10 call center security tips for protecting customer data and privacy
Call centers are particularly vulnerable to privacy breaches, and it is mainly due to what is best described as a security ripple effect. In this article, we will look at how and why these problems occur before exploring some of the ways call centers can protect their customers.
Understanding how customer data and privacy is at risk can help call centers beef up security, so we will also touch on some of the potential vulnerabilities inherent in security technologies. Ideally, no call center should be without a multi-layered security strategy.
Phishing simulations & training
How are call centers vulnerable to data breaches?
Personally identifiable information (PII) theft
According to Pindrop, data breaches that occur at other companies – usually high-profile attacks on financial institutions and healthcare providers – affect a wide range of enterprises, even in unrelated industries; that includes consumer service companies. These breaches may have a significant security ripple effect on call centers that usually rely on PII to verify a caller’s credentials. If this information – e.g. SSNs or bank card numbers, or customers’ DoB or email addresses. – has been previously breached, a call center’s customers immediately become extremely vulnerable.
The Identity Theft Resource Center (ITRC), together with CyberScout, conducts annual studies of identity thefts. In its 2017 Data Breach Year-End Review, the ITRC found that: “Throughout 2017, there were 830 data breach incidents involving Social Security Numbers, representing more than half of the total reported number of breaches. As a result of these breaches, nearly 158 million SSN’s were exposed or 88 percent of the total number of records exposed.”
IDology’s Fifth Annual Fraud Report said “40% of businesses reported their contact centers were increasingly being targeted by fraudsters, with social engineering being the most widespread fraud tactic.”
In addition, the penalties for not complying with regulations specifying how personal data is managed are high.
Internal threats: Rogue insiders
Semaphone CEO Tim Critchley, writing for ICMI, identifies the top insider call center threat personas as:
- The Tempted Temp: May not be 100 percent loyal to their temporary employer and is tempted to wrangle a bonus from fraudsters once they leave their current position.
- The Credulous Clicker: May accidentally, and quite innocently, expose sensitive customer data when clicking on a malicious link.
- The Vengeful Victim: Any employee with a grudge and access to sensitive data is a Trojan horse.
- The Hidden Hacker: The IT department may view sensitive data as a source of additional funds towards their year-end vacation.
- The Contract Cleaner: All these guys need is “tiny USB sticks, which contain key logging software and a Wi-Fi transmitter” to steal private data.
A 2015 McAfee report (“Data exfiltration study: Actors, tactics, and detection”) found that 43 percent of data loss in data breaches was caused by internal actors, half of these cases being accidental. The study also suggested that data loss prevention (DLP) played a major role in detecting and preventing data thefts.
External threats: Technology vulnerabilities
According to Pindrop: “As network and endpoint security technology has evolved over the years, criminals have had to find other ways to get to the information they want. The same effect has come from the shift to chip-and-PIN technology on credit and debit cards, which has forced more fraud into the phone channel.”
Technology is vulnerable to the wily ways of the criminal who quickly learn to change attack strategies and soon master the art of finding software loopholes.
How secure is VoIP?
VoIP vendors claim professionally-installed VoIP systems are secure. However, being Internet-based, they may still be susceptible to malicious attacks. Colocation America’s James Mulvey has some tips to secure VoIP:
- Set up a secure firewall between the VoIP server and outside network. Specialist firewalls can detect and preempt DDoS attacks that attempt to bombard a call center with requests the service simply cannot handle.
- Use data encryption for all data within, entering and leaving the network. Where a predictive dialer is used to place outgoing calls, "some sort of border patrol to prevent network intrusion" must be enforced.
How secure is IVR?
According to Contact Solutions, call centers need to address potential problems in the way data is stored in IVR systems:
- Data is stored in the system and subsequently copied to multiple locations, which become targets for fraudsters. Each call should have its own allocated space and resources.
- Data, particularly unnecessary data, is not regularly “cleaned” between transactions. Data from one call should be erased before resources are made available for another call.
- Communications are not secured in data transfers. Where possible, transactions should take place in real-time to avoid saving sensitive data in hard-to-find places.
How secure is encryption?
The 2015 McAfee report mentioned above (“Data exfiltration study: Actors, tactics, and detection”) found that 32 percent of data exfiltrations were encrypted.
Yes, there is more is more than one weak link in the encryption chain. According to InfoWorld’s Peter Wayner, a single failure in an encryption algorithm or a glitch in the software can create a vulnerability. "One of the most famous algorithms, RSA, is said to be secure -- as long as it's hard to factor large numbers. That sounds impressive, but it simply shifts the responsibility. Is it truly that hard to factor large numbers? Well, there's no proof that it's hard, but no one knows how to do it right all of the time. If someone figures out a fast algorithm, RSA could be cracked open like an egg ..." Computing power, backdoors, hidden layers, faked certificates and typos are all potentially-exploitable weak links in the encryption chain.
The takeaway: choose your encryption method wisely and understand how and why it may not be totally secure. The trick is to use a multi-layer approach to security, with encryption just one layer of protection.
Top 10 call center security rips for protecting consumers – What do the experts say?
Bearing the vulnerabilities mentioned above in mind, let’s take a look at some layers of protection a call center’s security strategy should include:
1. Dump the auditory Q&A process
Asking customers to read SSN and credit card numbers out loud is an outdated and insecure procedure. Instead, “… adopting dual-tone multi-frequency (DTMF) masking technologies [...] will allow customers to enter private information via telephone keypads and cannot be captured on recording or deciphered.” (Mandi Nowitz, writing for TMCNET)
2. Thwart the rogue insider with technology
Not always deliberately malicious, the rogue insider may be blackmailed or trapped by manipulative social engineering techniques. DTMF is a good option but does not take into consideration callers who cannot use the keypad. Another option for a call center is to implement rigorous (and expensive) in-house safeguards, e.g. a “white room.” Even better, cloud-based telephony systems allow cardholder data to be routed “to the Payment Service Provider (PSP) via a secure private cloud, without the information entering the contact centre.” In addition, the call is muted to the operator for the period while the caller is giving their personal details using Automatic Speech Recognition Software (ASR). (Nick Ismail, writing for Information Age)
3. Make vulnerable data less accessible
One way to do this is ensure all data in rest and in motion is encrypted, so that even if a rogue employee steals it, it is useless to them. Implement role-based access to sensitive data. (TeleApps)
4. Regular penetration testing
Pentests can identify weaknesses in a call center’s security and are usually undertaken by IT professionals, either in-house or by a consultancy. (InfoSec Institute)
5. Anticipate attack – Use proactive, specialist security software
Telephony Denial-of-Service (TDoS) attacks can overwhelm a call center simply in terms of call volume. A workaround to this is the use of “firewalls devised exclusively for VoIP connections that can filter and redirect the incoming calls in case they are detected as a possible threat.” (Nishant Kadian, writing for Call Center Hosting)
6. Enforce strong access controls
The Internet abounds with stories about criminals who stole the identities and access credentials of staff who had long since left the company. According to Winn Schwartau, founder of security awareness certification company SCIPP International, “It may well be the human resource function's policy to revoke access—but human resources doesn't control the network.” In addition, he comments that while offering productivity gains, “single sign-on increases the risk of data loss (or damage) in the case of password theft or misuse." Beware. (Malcolm Wheatley, writing for CSO Online)
7. Practice fundamental security basics
Keep software updated; enforce anti-virus protection, use a password manager, educate staff on social engineering tactics, anticipate divert detection and forwarding, and always use two-factor authentication.
8. Control access at document level
Use a digital document management solution that controls access to documents by role and encrypts documents that leave the center in case they are sent to the wrong customer. (Mia Papanicolaou, Chief Operations Officer for document security specialist, Striata Inc., writing for TMCNET)
9. Thwart the outside infiltrator with high-tech solutions
Humans cannot always identify subtle patterns of behavior or keep track of vast amounts of calls, even with audit trails. “The contact centre advisor’s best line of security lies in multi-layered fraud detection technology. Where other voice biometric technologies fall short is in their inability to differentiate between devices or to identify patterns in user behavior. Phoneprinting can identify specific components about each call, such as the call location, device, and repeat call behavior.” (Call Center Helper, with thanks to Matt Peachey at Pindrop)
10. Multi-factor authentication (MFA)
The use of one-time passwords, biometrics (e.g. voice prints), near field communications (NFC), risk-based authentication and roles-based access to systems for customers and in-house operatives can improve both security and the customer experience. (Jeff Carpenter, writing for Crossmatch)
Why improve your call center security?
If you don’t, you could:
- Lose your reputation in the industry
- Attract penalties or fines for not enforcing regulatory standards
- Lose business due to bad customer experiences
- Face additional costs having to patch your systems after the fact
- Struggle to hold on to staff for much longer than the time taken to train them
- Become the laughing stock of social media
Where to next?
InfoSec Institute can help you secure your call center. To get started, understand the basics of what you are up against:
- Read about how to secure VoIP or take a course on VoIP security
- Watch a video on how malware can bypass anti-virus software
- Under basic encryption concepts
- Learn how to identify people that attempt to socially engineer conversations to steal information by implementing security awareness training programs for employees
Get six free posters
Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.
Sources
- Mass Data Breaches Mean Trouble for Call Center Security, Pindrop
- 2017 Annual Data Breach Year-End Review, Identity Theft Resource Center
- Fifth Annual Fraud Report, IDology (paywall)
- Who’s Threatening Your Contact Center’s Data Security? 5 Fraudsters to Know, ICMI
- Grand Theft Data, McAfee
- 11 reasons encryption is (almost) dead, InfoWorld
- 5 Common Encryption Algorithms and the Unbreakables of the Future, StorageCraft
- Amazon Adds Pindrop for Security of Connect Call Center Service, Pindrop
- Data Security in the Contact Center, Adaptive IVR Blog
- The Importance of VoIP Security, Colocation America
- Outdated Call Center Practices Increase Security Risks, Call Center Management
- Why contact centers are failing their most vulnerable callers, Information Age
- Best practices for data security in a call centre environment, TeleApps
- Top 5 Cyber Security Threats to Call Centers and How to Handle Them, CallCenterHosting
- Call Center Security: How to Protect Employees and Customers, CSO Online
- 5 Call Center Security Tips for Protecting Customer Data and Preventing Breaches, Call Center Management
- 14 Ways to Improve Security for your Customers, Call Centre Helper
- A Leap Forward for Contact Centers: Multi-factor Authentication, Crossmatch
In this Series
- 10 call center security tips for protecting customer data and privacy
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness