Critical Security Considerations for a Cloud-based Contact Centre
This post is published in conjunction with PCI Pal partner, 8x8.
The risk is real. Inadequate security and lack of compliance in your contact centre have serious consequences. Data breaches make headlines and affect reputations. Privacy violations put companies at legal risk. Downtime results in lost revenue. Recovering from hacking or fraud can be costly and can divert management’s attention.
To further complicate the challenge, you’re aiming at a moving target. New security threats are constantly emerging. What do you need to know, from a security perspective, as you evaluate moving your contact centre to the cloud? How can you be confident that customer data is secure when contact centre agents work from home?
What do I need to know?
When you’re ready to evaluate a cloud-based contact centre, be sure to work with a vendor who is willing to have frank conversations about the compliance requirements they adhere to and how they meet them. Failure to conform to laws like the Federal Information Security Management Act (FISMA) could jeopardize your company’s ability to do business with government agencies or security-conscious financial firms. Avoid all vendors who discuss security adherence in vague terms. Confirm the solution you select addresses the following three areas.
- Follow best practices for encryption and collaboration. Not all cloud systems are built equally. Poorly written APIs and weak identity and access management can expose businesses to unnecessary risks. Encryption should be a key area of focus; ensure the solution you select encrypts data both at rest and in transit. You’ll also want your solution to enable agents to collaborate across the business, so check the US National Security Agency guidelines for best practices in selecting and safely using collaboration services for telework.
- Ensure adherence to regulations. Regulatory requirements depend on your industry, so it’s important for your cloud-based service provider to comply with key standards such as HIPAA, PCI, FISMA, and all others relevant to your business.
- Look for third-party verification. Ensure your service provider maintains verifiable third-party certifications. In-house verification may not encompass the full scope needed to feel confident the solution is secure.
How is the landscape of security threats changing?
Security threats continue to increase in sophistication and frequency. According to Forbes, data breaches exposed over 4.1 billion records in the first six months of 2019. Over 3800 separate data breach incidents occurred in 2019 globally, and the number of data breaches in 2020 is expected to surpass 5000.
When you reduce the number of service providers comprising your solution, you reduce your risk. As part of your cloud contact centre evaluation, ask providers which components of the solution are native and which are provided by other vendors. A single platform for all components or one with strong integrations (unified communications, contact centre, video conferencing, and meetings) means better security, as the vendor has unobstructed access to the infrastructure and application stack in order to monitor, detect and respond to threats quickly.
What do you need to think about with work-from-home agents?
Many of the following security considerations are relevant whether your agents are at home or in the office.
- Provide company laptops for remote workers, as their own devices may have security vulnerabilities
- Use DTMF masking technology, so customers enter card data on their telephone keypad rather than giving credit card information to the agent
- Use multi-factor login authentication for an added layer of security
- Provide password managers to keep passwords hidden
- Ensure systems are updated with the latest patches and antivirus protection
- Use a VPN for connections directly into company systems
How can you be confident that sensitive customer information is secure with work-from-home agents?
Follow similar security procedures to those you would use if your work-from-home agents were in the office. When taking customer credit or debit card data, ensure the provider you use for payments meets the highest security standards. They must, at the very least, be PCI DSS (Payment Card Industry Data Security Standard) Level 1 Service Provider certified. PCI DSS has been published and maintained by the PCI Security Standards Council since 2006 and is endorsed by Visa, Mastercard, American Express and others as the minimum security requirement for handling credit card transactions.
For example, Agent Assist enables agents to handle payment authorizations simply and securely, in a way that meets PCI DSS compliance, by prompting customers to enter card data using their telephone keypad. Cardholder data is captured in the cloud and sent directly to the payment processor without ever being accessible to agents.
Should I transition to the cloud now, or wait?
The time is now. As security threats continue to rise, select a provider who will handle infrastructure security for you. They’ve invested hundreds of millions of dollars to make their platform safe. Piggyback on their investments and reduce the pressure on your own IT teams to keep your company safe and compliant at all times.