The risk of insider theft of customer data in contact centers has increased in line with the boom in data volume, but this can be mitigated with granular security and vigilance, analysts note. They say well-established contact centers will realize that keeping ahead of the curve in implementing best practices will give them a competitive edge.
"Generally, it is not too difficult to get hold of private information and most systems are not secure enough to stop copies [from] being made and removed from the organization," said Andrew Kellet, senior analyst of IT solutions at Ovum.
According to him, the main problem has to do with the availability of, and access to, sensitive customer information, rather than the environment of a contact center.
It is also why the issue of insider infiltration is not specific to any one market or geography, he noted, because "data theft happens wherever there is a financial opportunity" and when call center workers feel undervalued or overworked.
Daniel Hong, lead analyst of enterprise at Ovum, added that the incidents of insider data theft in news headlines were only those that got uncovered and deemed "newsworthy", while other cases go undiscovered or unreported.
Despite the rise of the Internet, customer interaction with contact centers is still growing, and this increasing volume of data generated also heightens the risk of theft and fraud, he said. "Anytime sensitive information is exchanged, there is always a high risk," he said. "Add to that, the call center has been around for almost 40 years, and the world since then has become more digital with vast amounts of customer information housed on various CRM (customer relationship management) databases."
Krishna Baidya, industry manager of ICT practice in Asia-Pacific at Frost & Sullivan, noted that data compromise risks were not new, but the "scale of incidences of data theft coming to light of late seems alarming". He added that data leaks nowadays were not limited to contact centers but affected enterprise-held data as well, such as the massive data breach involving Sony PlayStation.
The analysts' comments come in the wake of recent news that Indian call centers were stealing and selling confidential data of some 500,000 Britons, including medical records and credit card details.
Granularity, vigilance key
Asked what security measures will help best ensure data protection from insider threats, Kellet said a robust data loss protection (DLP) system is a "good point to start", but emphasized the crux of the matter is ultimately controlling what data operators are allowed to see.
IT controls can and should be "very granular", so data can be segmented into only that which needs to be viewed by an operator to complete a task or request. Such granularity should extend to the use of monitoring software, so that unusual usage patterns can be picked up, reported and action taken, he added.
Frost & Sullivan's Baidya said well-established contact centers typically have rigorous security controls and best practices in place to prevent insider infiltration, including restricted data access, security audits, and video camera monitoring of staff.
Under such scenarios, incidents of insider data theft at the agent level are quite rare, he said. However, this may not hold if the main contractor does not carry out due diligence when sub-outsourcing to another provider, he pointed out.
For contact center employees at supervisory or management level who have more privileged access to data, it is also a test of their integrity when it comes to data breaches, he added.
He also stressed that part of the responsibility for protecting customer data should lie with the organization that outsourced its customer service. These companies need to be prudent in selecting an outsourcer based on certifications and past records, and to enforce a stringent SLA (service level agreement) in terms of data security or breaches.
Risks to reputation
As the risks of insider data infiltration and theft have been longtime concerns among contact centers, there would already have been preventative security measures in place, especially since a strong reputation was critical in this industry, said analysts who spoke to ZDNet Asia.
Contact centers which are "serious about their business" and want to be one-up in terms of offering customers peace of mind as a service differentiator will not only keep pace with regulations but also take initiatives to be "ahead of the curve through certification and adopting advanced security technology", Baidya said.
Hong concurred: "At the end of the day if fraudulent activities are on the rise it reflects poorly on management--and management gets this."
"These are competitive markets, and loss of integrity can mean loss of future business," added Kellet. The vulnerability to data theft is so well known that most contact centers, especially those in the finance sectors, would already have several security controls in place, he noted.
That said, just how thorough companies are in being vigilant about securing data varies. Kellet, for one, noted: "most organizations [in general] are not vigilant enough and contact centers aren't any different".