Nowadays every company works with at least some kind of outsourced service or product, either to expand operational capacity, reduce costs, or elevate the know-how and strategic advantages of its business operations.
When any of these outsourced systems integrates with systems a company already runs, it is essential to ensure that your information is protected against the cybersecurity risks we all know by now: corporate espionage, social engineering, cyber attacks and data breaches. A strong security policy has an inverse correlation with cybersecurity risk: the better your security is, the lower the chances of your sensitive corporate information being exposed or lost to cyber threats.
You can do the math. With the average data breach worldwide costing a company $3.92 million, and escalating to $8.19 million in the United States, it’s worth the investment to prevent the threats. Better to be safe than sorry.
When contracting a product or a service there are numerous things you should take into consideration, but keep in mind one of the most important: the vendor's security posture. A trusted partner takes security and privacy seriously, has implemented a variety of safeguards in its processes, design and code, and has built its infrastructure to carefully protect users, customers and organizational data.
An end-to-end cybersecurity strategy should be designed to protect against known threats and also against an ever-changing security landscape. When you assess an organization's security posture, you should look carefully at its policies around software, hardware, services, processes, networks, information, vendors and service providers. This will include a myriad of security controls such as information security (InfoSec), data security, network security, physical security, vendor risk management, vulnerability management, data breach prevention and employee security awareness training. Those controls must not only be built on a proper risk management process but also be fully aligned with your own compliance requirements.
Here are the top four security criteria we recommend evaluating your vendors on.
The first step when assessing a vendor is to look for information about the security frameworks it follows and its compliance with the relevant regulations. Personally identifiable information, protected health information and other sensitive data are the main focus of data protection regulations; if your vendor meets the most demanding security standards, such as NIST, OWASP and ISO27001, then you are closer to having your information protected.
Be equally aware of industry regulations like HIPAA and international data protection regulations like GDPR and CCPA. Understand how sensitive information is protected in the cloud through end-to-end data encryption, audit logging and change management, and deployment flexibility that lets you meet internal, industry or geographic requirements.
One of the ways you can easily assess this step is by looking for a comprehensive set of company security certifications and standards, as well as examples of its internal teams' individual certifications, which show a consistent and continuous pursuit of improvement and adequate knowledge. These give you a high-level insight into how seriously the vendor takes security in its daily operations and processes and into its level of expertise, guiding your vendor shortlist process.
Also, take into consideration whether the vendor has a dedicated security team. This team should continuously monitor the threat landscape and conduct regular audits of the system to maintain a strong security posture at all times, not just when a threat is imminent. Remember, security is a continuous improvement process.
Every company has different internal security strategies; that’s normal. Especially for large enterprises, security policies can vary greatly by industry, size, business unit and geography. Enterprise-class vendors should be able to more easily adapt to your existing security policies and strategies, so you don’t have to adapt to each vendor.
Look for vendors who integrate with a variety of multi-factor authentication providers and identity management providers to streamline adherence to your existing security standards instead of forcing you to adapt to theirs. An additional bonus of taking this step is that it reduces stress on employees who would otherwise have to keep track of more credentials.
Just because a solution is cloud-based, it does not have to be any less secure than an on-premises one. The advantages of a cloud contact center solution over an on-premises one are well known. Still, security can be a daunting consideration for companies moving critical operations to the cloud.
To ensure you can trust the security of your cloud solution, the software infrastructure must be hosted and managed in secure data centers accredited to rigorous standards such as ISO27001, SOC2 and SOC3, which are key to meeting your organization's security requirements. As with an on-premises solution, ensure you get full visibility into agents' activity, such as logins and logouts, usual access hours and call destinations, so that you have a comprehensive, first-hand view of the solution's security.
If you belong to an industry that handles payment transactions, such as retail, healthcare or financial services, PCI-DSS (Payment Card Industry Data Security Standard) compliance is also a key capability, helping you maintain compliance for all remote payments that your agents process. For any of these industries, Level 1 compliance is a requirement.
Last but not least, make sure the vendor's solution is always available. Cyber threats such as ransomware attacks are known to take down companies' operations and block them from running their own businesses for indefinite periods, in exchange for a payout or some other settlement. They are happening every day! That is a frightening scenario that no security leader wants to encounter in their career.
To ensure your platform is protected from external threats and your business can keep running at all times, make sure your software vendor can provide a 100% Uptime SLA (Service Level Agreement). This is regarded as a measure of full confidence in the reliability of the platform, along with certifications such as ISO22301 for Business Continuity Management.
In the checklist "Managing Security of a Remote Contact Center" we explore how leaders in IT, security and contact center operations evaluate their current state of security and consider where to make strategic improvements to continue meeting the high security standards required for a contact center's workforce and throughout a security-focused organization.