Call centers were traditionally created in large warehouse environments, with
rows of agents dealing with customer queries via the telephone. This environment
was fairly easy to secure. The agents, systems and information were contained
within an enclosed physical location and traditional TDM-based telephony
networks were largely proprietary and difficult to compromise. Enabled by new
technologies and greater consumer demand, call centers have since evolved into
fully functional, multi-channel centers.
They are also becoming more distributed. For instance, Internet protocol (IP)
technology removes the need for agents to be confined to a single physical
location and enables systems and skills from around the organization to be
connected to the customer from any location.
However, greater access to information through multiple channels of
communication carries risks as well.
Convergence
The findings of Datacraft/Dimension Data's Global Contact Center
Benchmarking Report 2007 reveal that more than 60% of contact centers have
already introduced IP-based or hybrid IP PBX/ACDs. In Asia Pacific, 67% of
organizations surveyed also ranked the adoption of Session Initiation Protocol
(SIP) in their plans versus 50% in North America. SIP allows data to be easily
included in interactions. Examples of data relevant to contact centers could be
customer details, credit status, pricing, delivery status, etc.
IP technology allows contact centers to integrate previously disparate
systems to enhance customer experience and reduce response times. All customer
interactions via telephone, email, or web can now be accessed by the agent via a
single IP interface, providing a unified view of a particular customer
regardless of the channels used. This enables agents to access customer information
faster, and ensures that the interactions are managed seamlessly by the most
appropriate agent.
However, this unification of systems and information also means that any
single security breach can have greater and far-reaching consequences.
Regulation and Legislation
Information processed by contact centers is heavily regulated and bound by
legislation. Personal information is governed by the Data Protection Act;
financial information may be bound by the Financial Services Industry
regulators; and credit card transactions are subject to Payment Card Industry (PCI)
regulations in the country. Sensitive information must therefore be secured
against exposure to third parties and its distribution should be fully audited.
Do not call (DNC) registers are expected to be introduced in countries like
China and Australia. The Telecommunication Regulatory Authority of India also
announced the same, along with penalties, in 2007.
Multiple Interaction Channels
Most organizations have implemented multiple customer interaction channels.
According to the Datacraft report, voice remains the predominant channel in
contact centers, with respondents reporting that telephone and interactive voice
response account for 73% of total traffic.
However, new communication channels such as email and web are rapidly being
adopted as organizations understand the benefits of enhancing the information
they present to their customers. Participants in the study report that one in
ten interactions is now handled via emails. This is the second highest volume
channel, following agent-assisted telephone.
As voice is the primary interaction channel for contact centers, organizations
need to ensure its security. Traditional telephony networks are inherently
secure, being based on proprietary systems connected via private networks.
IP-based telephony, however, is based on well-publicized standards and
protocols, which make it more vulnerable to abuse and compromise. IP networks
are also highly interconnected, thus providing greater reach to customers,
suppliers and partners, but simultaneously open up potential access channels for
criminals and unscrupulous third parties. IP-based PBXs, voicemail and voice
recording systems, all common in contact center environments, are vulnerable to
attacks unless properly protected. This can lead to loss of service or privacy
violations. The IP voice communication itself is vulnerable to eavesdropping or
other tampering that compromises the privacy and/or integrity of the
communication.
Email is the most common route by which viruses are distributed, and contact
centers need to ensure that viruses are not received from or sent to the
customer during email exchanges. This could lead to business outages and
clean-up costs, or brand damage and potential litigation if the contact center
is responsible for infecting the customer. Contact centers also need to ensure
that they do not distribute sensitive, libelous or defamatory content to
customers and that the privacy of email communications is maintained. Web
content can also be a source of malicious code, and measures should be taken to
ensure that a contact center's web servers are not compromised or used as a host
for such content.
A Proactive Plan
Effective security cannot be achieved by implementing technology alone. It
relies heavily on managing a complex environment that also takes people and
processes into account. Many security systems fail because technology is seen as
the be-all and end-all of the security solution. But without policy and
well-trained, reliable operators, technology alone will fail to protect the
organization from security breaches.
To create secure contact center environments, we advise organizations to
focus on the following areas in particular: managing people, managing access and
managing information.
Managing People
Many contact centers have implemented quality management software suites
comprising voice recording at the basic level. Trainers use these recordings to
coach and evaluate the performance of contact center agents. In some countries,
voice recording is required as a part of industry compliance. By adding the
screen recording module, all keystrokes and on-screen activity of the agents
can also be captured. Screen recordings can help validate process efficiency
and process compliance, as well as set alerts in the event of suspicious
activities performed by contact center staff from their desktops.
Technology should be installed at the internet gateway alongside firewalls
and intrusion detection/prevention devices to filter e-mail and web traffic and
prevent malicious code from entering the network. Software should also be
installed on agents' desktops to prevent infection which may be caused by data
being physically transported into the contact center and installed on the
desktop. This software includes antivirus, personal firewalls, host-based
intrusion detection/prevention, etc.
The desktop can be further locked down by deploying policy enforcement
software that will reset desktops to a standard configuration or 'gold build'
should it be altered in any way.
Apart from implementing IT systems, it is imperative that contact center
employees are effectively screened and their backgrounds are checked before they
are hired.
Moreover, a robust security policy should be created, documented and
communicated to all employees, and compliance with it monitored. The policy
should define security roles and responsibilities, access privileges,
escalation paths and incident response processes. Procedures should be defined
for the processing and storage of customer information and an acceptable use
policy defined for the network.
Proper provisioning and de-provisioning of users is also critical to ensure that
correct levels of system, application and data access are granted for new
employees. This access needs to be revoked immediately once the employee has
left the organization.
Managing Access
Access to the contact center needs to be carefully controlled, with clear
demarcation lines drawn between internal systems (e.g. customer records) and
publicly available systems (e.g. the company's website).
IP-based Contact
Perimeter security is the cornerstone of access security and ensures that
the systems internal to the contact center are protected from unauthorized
external access. Firewalls and intrusion detection/prevention technology are
essential as the first line of defence, and access control is also essential to
control network and information access for employees and agents.
Additionally, there are several strategies that contact centers can implement
to identify and classify an agent and the device they are using, and control
access to the system:
- User ID and password
- Hardware tokens or smart cards
- Software tokens
- Biometric identification
- Network Admission Control
Managing Information
Protecting the contact center from information
leakages is always a top priority for organizations and we would recommend an
approach that combines Information Leak Prevention (ILP) software and
encryption. ILP software technology is used to control how information is used
on the desktop and if/how it is allowed to be distributed beyond the desktop.
In this way, sensitive data can be prevented from being copied to portable
media devices such as CDs/DVDs, memory sticks and PDAs, etc, or reproduced in
other ways such as printing, cutting and pasting or screen scraping.
ILP technology prevents sensitive information from ending up in the hands of
criminals, thereby reducing the growing risk of identity theft. The software
provides the necessary controls and also monitors user behavior at the desktop
and alerts or takes action against violations of the organization's corporate
policy. Access management and encryption are the most effective ways to achieve
security for this stationary data. Access management enables access only to
those authorized to view the data and encryption renders the information useless
to anyone who manages to break into the system. Encryption should also be used
on agent desktops in a virtual contact center.
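An added example (not from the original article) of the kind of content check ILP software applies to outbound email: it finds payment card numbers in a message body, uses the Luhn checksum to ignore order IDs and phone numbers, and then redacts or blocks. The function names, the block threshold and the sample message are assumptions made for this illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def inspect_outbound(text: str):
    """Return (redacted_text, findings) for one outbound message body."""
    findings = []

    def redact(match):
        digits = re.sub(r"[ -]", "", match.group())
        if not luhn_ok(digits):
            return match.group()  # order IDs, phone numbers etc. pass through unchanged
        findings.append({"offset": match.start(), "last4": digits[-4:]})
        return "*" * (len(digits) - 4) + digits[-4:]

    return CANDIDATE.sub(redact, text), findings


def verdict(text: str, block_threshold: int = 2):
    """Assumed policy: redact and alert on one hit, block at or above the threshold."""
    redacted, findings = inspect_outbound(text)
    if not findings:
        return "allow", text, findings
    action = "block" if len(findings) >= block_threshold else "redact"
    return action, redacted, findings


# Constructed sample: a non-card order ID and a well-known test card number.
SAMPLE = ("Hi, your order 1234567890123456 has shipped. "
          "We charged card 4111 1111 1111 1111 as requested.")

if __name__ == "__main__":
    print(verdict(SAMPLE))
```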
The contact center industry has transformed dramatically over the last
decade. Contact centers form the heart of the organization today, and are often
the primary or only point of contact with the customer. New opportunities,
however, also result in a new set of security challenges. Although technology
plays a role, a secure contact center effectively implies the need for ongoing
monitoring of people and processes.
Nagi Kasinadhuni
The author is GM, Converged Communications Solutions.
vadmail@cybermedia.co.in