The SANS Institute recently conducted a study of contact centers’ level of preparedness to handle social engineering-based attacks, in which a criminal posing as a customer tricks a CSR into revealing private account information. While progress has been made in the areas of employee awareness and even training, most contact centers still do not feel that they are adequately equipped to handle such attacks.
Many companies are not factoring security into their overall contact center budget. Security technologies are not being widely used, and in fact, almost 40% of companies surveyed said that they have weak security policies, or none at all, in place around their help desks. On top of that, only 10% of them feel that they have robust plans for risk management and security awareness training of their staff.
The first step in solving this issue is, of course, heightened awareness. If employees know to expect calls of this type, their suspicions will be aroused when a caller starts fishing for private information, or even wants to reset a password over the phone. But because the main purpose of a contact center is to help people, it can be difficult, if not impossible, to determine which callers are legitimate, and which are not.
The following 8 tips can help contact centers do a better job of protecting their customers’ private data:
1. Log and document every single call. Doing so can provide you with valuable information later, if it becomes apparent that a breach has occurred.
2. Automate password resets. While automation comes with its own set of risks, at least social engineering attacks will not be among them. Asking for a manual password reset over the phone is one of the most common social engineering tricks out there.
3. Verify every single caller’s identity and location. Even, or perhaps especially, if the call is being made from a mobile phone, this is an important step that should not be skipped over.
4. Have security policies in place. But simply having them is not enough. Employees need to be aware of them, and they need to be enforced.
5. Use workforce training to reduce the impact of attacks. Every minute of training will help combat social engineering, whether an employee notices something strange during a call and immediately puts her guard up, or realizes soon after the fact that she shouldn’t have given out certain information, and then notifies supervisors to alert that customer.
6. Reduce, or completely eliminate, the capture and retention of personally identifiable information by the contact center itself. It’s simple: if you don’t have the information, you can’t give it to the wrong person.
7. For internal support: Ensure that your system is updated with the latest information on new hires and terminations. Otherwise, in the confusion, information can inadvertently get into the wrong hands.
8. For external support: Require a customer ID. There should be some means of establishing customer identity that will add an extra layer of security.
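Tips 1 and 3 turn the call log into a detection source. As an added example that is not from the article, the Python below scans a constructed call log for three patterns a help-desk security team would want flagged: a sensitive action granted to an unverified caller, a grant shortly after repeated failed verifications on the same account, and one caller number failing verification across several accounts. The record fields, action names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a contact center call log (not from the article): one
# record per call, as tip 1 (log and document every call) would produce.
CALL_LOG = [
    {"call_id": "c1", "ts": "2024-03-01T09:00", "account": "A100", "caller": "+15550001",
     "verified": False, "action": "password_reset", "granted": False},
    {"call_id": "c2", "ts": "2024-03-01T09:40", "account": "A100", "caller": "+15550001",
     "verified": False, "action": "password_reset", "granted": False},
    {"call_id": "c3", "ts": "2024-03-01T10:15", "account": "A100", "caller": "+15550002",
     "verified": True, "action": "password_reset", "granted": True},
    {"call_id": "c4", "ts": "2024-03-01T11:00", "account": "A200", "caller": "+15550001",
     "verified": False, "action": "address_change", "granted": False},
    {"call_id": "c5", "ts": "2024-03-01T11:30", "account": "A300", "caller": "+15550001",
     "verified": False, "action": "balance_inquiry", "granted": False},
    {"call_id": "c6", "ts": "2024-03-02T14:00", "account": "A400", "caller": "+15550009",
     "verified": False, "action": "password_reset", "granted": True},
]
SENSITIVE = {"password_reset", "address_change"}  # never for an unverified caller (tips 2, 3, 8)

def find_suspicious(calls, window=timedelta(hours=24), min_failures=2, min_accounts=3):
    """Scan call records and return (rule, subject, evidence) findings."""
    ordered = sorted(((datetime.fromisoformat(c["ts"]), c) for c in calls), key=lambda x: x[0])
    findings = []
    # Rule 1: a sensitive action was granted although identity was never verified.
    for _, c in ordered:
        if c["action"] in SENSITIVE and c["granted"] and not c["verified"]:
            findings.append(("unverified_sensitive_action", c["account"], [c["call_id"]]))
    # Rule 2: a grant on an account shortly after repeated failed verifications on it.
    by_account = defaultdict(list)
    for t, c in ordered:
        by_account[c["account"]].append((t, c))
    for acct, acalls in by_account.items():
        for i, (t, c) in enumerate(acalls):
            if c["action"] in SENSITIVE and c["granted"]:
                prior = [p["call_id"] for pt, p in acalls[:i]
                         if not p["verified"] and t - pt <= window]
                if len(prior) >= min_failures:
                    findings.append(("grant_after_failed_verifications", acct, prior + [c["call_id"]]))
    # Rule 3: one caller number failing verification across many different accounts.
    by_caller = defaultdict(set)
    for _, c in ordered:
        if not c["verified"]:
            by_caller[c["caller"]].add(c["account"])
    for caller, accts in by_caller.items():
        if len(accts) >= min_accounts:
            findings.append(("multi_account_probe", caller, sorted(accts)))
    return findings
```

Running `find_suspicious(CALL_LOG)` on the sample returns three findings, one per rule; in practice the thresholds should be tuned against a real log's base rate of failed verifications.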
Following these tips can help your contact center to breathe a little easier, knowing you are doing what you can to protect sensitive data.