Experts project the permanent remote workforce to grow from 16.4 per cent in 2020 to 34.4 per cent in 2021. With more personnel decentralisation, companies will face more cybersecurity challenges.
Remote call centres will be particularly vulnerable because of the type and amount of data they handle. IT must therefore heighten security protocols and ensure that teams observe best practices for addressing cybersecurity threats.
Let’s discuss why your remote call centre is a hot target for fraudsters and how you can enhance cybersafety in the department.
Data Security Risks in Call Centres
Intruders attack organisations through the easiest loopholes, irrespective of the department. However, call centres have certain characteristics that increase their exposure to internal and external threats. Let’s see why they are a magnet for data thieves.
Sensitive Customer Data
Call centres handle sensitive customer data, something that fraudsters work day and night to find. At the least, call agents have direct access to personally identifiable information (PII), used to verify customer identities. This can include credit card numbers, bank details, SSNs, healthcare records, email addresses, passwords, dates of birth (DoB), and more.
Masters of social engineering often contact unsuspecting call centre representatives and lure them into exposing such information. If successful, they exploit it to commit fraudulent activities, like illegally transferring funds from bank accounts.
Identity theft and fraud cases have been rising steadily over the past few years. According to data from the Federal Trade Commission (FTC), complaints rose from 2.9 million in 2017 to just over 3.2 million in 2019.
Of the 1.7 million fraud-related cases in 2019, 23 percent of the complainants reported having lost money. Consumers lost at least $1.9 billion to fraud.
Entry-Level Employees
Some companies hire entry-level call centre representatives who demand relatively low wages. While this is a viable cost-cutting measure, it introduces other risks in call centres.
First off, some people take entry-level contracts only to gain experience, after which they look for greener pastures elsewhere. They don’t approach their jobs passionately since they aren’t long-term careers. Such workers don’t have much employer loyalty.
Second, a low-income worker might lack the motivation to work diligently. If they are struggling financially, a little incentive from external agents can have them selling customer information. Considering all the work involved in call centres, unmotivated agents can even misuse the data for personal gain.
Does that sound like your call centre? Your organisation and clients might be in trouble. You have a team of insiders who can assist intruders in harming your organisation without a second thought.
The Impact of Insider Threats
A study by The Ponemon Institute indicates that insider threats are on the rise. Since 2018, cybersecurity incidents due to rogue insiders have increased by a staggering 47 per cent. The cost of these threats increased by 31 per cent over the period.
If you thought that all insider-caused breaches are intentional, you are wrong. Data shows that most of the incidents occur due to mistakes by negligent employees and contractors.
While organisations lose a lot of money in dealing with negligent insider cases, the cost per incident is relatively low. The amount per breach involving insider criminals and credential thieves is two to three times as much.
High Attrition in Call Centres
Most workplace crimes by employees happen when they are about to quit or after leaving. The reason is simple – it’s hard to implicate an outsider for a crime that occurs inside your company. For this reason, organisations with a high turnover of employees who handle sensitive data face the risk of serious data breaches.
Sadly, attrition has been increasingly high in almost all sectors, call centres being among the most affected. Based on data from 2008 to 2017, call centre attrition fell gradually from 42 per cent in 2008 to 27 per cent in 2011. It started rising again from 2013 to reach 30 per cent in mid-2017.
If these statistics are something to go by, CISOs and IT managers have a reason to worry. Maybe it’s time for HR to raise the entry requirements for call centre employees and compensate them generously to retain them. Organisations should also support staff in difficult times to give them peace of mind and boost employer loyalty.
Tech Vulnerabilities in Remote Call Centres
Modern contact centres rely on digital systems to communicate with customers, and the technology is ever-evolving. However, criminals are continually finding ways to circumvent intrusion prevention and data security mechanisms.
The invention of chip and pin technologies heightened payment card security to almost foolproof levels. Fraudsters had to find alternative workarounds, one of which was exploiting the phone channel.
It’s not uncommon for VoIP providers to imply that their services are secure, but is that the case? While vendors can apply the highest cybersecurity protocols in their systems, there’s always a chance that a criminal will break them. Hackers are fast learners who scrutinise software systems and exploit the smallest loopholes.
As you can see, technology is vulnerable, and employees can expose data accidentally or maliciously. So, what can a data breach bring? Let’s discuss the damaging outcomes of a cybercrime.
Consequences of a Data Breach
The repercussions of a data breach are hard-hitting. They can even wipe a successful business out of existence. Below are some of the most damaging consequences.
Financial Loss
A data breach, especially one that exposes PII, can lead to untold financial implications. If customers lose money, you have to compensate them. You’ll also spend on incident response, investigations, legal fees, and setting up better security measures.
Penalties for non-compliance are costly. Technology and healthcare are inseparable, but stakeholders have to comply with strict regulations such as the Health Insurance Portability and Accountability Act (HIPAA) in the USA. Although the UK doesn’t have a HIPAA equivalent per se, any companies in the UK that do business in the US will need to abide by HIPAA laws. Fines due to negligence can cost $100 to $50,000 per violation.
Legal Action
The law requires organisations to demonstrate their ability to protect personal data from unauthorised access and misuse. If such information gets compromised, its owners can sue your business. Many victims in Europe and America have taken companies to court seeking compensation for data loss.
Forensic Investigations
A company that has suffered a data breach is responsible for investigating the cause of the incident. The findings are useful in creating a more reliable defence strategy to avert future cybercrime attempts. However, the associated expenses, which are often unanticipated, are costly in the short term.
Reputational Damage
A successful customer retention strategy requires a lot of time, effort, and resources. However, one data breach incident is enough to ruin your reputation and your business. Once you’re a victim of a cyberattack, most customers will lose trust in your company and stop shopping with you.
The worst part is that they will spread the word, either by telling others, protesting on social media, or commenting on your business website. You’ll lose out to competitors in no time.
Operational Disruptions
Cyberattacks interfere with business operations in incredible ways. A distributed denial of service (DDoS) incident, for example, prevents legitimate users from accessing websites and online resources.
The cost of an unexpected IT outage is high. A 2015 attack brought the BBC domain down for three hours, taking the on-demand radio and TV offline. It took the broadcasting giant about two weeks to recover.
Cybercrime Prevention in Remote Call Centres
Organisations have to implement a multi-layer data security strategy to stop intruders from accessing sensitive information illegally. If you run a call centre, consider the following information security measures.
Heighten Physical Security
Given a chance, bad actors would steal files right from their physical storage instead of struggling with sophisticated technologies. For this reason, safeguarding your data storage assets should be at the top of your list, and that starts with physical controls.
Ensure that only authorised staff can visit restricted areas such as server rooms. Only the employees on duty should use office computers. Install a reliable surveillance system and employ qualified personnel to monitor your offices.
Apply Data Security Basics
There are some fundamental security practices that every department using computer systems should implement. These include:
- Antivirus and firewall protection
- Long, non-default passwords
- One password for one account
- Two-factor authentication
- Software updates and patches
- Monitoring privileged users
While these bare minimums aren’t sufficient, they will at least give intruders a challenge trying to access your data assets stealthily.
Staff Training
Employees can only protect data if they understand its value and what can happen if it lands in the wrong hands. Therefore, organisations should sponsor staff training programs focused on data security. Teach your agents how to identify social engineering and phishing messages to avoid getting duped by imposters.
With the knowledge of GDPR and other regulations affecting your company, employees will be careful about the information they disclose to callers. The IT security officer should ensure that workers only access the data they need to complete work-related tasks.
Back Up Important Data
Data loss impedes productivity and can cost you business, whether it happens accidentally or due to an attack. It robs you of clients’ trust and reverence, yet you have to disclose the incident to your customers.
Therefore, it’s advisable to back up all your customer data in secure cloud storage where you can retrieve it on demand. Choose a service provider with robust security features, including, but not limited to, password-required entry, two-factor authentication, and security certificates. The backup will help you get back to business quickly if a breach compromises or destroys your data.
Use Advanced Encryption
The good thing about multi-layer security is that it increases the barriers an intruder has to break to access your information. Encryption is an effective way to frustrate an attacker who manages to steal confidential information since it converts data into an unintelligible form. Only an authorised person with a decryption key can decrypt the data to make it useful.
Advanced encryption and decryption systems work in the background without human involvement. It’s a must-have for organisations that are serious about preventing data breaches.
Avoid Oral Q&A
In this age, no call centre should require customers to provide sensitive details about themselves orally. Adopt a dual-tone multi-frequency (DTMF) system that lets clients enter PII as text via their phone keypads. The system should encrypt messages and deter interception.
Bypass Rogue Insiders
DTMF doesn’t benefit callers who cannot use the keypad. So how can you prevent rogue insiders from accessing sensitive data about customers? One solution is a cloud-based telephone system that routes confidential information directly to the service provider.
For instance, you can route cardholder data to the Payment Service Provider (PSP) through a secure cloud-based system. The call should be muted to the call centre representative when the customer is providing their information via Automatic Speech Recognition Software (ASR). The data doesn’t need to enter the call centre.
Use a VoIP Firewall
Unprotected VoIP systems can be vulnerable to Telephony Denial-of-Service (TDoS) attacks. TDoS can overwhelm your remote call centre with endless illegitimate calls, preventing customers from reaching your agents.
Fortunately, there are firewalls designed exclusively for VoIP connections that can detect and redirect calls flagged as possible threats. They can preempt DDoS attacks aimed at paralysing your call centre. Looking into VoIP solutions that provide extra security measures is also key.
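The detect-and-redirect screening described above can be modelled as a sliding-window rate check over call attempts. This is an added example, not code from the original article or from any VoIP vendor; the thresholds, phone numbers and the known-customer allow-list are constructed assumptions.

```python
from collections import defaultdict, deque

# Thresholds and phone numbers below are constructed for illustration.
WINDOW, PER_CALLER_LIMIT, TOTAL_LIMIT = 60, 3, 8   # seconds, attempts, attempts
KNOWN_CUSTOMERS = {"+441610000001"}

SAMPLE_CALLS = (
    [(0, "+441610000001")]                                  # known customer
    + [(10 + i, "+447000000099") for i in range(5)]         # one number redialling
    + [(30 + i, f"+4470000001{i:02d}") for i in range(6)]   # burst of distinct numbers
    + [(40, "+441610000001")]                               # known customer mid-burst
    + [(200, "+447000000150")]                              # after the window drains
)


def screen_calls(calls, known=KNOWN_CUSTOMERS, window=WINDOW,
                 per_caller=PER_CALLER_LIMIT, total=TOTAL_LIMIT):
    """Return (timestamp, caller, action, reason) per attempt, in time order.

    action is "route" (to an agent) or "divert" (to a challenge/overflow queue).
    """
    by_caller, everyone, out = defaultdict(deque), deque(), []
    for ts, caller in sorted(calls):
        own = by_caller[caller]
        for q in (own, everyone):          # expire attempts older than the window
            while q and ts - q[0] >= window:
                q.popleft()
        own.append(ts)
        everyone.append(ts)
        if len(own) > per_caller:
            out.append((ts, caller, "divert", "caller-rate"))
        elif len(everyone) > total and caller not in known:
            out.append((ts, caller, "divert", "flood"))
        else:
            # Caller ID is not proof of identity: routed calls still go
            # through the normal customer verification steps.
            out.append((ts, caller, "route", "ok"))
    return out


if __name__ == "__main__":
    for row in screen_calls(SAMPLE_CALLS):
        print(*row)
```

Diverting rather than dropping keeps a legitimate caller who trips a threshold reachable through the overflow queue.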
Clean Your IVR
Interactive voice response (IVR) is a telephony technology in remote call centres that lets businesses and callers interact through automated menus. It facilitates self-service and hence faster resolution of customer issues. If uncontrolled, it can expose private data to other users.
To avoid accidental exposure of customer information, erase all data from the previous call before making IVR resources available to a new user. Interactions should take place in real time, when possible, to avoid saving confidential information in hidden areas.
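One way to guarantee that per-call wipe, shown as an added example that is not part of the original article: `IvrChannel` and `call_session` are hypothetical names modelling a reusable IVR port, and the keyed-in values are constructed.

```python
from contextlib import contextmanager, suppress


class IvrChannel:
    """One reusable IVR port (hypothetical model, not a vendor API)."""

    def __init__(self):
        self.call_id = None
        self._fields = {}      # values keyed in by the current caller only

    def collect(self, name, digits):
        if self.call_id is None:
            raise RuntimeError("no active call on this channel")
        self._fields[name] = bytearray(digits, "ascii")

    def read(self, name):
        buf = self._fields.get(name)
        return None if buf is None else buf.decode("ascii")

    def wipe(self):
        for buf in self._fields.values():
            buf[:] = bytes(len(buf))   # overwrite in place (best effort in Python)
        self._fields.clear()
        self.call_id = None


@contextmanager
def call_session(channel, call_id):
    """Bind the channel to one call and always wipe it when the call ends."""
    channel.wipe()             # do not rely on the previous call's cleanup
    channel.call_id = call_id
    try:
        yield channel
    finally:
        channel.wipe()         # runs on hang-up, errors and dropped calls


def demo():
    channel = IvrChannel()
    with call_session(channel, "call-A") as ch:
        ch.collect("account_number", "12345678")    # constructed sample value
        seen_by_a = ch.read("account_number")
    with suppress(ConnectionError), call_session(channel, "call-B") as ch:
        seen_by_b = ch.read("account_number")       # previous caller's field
        ch.collect("date_of_birth", "01011990")     # constructed sample value
        raise ConnectionError("caller dropped mid-menu")
    return seen_by_a, seen_by_b, channel.read("date_of_birth"), channel.call_id
```

The second call sees nothing from the first, and its own input is gone even though it ended with a dropped connection instead of a clean hang-up.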
Run Penetration Tests
The best way to enhance cybersecurity in your call centre is by looking at your company through the eyes of a cybercriminal. After setting up your physical and logical security controls, conduct a vulnerability assessment to test the reliability of your network security.
In-house IT professionals can do it, but a consultancy is the best bet to eliminate bias. Seal any discovered loopholes before attackers find and exploit them.
Keep Learning and Improving
No system is entirely secure as cybercriminals keep devising new tactics. Update yourself with the latest cybersecurity practices and be among the first to implement them to stay ahead of cybercriminals.
Wrapping it Up
Overall, the remote revolution has been a massive change for the entire world. Moving businesses that are traditionally in-office to remote work locations has brought with it a myriad of possible vulnerabilities as well as some great work-life balance.
Creating a company policy for keeping your clients and your employees cybersafe will provide you and your team with added security and peace of mind in an ever-changing world.
Originally published Mar 26, 2021, updated Jan 16, 2023