new operating models.”
We have all found ourselves in a different world of work given the events that have defined 2020, and few professionals are feeling the pressure more than IT and OT teams.
Just as cyber risks evolve, the evolution of risk appetite frameworks is more active than ever. With more sophisticated adversaries, more digital transformation initiatives, more mobile works, ecosystem partnerships and connectivity to multiple clouds and services, enlightened management teams and their boards are updating their levels of “risk tolerance.”
Two-factor authentication has been around for decades – requiring an additional step between entering a username and password, for example, then entering a one-time security code sent to a mobile device – to access applications, systems and data.