Engineering a security-conscious culture
By Michael DeSalles
July 2019

Let’s be honest: contact centre agent fraud, within captive or outsourced contact centres, represents one of the most significant security threats facing organizations. For example, one of the most common fraud practices is for a contact centre agent to change a customer’s postal address with the intent to place a new order for a warranty replacement item. The dishonest agent then ships the product to an accomplice or to their own address.

There are other reasons why contact centres are vulnerable to fraud. Contact centres are known for large employee populations and high turnover. Combine that with access to personally identifiable information and you have the potential for agent fraud. One can point to several obvious sources of contact centre “insider” entry points.

1. Agents, supervisors, quality analysts, account managers and other employees.
2. Contractors (maintenance teams, catering and food vendors, janitorial crews, construction workers).
3. Third-party suppliers of computer equipment/software and office equipment.
4. Telephony providers and electrical subcontractors.
5. Visitors (clients, prospects, analysts, press corps, consultants).

Certifications are not enough!

Consider this: security certifications are certainly very important. But in and of themselves they aren’t comprehensive enough to prevent and detect contact centre fraud. Every day, agents make a conscious decision to either commit fraud or behave honestly. If we accept the fact that a high percentage of fraud occurs from within, then organizations must consistently and responsibly:

❯❯ Authenticate the identity of the agent with something the person knows and is; and
❯❯ Track agent activity with technology across multiple sites and geographies.

Using information that only the agent knows, in combination with verifying who they are, provides a much more secure environment in the enterprise.

Hardening facilities

Controlling access is a critical strategy both to prevent individuals from being in areas where they do not have authorization and to thwart (and stop) illegal activities. Here is a partial list of rigorous facilities controls that Frost & Sullivan analysts have observed in contact centre sites across the globe:

❯❯ Written security policies and building access procedures, including signage and posters on security;
❯❯ All visitors must be logged and admitted through reception;
❯❯ ID badge systems for all employees and visitors;
❯❯ Prohibiting badge-sharing and piggyback entry;
❯❯ Card key, biometric or similar entry locks;
❯❯ Individual lockers to enforce a clean desk policy;
❯❯ 24/7 onsite security guards; and
❯❯ Video surveillance and motion sensors for entrances, interior doors, equipment cages and critical equipment locations within the building.

Creating a culture of safety and protection

But all the best systems and measures to prevent fraud won’t significantly help unless the company and staff buy into it from top down. Therefore, it becomes imperative that there is an institutional security culture baked into the DNA of the organization. Here are some steps to take to create this culture.

1. Leadership. The CEO must support security with a system of internal controls and security measures to ensure the privacy of critical customer data. Consider a council or executive body that governs security worldwide.
2. Security organization and management. There should be a separate security organization (not part of IT) that reports directly to a C-level executive with experienced executives with extensive backgrounds. This organization would be responsible for creating and managing employee and vendor (particularly contact centre outsourcer) background check programmes. It also would be responsible for procedures like insider-threat detection and access management and would work with IT security. It would conduct end-to-end security analytics and behaviour analysis to detect and thwart attacks and insider fraud.
3. Fraud risk assessment. Perform regular comprehensive vulnerability assessment analysis of your applications and processes. This process typically generates a list of fraud “opportunities”. One of the outcomes could be to create remediation efforts to eliminate those opportunities in agent recruiting, training and daily operations.
4. Certifications and compliance. Employ a team of Certified Information Systems Security Professional (CISSP)-certified information security experts and fraud risk analysts and conduct independent audits. Ensure that the company is in full compliance with the strictest internationally recognized security standards and with the regulations in the countries you market to and serve across industry verticals.
5. Technology. Develop special processes, tools and platforms designed to make the contact centre environment more secure. As examples, utilize data loss prevention systems and intrusion detection systems.
6. Security hotline. Set up an internal fraud hotline at each site that allows employees to report suspected fraudulent activity.

Most critically, educate all employees on the dangers of fraud and on how these acts harm them, their customers and the company. Building daily awareness with employees is a fraud deterrent in and of itself. Making anti-fraud operational best practices part of your company’s DNA goes a long way in supporting and embracing security as not only “the right thing to do”, but also a competitive advantage for the future.

Make no mistake. Contact centre security is complicated, multifaceted and difficult to manage, particularly across multiple sites, countries and regions. It takes C-level support and millions in resources and investments. It is challenging, but not impossible, to build a security-conscious culture within the entire organization: reinforcing customer trust, reducing agent churn and uncovering gaps that may put clients’ intellectual property at risk.

Frost & Sullivan believes that a truly effective contact centre security programme is proactive in not only understanding the current threat environment, but also detecting the kind of fraud that insiders will commit in the future.

Michael DeSalles is a principal analyst with consulting firm Frost & Sullivan (www.frost.com). He has over 25 years of industry experience spanning contact centre operations management, customer service and support, agent supervision, sales training and project management.

DMN.ca