What did 2019 teach us about security in the Contact Center?
Privacy has significantly grown in importance. Until recently, conversations about privacy were generally restricted to experts in that area but this has shifted. New regulations such as GDPR (General Data Protection Regulation)— which was established in Europe but has broad international impact — have positioned privacy as a priority in every business’s short-list of concerns, compounded by non-compliance penalties.
Some countries have developed specific legislation that is both raising the bar on privacy as well as impacting global policies. For example, in the United States, the CCPA (California Consumer Privacy Act) was approved in 2019, creating a powerful set of regulations impacting companies who either have operations in California or customers located there.
GDPR has caused European data protection authorities to become increasingly active. New investigations have emerged around circumstances that raise flags, such as suspected data breaches or public complaints. Consequent fines can go up to 20 million euros, or 4% of the company’s total global turnover of the preceding fiscal year — whichever is higher. The biggest fine on record is €204,600,000, as a result of “insufficient technical and organizational measures to ensure information security”. Looking at the total fines for that category to-date, the number comes to a total of €332,967,397 incurred in 63 fines (Enforcement Tracker, May 2020).
The number of countries developing new national regulations to protect consumer data is also growing. According to the United Nations, the latest information from June 2020 states that most countries in the world (77%) have already established or are currently drafting legislation for data protection.
What to Do to Secure Your Contact Center Now That Agents Are Working From Home?
#1 Increase Regulatory Awareness and Maintain Compliance
Even during exceptional business circumstances and times of uncertainty we find ourselves in now, adherence to regulations and increasing customer protections are critical. Andrea Jelinek, Chair of the European Data Protection Board (EDPB), explains, “Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects.”
In an ever-changing environment where people can’t go outside safely as much as they used to, they are replacing in-person interactions with digital ones. Consumers have adapted to a, hopefully, temporary new way of living by staying home more and dramatically increasing their use of digital services to interact with each other and organizations.
In this new normal, there is a natural growing trend of online shopping and services, leading to an increase of personal customer data being shared with companies. This must be reinforced by adequate plans to guarantee the data is processed lawfully, as part of business continuity standards even in remote work environments with decreased oversight.
Although GDPR includes exceptions to cover events like COVID-19, companies must be careful and maintain standards for processing personal information. One exception concerns employers and competent public health authorities, allowing them to process personal data in the context of epidemics without the need to obtain the consent of the data subject. This involves reasons of concern either in the area of public health to protect vital interests or to comply with another legal obligation. The full statement is provided by the European Data Protection Board.
There are much more security standards to respect and data privacy regulations to comply with. The most efficient way to prepare a company to answer these is by starting with the most complex and comprehensive one. This way, the simpler ones that follow will have some requirements already fulfilled, easing the work in the following ones.
#2 Create an At-Home Security Standard
In the wake of a quick shift to remote work, it’s natural to assume employees may look for solutions to streamline their processes or to replace what they feel are less than suitable choices from IT. This concept of shadow IT is now spread out amongst the entire employee base and any one of these unapproved solutions could be insecure. If any employee uses their professional email address and password to sign up for an unapproved solution, and a breach occurs, all of the company’s data —both employees’ and customers’ — can be at risk. To get out in front of this, IT and Information Security teams must create a new set of standards that employees can easily understand and apply to new circumstances, adapting many of the best practices developed from the physical contact center to support work-from-home agents.
Because contact centers are a rich source of valuable company and customer data, they’re commonly seen as a soft target for fraud, and social engineering is the most common way to commit fraud in contact centers. Without the right tools and policies in place, agents can become easy prey to wrongdoers that encourage them to access private information or release information they shouldn’t even have access to.
With the right information security standards in place, companies can allow specific employees access to critical information only when it’s needed, but without implementing an overly complex and long process every time someone needs access to that same information. Currently, existing security policies to access information usually range from having tight processes that take a lot of time to go through, to the opposite of having minor security policies in place in an attempt to be faster and more liberal.
But there can be a healthy equilibrium balance on this range of possibilities, starting with providing an appropriate security awareness training to contact center agents and proactively monitoring the threats landscape to mitigate unpleasant surprises. Companies should put proper digital security training in place, so everyone knows how to behave online, and enable reporting and analytics to know who is using the company’s tools and from where. Organizations should also establish simple safety protocols such as two-factor authentication with trustworthy identity providers to make it virtually impossible for anyone besides employees to access company information.
#3 Digital Transformation Is the Perfect Opportunity for a Security Update
One of the ways companies are trying to achieve the delicate balance on security processes is by protecting their contact center first. Using today’s events as an opportunity to pursue a digital transformation strategy can be a silver lining in a darker cloud of uncertainty. Forward thinking organizations are relying on cybersecurity specialists to work with IT, Information Security and C-Suite leaders to build a strategy that takes advantage of current security and compliance options, while planning for a future that looks for return on investment.
Digital Transformation is not just a buzzword on C-level roadmaps. It’s no longer something companies do to thrive or to set themselves apart; it’s needed to stay competitive. It’s something that every level of the organization — from the executive board to staff — has to support and build into their day-to-day goals. Digital Transformation also means responsible autonomy. Along with the right cybersecurity specialists, companies should have the right tools in place from a trusted partner to help manage security as they grow and fill those specialist roles.
Contact Center Security: 2019 in Review & Looking Ahead in 2020
Listen about key security moments in 2019 and what top priorities 2020 brings.
According to a Vanson Bourne report, 61% of companies cited that data privacy was the #1 factor influencing a move to the cloud, followed by 40% citing cost of maintenance and 35% citing cost of migration. With so many concerns in mind, companies should ensure their contact center partner can provide the tools they’re looking for to ensure a successful digital transformation and move to the cloud.
When looking for a cloud solution, it’s not only important to think strategically about how high-level goals will be fulfilled, but also how to put people before process, and process before tools. However, companies should not neglect how tools can help them empower their people on a daily basis without overlooking their processes. This conscious decision will ultimately help companies protect their business and better position themselves in their industry, not just on a business-as-usual basis, but also during uncommon business circumstances that we’re experiencing today.