- Email: [email protected]
How contact centres can leave businesses exposed to cybercrime
FEATURE
How contact centres can leave businesses exposed to cybercrime
Chris Knauer
Chris Knauer, Sitel Group More than 30% of organisations have experienced cyber attacks on their IT infrastructure, which can have severe consequences for companies that have not built cyber security into their operational budgets.1 The average cost of a data breach in 2018 was $3.86m and it typically took approximately 266 days to detect and contain a smaller breach.2 The costs associated with this kind of incident are crippling for average businesses, representing a significant fraction of revenue, given that the average annual receipts for a firm approaching 100 employees is $7.12m.3 Yet while many businesses have a clear understanding of their own IT infrastructure, they may not have the same depth of understanding regarding their vendors’ IT security. While security spending to reduce the risk of a breach is a core component of any digital business, many business and security leaders are unaware of the security gaps that may exist in contact centres.
Risky behaviour The first question IT leaders need to address is what kind of risky behaviour might be taking place outside their organisations that would impact their
information security. Data loss prevention (DLP) used to be the go-to strategy for ensuring that sensitive information was not released outside of the corporate network. Network administrators could control what data end users could transfer, but these protocols are not always consistent among vendors. For contact centres dealing in high quantities of sensitive information exchanged person-to-person, DLP does not address the human behaviour element. IT security administrators therefore need to be able to measure and score risk around an individual’s activity. The initial challenge is a misalignment of objectives between contact
How customers share payment card information with call centres. Source: Semafone.
6
Network Security
centres and their clients’ security teams; customer experience metrics often take priority over security measures at contact centres, because they’re more relevant to support agents’ direct goals. While this may improve customer relationships, making customers’ exchanges with a company as friendly, efficient and seamless as possible, it leaves firewall gaps too dangerous for security professionals to ignore. If these gaps are left unaddressed, for many businesses it is only a matter of time before they experience a data breach.
“Armed with the right training and best practice tools, employees can work in sync with digital defence security procedures and help close exposed gaps in company firewalls” One example of a way in which customer experience takes priority over security to the detriment of the firm involves the security of calls in contact centres. More than 70% of agents who collected payment data and personal information over the phone (address, full name, social security number, etc) still require customers to read their information aloud.4 This exposes the information to agents, quality assurance call recordings and nearby eavesdroppers. More problematic is the high level of breach attempt under-reporting: when agents experience a breach attempt, either by company insiders or outsiders, 42% do not report the situation. This produces an ideal environment for cyber criminals, creating low barriers
November 2019
FEATURE to entry and minimal consequences for malicious attacks.
Software solutions A natural response might initially appear to be to implement software solutions designed to block viruses and other malicious attacks, but anti-virus measures are not enough – 70% of organisations do not believe the threats they experience can be blocked by such software.5 A more effective route in closing these firewall gaps is better employee training. Well-trained and informed employees are the first line of defence for businesses against information security breaches. Armed with the right training and best-practice tools, employees can work in sync with digital defence security procedures and help close exposed gaps in company firewalls.
“Scripts used by contact centre agents control the quantity and type of information that agents can release. Once a cyber criminal successfully derails an agent and takes him or her off-script, the agent is no longer operating within security guidelines” One area in which training can mean the difference between a secure system and a data breach is phishing via social engineering. Social engineering is a common tactic that cyber criminals use to manipulate contact centre agents into releasing confidential information, extracting passwords and bank information by preying on the trust between businesses and consumers. Well-trained agents will be able to spot suspicious messages, verify the sender and details and avoid clicking on links containing malware that can infect the entire system. But a successful contact centre data breach corrodes trust in the very system designed to improve customer experiences, ultimately damaging the business and decreasing trust. In addition to phishing, untrained contact centre agents are also susceptible to vishing. Vishing involves making phone
November 2019
How call centres responded when they discovered a possible insider or outsider breach. Source: Semafone.
calls or leaving voice messages masquerading as being from reputable companies in order to trick individuals into revealing personal information. The objective here is to try to connect with the contact centre agent on an emotional level, with the ultimate goal of taking the agent off-script. Scripts used by contact centre agents control the quantity and type of information that agents can release. Once a cyber criminal successfully derails an agent and takes him or her off-script, the agent is no longer operating within security guidelines. As a result, the likelihood of compromising privacy is increased. The probability of this agent allowing him or herself to be driven off-script increases when campaigns focus heavily on net promoter scores (NPS) in which the agent is rewarded for caller satisfaction. A successful contact centre program blends the best of security and NPS programs by extensive training for agents to recognise these attempts. Agents are trained to recognise emotionally charged attempts to break through security barriers to take the agent off-script and redirect the conversation to return to the script and operate within security guidelines.
AI support IT systems can support employees here with artificial intelligence (AI). By implementing advanced AI and machine
learning systems that analyse call speech patterns in real time, systems can recognise unusual call patterns and alert agents and system administrators. This helps prevent a potential breach earlier in the process, improving with time as more data is added to the equation. It also helps create a record of potential risks for managers, underlining the need to identify and track person-to-person breach attempts. Being able to measure variance is what helps monitor and reduce fraud. Many contact centres are already in a position to begin implementing this technology by using security systems they currently have in place.
“Implementing security systems to support trained contact centre agents helps businesses significantly cut down on the risk of a security breach from contact centres” New technology can also be leveraged to redirect consumers to secure websites and interactive voice response (IVR) sites when there is a need to input sensitive information such as credit card data. These are sent via text or email to the consumer while the consumer is online or on the phone with the agent. In this case, agents never hear the sensitive data, increasing trust for the transaction.
Network Security
7
FEATURE Security systems can also provide support with content filtering, identifying phishing attempts in emails and written communications to ensure they are already flagged as a potential security risk before agents receive them. This additional alert helps trained agents manage the risk appropriately, following company security protocols. Spear-phishing emails – the practice of sending personalised email scams to extract personal information or infect victims with malware – were the most widely used infection vector in 2017, employed by 71% of groups staging cyber attacks.6 Implementing security systems to support trained contact centre agents helps businesses significantly cut down on the risk of a security breach from contact centres.
Agent buy-in As businesses demand better security procedures from their contact centres, creating buy-in from support agents is critical. While many businesses might think the responsibility for staff rests with contact centres, it behoves businesses’ IT departments to reconsider their involvement and take a more active, collaborative role. After all, if a breach does occur as a result of underwhelming contact centre security, the end victim is ultimately the business.
“The role of well-trained agents here is twofold – making sure sensitive information is securely recorded in the first place and recognising and stopping malicious breach attempts. When best practices are executed successfully, trained contact centre agents become a priceless asset” While their roles may not be purely security or IT focused, there is a strong appetite for technological proficiency among all employees, including contact centre agents: 39% of employees believe their job performance could benefit most from technology skills training.7 It 8
Network Security
Answers to the question, ‘Which type of training do you think you need most?’. Source: Sitel Group.
is up to businesses to work closely with their contact centre partners to ensure that their employees are receiving adequate security technology training and maintaining security best practices. A key element of successful best practice implementation is merging physical and digital security systems – this is a vital part of maintaining an effective firewall. Businesses need to be aware of and involved in how their contact centres are managing that process. Cyber criminals typically target the most vulnerable aspects of a company’s security infrastructure, taking the path of least resistance through the unaddressed gaps between physical and digital systems. Because most security teams are not involved in or aware of the risks at their companies’ contact centres, these silos combined with the systems gap create an ideal back door for criminals. Combating this gap requires co-operation not only between teams but between companies. But when security training and development with vendors is addressed in a positive, holistic way, you avoid duplicating efforts or creating additional vulnerabilities. Ultimately everyone’s goals in this process are aligned – the real challenge is one of leadership. The key message that IT leaders need to take to the C-suite is that digital and physical security convergence – both internally and among vendors – is the best way to minimise breach exposure.
Widening the view Given the potential for severe business consequences following a firewall breach, IT administrators need to widen their view of security systems to include vendors such as contact centres. Evaluating AI systems used by contact centre vendors and confirming that contact centre employees have received satisfactory security training is essential to limiting business security risks. Managed effectively, the role of welltrained agents here is twofold – making sure sensitive information is securely recorded in the first place and recognising and stopping malicious breach attempts. When best practices are executed successfully, trained contact centre agents become a priceless asset to the security infrastructure of contact centres and businesses. Digital security infrastructure can also support agents in return. By using advanced AI to filter content and conduct speech analytics and track calls, security systems can recognise and alert agents to unusual call patterns in real time. This supports agents’ efforts to recognise potential fraud immediately, cutting down on risk and exposure. By developing these employee training and security systems, businesses can work with their contact centres to continue to build and maintain customers’ trust, ultimately enhancing business success.
November 2019
FEATURE About the author As Sitel Group’s SVP and chief security officer, Chris Knauer is responsible for defining the company’s overall security strategy and improving the effectiveness of global security for the organisation. In this role, Knauer drives initiatives that enhance the group’s people-driven culture with security programmes that align with Sitel Group’s core values and build trust with its clients. He has more than 25 years of experience in progressive security and technology roles with global brands.
References 1. Cisco Cybersecurity Report Series’. Cisco. Accessed Jun 2019. www.
cisco.com/c/en/us/products/security/ security-reports.html. 2. ‘Cost of a Data Breach Study’. IBM/ Ponemon Institute. Accessed Jun 2019. www.ibm.com/security/databreach. 3. ‘Does your business revenue stack up to others?’. QuickBooks, Intuit. Accessed Jun 2019. https://quickbooks.intuit.com/r/money/howdoes-your-revenue-stack-up-to-othersmall-businesses/. 4. ‘The State of Security in Contact Centres Report’. Semafone. Accessed Jun 2019. http://info.semafone.com/ download-state-security-contactcentres.
5. ‘2017 Cost of a Data Breach Study – Global Overview’. IBM/Ponemon Institute, June 2017. Accessed Jun 2019. www.ibm.com/downloads/cas/ ZYKLN2E3. 6. ‘Internet Security Threat Report – Volume 23’. Symantec. Accessed Jun 2019. www.symantec.com/content/ dam/symantec/docs/reports/istr-232018-en.pdf. 7. ‘Sitel Group’s Future of Work Report: the employee experience affects the customer experience’. Sitel Group, 24 Apr 2019. Accessed Jun 2019. www.sitel.com/news_ item/sitel-group-future-of-workreport/.
Office walls and roadblocks: how workflows and terminology get in the way of visibility
Tom Stitt
Tom Stitt, ExtraHop So many of an enterprise’s security problems aren’t about technology. They’re about organisation. They’re about bureaucratic blind spots. They’re about not being able to see the forest for the trees. The kinds of artificial barriers that separate different parts of the enterprise IT infrastructure may have once been useful, but they’re increasingly getting in the way of scale and the ability to deliver business outcomes. It must be said, boundaries used to be a lot clearer. The perimeter, for example, tended to be contiguous. Today, that inside/outside dichotomy is harder to draw. In recent years we’ve seen the rise of bring your own device (BYOD) schemes, virtualisation, everything-asa-service and, most importantly, the cloud. As the enterprise environment – in security parlance, the attack surface – has expanded and diversified, tools and teams have become even more siloed. As it turns out, the key to success is exactly the opposite.
November 2019
Enterprise anatomy In the modern enterprise there are three key stakeholders. IT operations (IT Ops) ensures the performance of applications and the infrastructure on which the business relies. Security operations (SecOps) ensures the integrity of those systems and protects them from outside threats, inside actors and accidental misconfigurations. And then there is the business itself – the employees and customers who are the users and consumers of these applications and systems.
In the same way, the enterprise environment is increasingly distributed across three locations: the datacentre – the traditional home for enterprise infrastructure and applications; the cloud, where enterprises are sending more and more of their workloads in order to take advantage of scale and elasticity; and the remote site and device edge, where more and more data resides every day. And all too often, these three locations come with their own toolsets. This not only increases tool sprawl exponentially, it also perpetuates the siloing of IT Ops and SecOps, and risks disconnecting those two teams from broader business priorities. But it doesn’t have to be this way. Yes, environments are more complex, teams are more siloed and tooling continues to sprawl, but there is one thing that all
Network Security
9
How contact centres can leave businesses exposed to cybercrime
Chris Knauer
Chris Knauer, Sitel Group More than 30% of organisations have experienced cyber attacks on their IT infrastructure, which can have severe consequences for companies that have not built cyber security into their operational budgets.1 The average cost of a data breach in 2018 was $3.86m and it typically took approximately 266 days to detect and contain a smaller breach.2 The costs associated with this kind of incident are crippling for average businesses, representing a significant fraction of revenue, given that the average annual receipts for a firm approaching 100 employees is $7.12m.3 Yet while many businesses have a clear understanding of their own IT infrastructure, they may not have the same depth of understanding regarding their vendors’ IT security. While security spending to reduce the risk of a breach is a core component of any digital business, many business and security leaders are unaware of the security gaps that may exist in contact centres.
Risky behaviour The first question IT leaders need to address is what kind of risky behaviour might be taking place outside their organisations that would impact their
information security. Data loss prevention (DLP) used to be the go-to strategy for ensuring that sensitive information was not released outside of the corporate network. Network administrators could control what data end users could transfer, but these protocols are not always consistent among vendors. For contact centres dealing in high quantities of sensitive information exchanged person-to-person, DLP does not address the human behaviour element. IT security administrators therefore need to be able to measure and score risk around an individual’s activity. The initial challenge is a misalignment of objectives between contact
How customers share payment card information with call centres. Source: Semafone.
6
Network Security
centres and their clients’ security teams; customer experience metrics often take priority over security measures at contact centres, because they’re more relevant to support agents’ direct goals. While this may improve customer relationships, making customers’ exchanges with a company as friendly, efficient and seamless as possible, it leaves firewall gaps too dangerous for security professionals to ignore. If these gaps are left unaddressed, for many businesses it is only a matter of time before they experience a data breach.
“Armed with the right training and best practice tools, employees can work in sync with digital defence security procedures and help close exposed gaps in company firewalls” One example of a way in which customer experience takes priority over security to the detriment of the firm involves the security of calls in contact centres. More than 70% of agents who collected payment data and personal information over the phone (address, full name, social security number, etc) still require customers to read their information aloud.4 This exposes the information to agents, quality assurance call recordings and nearby eavesdroppers. More problematic is the high level of breach attempt under-reporting: when agents experience a breach attempt, either by company insiders or outsiders, 42% do not report the situation. This produces an ideal environment for cyber criminals, creating low barriers
November 2019
FEATURE to entry and minimal consequences for malicious attacks.
Software solutions A natural response might initially appear to be to implement software solutions designed to block viruses and other malicious attacks, but anti-virus measures are not enough – 70% of organisations do not believe the threats they experience can be blocked by such software.5 A more effective route in closing these firewall gaps is better employee training. Well-trained and informed employees are the first line of defence for businesses against information security breaches. Armed with the right training and best-practice tools, employees can work in sync with digital defence security procedures and help close exposed gaps in company firewalls.
“Scripts used by contact centre agents control the quantity and type of information that agents can release. Once a cyber criminal successfully derails an agent and takes him or her off-script, the agent is no longer operating within security guidelines” One area in which training can mean the difference between a secure system and a data breach is phishing via social engineering. Social engineering is a common tactic that cyber criminals use to manipulate contact centre agents into releasing confidential information, extracting passwords and bank information by preying on the trust between businesses and consumers. Well-trained agents will be able to spot suspicious messages, verify the sender and details and avoid clicking on links containing malware that can infect the entire system. But a successful contact centre data breach corrodes trust in the very system designed to improve customer experiences, ultimately damaging the business and decreasing trust. In addition to phishing, untrained contact centre agents are also susceptible to vishing. Vishing involves making phone
November 2019
How call centres responded when they discovered a possible insider or outsider breach. Source: Semafone.
calls or leaving voice messages masquerading as being from reputable companies in order to trick individuals into revealing personal information. The objective here is to try to connect with the contact centre agent on an emotional level, with the ultimate goal of taking the agent off-script. Scripts used by contact centre agents control the quantity and type of information that agents can release. Once a cyber criminal successfully derails an agent and takes him or her off-script, the agent is no longer operating within security guidelines. As a result, the likelihood of compromising privacy is increased. The probability of this agent allowing him or herself to be driven off-script increases when campaigns focus heavily on net promoter scores (NPS) in which the agent is rewarded for caller satisfaction. A successful contact centre program blends the best of security and NPS programs by extensive training for agents to recognise these attempts. Agents are trained to recognise emotionally charged attempts to break through security barriers to take the agent off-script and redirect the conversation to return to the script and operate within security guidelines.
AI support IT systems can support employees here with artificial intelligence (AI). By implementing advanced AI and machine
learning systems that analyse call speech patterns in real time, systems can recognise unusual call patterns and alert agents and system administrators. This helps prevent a potential breach earlier in the process, improving with time as more data is added to the equation. It also helps create a record of potential risks for managers, underlining the need to identify and track person-to-person breach attempts. Being able to measure variance is what helps monitor and reduce fraud. Many contact centres are already in a position to begin implementing this technology by using security systems they currently have in place.
“Implementing security systems to support trained contact centre agents helps businesses significantly cut down on the risk of a security breach from contact centres” New technology can also be leveraged to redirect consumers to secure websites and interactive voice response (IVR) sites when there is a need to input sensitive information such as credit card data. These are sent via text or email to the consumer while the consumer is online or on the phone with the agent. In this case, agents never hear the sensitive data, increasing trust for the transaction.
Network Security
7
FEATURE Security systems can also provide support with content filtering, identifying phishing attempts in emails and written communications to ensure they are already flagged as a potential security risk before agents receive them. This additional alert helps trained agents manage the risk appropriately, following company security protocols. Spear-phishing emails – the practice of sending personalised email scams to extract personal information or infect victims with malware – were the most widely used infection vector in 2017, employed by 71% of groups staging cyber attacks.6 Implementing security systems to support trained contact centre agents helps businesses significantly cut down on the risk of a security breach from contact centres.
Agent buy-in As businesses demand better security procedures from their contact centres, creating buy-in from support agents is critical. While many businesses might think the responsibility for staff rests with contact centres, it behoves businesses’ IT departments to reconsider their involvement and take a more active, collaborative role. After all, if a breach does occur as a result of underwhelming contact centre security, the end victim is ultimately the business.
“The role of well-trained agents here is twofold – making sure sensitive information is securely recorded in the first place and recognising and stopping malicious breach attempts. When best practices are executed successfully, trained contact centre agents become a priceless asset” While their roles may not be purely security or IT focused, there is a strong appetite for technological proficiency among all employees, including contact centre agents: 39% of employees believe their job performance could benefit most from technology skills training.7 It 8
Network Security
Answers to the question, ‘Which type of training do you think you need most?’. Source: Sitel Group.
is up to businesses to work closely with their contact centre partners to ensure that their employees are receiving adequate security technology training and maintaining security best practices. A key element of successful best practice implementation is merging physical and digital security systems – this is a vital part of maintaining an effective firewall. Businesses need to be aware of and involved in how their contact centres are managing that process. Cyber criminals typically target the most vulnerable aspects of a company’s security infrastructure, taking the path of least resistance through the unaddressed gaps between physical and digital systems. Because most security teams are not involved in or aware of the risks at their companies’ contact centres, these silos combined with the systems gap create an ideal back door for criminals. Combating this gap requires co-operation not only between teams but between companies. But when security training and development with vendors is addressed in a positive, holistic way, you avoid duplicating efforts or creating additional vulnerabilities. Ultimately everyone’s goals in this process are aligned – the real challenge is one of leadership. The key message that IT leaders need to take to the C-suite is that digital and physical security convergence – both internally and among vendors – is the best way to minimise breach exposure.
Widening the view Given the potential for severe business consequences following a firewall breach, IT administrators need to widen their view of security systems to include vendors such as contact centres. Evaluating AI systems used by contact centre vendors and confirming that contact centre employees have received satisfactory security training is essential to limiting business security risks. Managed effectively, the role of welltrained agents here is twofold – making sure sensitive information is securely recorded in the first place and recognising and stopping malicious breach attempts. When best practices are executed successfully, trained contact centre agents become a priceless asset to the security infrastructure of contact centres and businesses. Digital security infrastructure can also support agents in return. By using advanced AI to filter content and conduct speech analytics and track calls, security systems can recognise and alert agents to unusual call patterns in real time. This supports agents’ efforts to recognise potential fraud immediately, cutting down on risk and exposure. By developing these employee training and security systems, businesses can work with their contact centres to continue to build and maintain customers’ trust, ultimately enhancing business success.
November 2019
FEATURE About the author As Sitel Group’s SVP and chief security officer, Chris Knauer is responsible for defining the company’s overall security strategy and improving the effectiveness of global security for the organisation. In this role, Knauer drives initiatives that enhance the group’s people-driven culture with security programmes that align with Sitel Group’s core values and build trust with its clients. He has more than 25 years of experience in progressive security and technology roles with global brands.
References 1. Cisco Cybersecurity Report Series’. Cisco. Accessed Jun 2019. www.
cisco.com/c/en/us/products/security/ security-reports.html. 2. ‘Cost of a Data Breach Study’. IBM/ Ponemon Institute. Accessed Jun 2019. www.ibm.com/security/databreach. 3. ‘Does your business revenue stack up to others?’. QuickBooks, Intuit. Accessed Jun 2019. https://quickbooks.intuit.com/r/money/howdoes-your-revenue-stack-up-to-othersmall-businesses/. 4. ‘The State of Security in Contact Centres Report’. Semafone. Accessed Jun 2019. http://info.semafone.com/ download-state-security-contactcentres.
5. ‘2017 Cost of a Data Breach Study – Global Overview’. IBM/Ponemon Institute, June 2017. Accessed Jun 2019. www.ibm.com/downloads/cas/ ZYKLN2E3. 6. ‘Internet Security Threat Report – Volume 23’. Symantec. Accessed Jun 2019. www.symantec.com/content/ dam/symantec/docs/reports/istr-232018-en.pdf. 7. ‘Sitel Group’s Future of Work Report: the employee experience affects the customer experience’. Sitel Group, 24 Apr 2019. Accessed Jun 2019. www.sitel.com/news_ item/sitel-group-future-of-workreport/.
Office walls and roadblocks: how workflows and terminology get in the way of visibility
Tom Stitt
Tom Stitt, ExtraHop So many of an enterprise’s security problems aren’t about technology. They’re about organisation. They’re about bureaucratic blind spots. They’re about not being able to see the forest for the trees. The kinds of artificial barriers that separate different parts of the enterprise IT infrastructure may have once been useful, but they’re increasingly getting in the way of scale and the ability to deliver business outcomes. It must be said, boundaries used to be a lot clearer. The perimeter, for example, tended to be contiguous. Today, that inside/outside dichotomy is harder to draw. In recent years we’ve seen the rise of bring your own device (BYOD) schemes, virtualisation, everything-asa-service and, most importantly, the cloud. As the enterprise environment – in security parlance, the attack surface – has expanded and diversified, tools and teams have become even more siloed. As it turns out, the key to success is exactly the opposite.
November 2019
Enterprise anatomy In the modern enterprise there are three key stakeholders. IT operations (IT Ops) ensures the performance of applications and the infrastructure on which the business relies. Security operations (SecOps) ensures the integrity of those systems and protects them from outside threats, inside actors and accidental misconfigurations. And then there is the business itself – the employees and customers who are the users and consumers of these applications and systems.
In the same way, the enterprise environment is increasingly distributed across three locations: the datacentre – the traditional home for enterprise infrastructure and applications; the cloud, where enterprises are sending more and more of their workloads in order to take advantage of scale and elasticity; and the remote site and device edge, where more and more data resides every day. And all too often, these three locations come with their own toolsets. This not only increases tool sprawl exponentially, it also perpetuates the siloing of IT Ops and SecOps, and risks disconnecting those two teams from broader business priorities. But it doesn’t have to be this way. Yes, environments are more complex, teams are more siloed and tooling continues to sprawl, but there is one thing that all
Network Security
9