Module Three – Building a Human Firewall

The final module looks at cyber security threats, both internal and external, and at how businesses and their employees can prevent them, preparing staff to become their organisation’s ‘Human Firewall’, even when working remotely.

Introduction
Contact Centre challenges
Cyber security risks and how to prevent them
Test your Knowledge

Introduction

Welcome to the third and final module of PCI Pal’s Summer School.

So far, we have introduced you to PCI DSS compliance and why it matters to businesses taking payments, and then looked at data breaches, data privacy laws and their repercussions.


At the end of the module there are five scenario-based questions to test your learning.

Contact Centre challenges

Security is a major concern for contact centres, given the large amounts of data handled by individual agents and the potential for a data security breach.

Some 72% of contact centres accept card payments from one or more of the five payment card brands associated with the Payment Card Industry Security Standards Council (PCI SSC).

Data security and PCI Compliance are the responsibility of every employee, whether handling customer data or not.

Businesses are required to train all staff on hire and at least annually on both subjects, which includes employees confirming that they have read and understood the company’s security policies and procedures. These policies will cover the PCI DSS requirements, including the 12 requirements covered in module one.


Though a business is liable for the financial and legal fallout of a data breach, an employee found to be at fault for a breach, even unintentionally, could face the disciplinary actions set out in the company’s security policies and procedures.

So, although it is an organisation’s responsibility to provide the relevant training, resources, and framework, data security is ultimately the responsibility of everyone within the business.


Remote workers

As we know, there are ways in which organisations can keep on top of data security and achieve PCI compliance within the contact centre, but not all of them are appropriate for remote working.

Compensating controls such as a ‘clean room environment’ or ‘pause and resume technology’ only reduce, rather than eliminate, the exposure of credit card data within the contact centre environment. For remote working, it is clear that these solutions are not suitable.

A contact centre manager cannot enforce a clean room environment when the agent is working from home, which is a real problem. Another problem is pause and resume, which only stops credit card data from being recorded and stored: the data can still be heard and seen by the agent, so it can easily be exposed and used unlawfully.

Cyber security risks and how to prevent them

There are steps that can be taken to defend a company from cyberattacks by helping businesses and their employees stay one step ahead of the threat – providing staff with the training and knowledge to become the organisation’s ‘Human Firewall’.

Here are five of the biggest cybersecurity risks businesses face and the measures that can be put in place to help prevent them:


1. Phishing attacks

If only there were as many generous benefactors in the real world as spam emails would have us believe!

Phishing attacks are attempts by scammers to gain access to sensitive information, usually via email. The most common form of phishing attack involves cybercriminals posing as supposedly trustworthy contacts such as banks and online services, creating realistic emails to dupe users into handing over payment information, passwords and more.

What can be done to prevent them?

  • Genuine companies will NEVER ask for sensitive information via email, so be suspicious of any emails that do.
  • All spam filters on email accounts should be switched on and staff provided with training on the telltale signs of a phishing scam.


2. Ransomware

This is a form of malware (software intentionally designed to cause damage to a computer, server, client or computer network) that encrypts data and then demands a ransom for the data to be returned. Most ransomware is delivered via malicious attachments or web links.

To stay protected:

  • Businesses should ensure all staff are aware of the threat posed by malicious emails, particularly those that try to prompt a response.
  • Keep all software and applications up to date.
  • Perform regular backups so data can be recovered if necessary, and test those backups regularly.
  • Companies should install anti-malware software as one step towards Payment Card Industry Data Security Standard (PCI DSS) compliance.


3. Data Leakage

The risk of data leakage is at its greatest in organisations that handle and store sensitive customer information, such as contact centres. The use of smartphones and tablets has made it more difficult than ever to guarantee that data is safe.

To lock it down:

  • Ensure all mobile devices are password protected.
  • Turn on GPS tracking and switch on functionality that allows the data to be wiped remotely if a device is lost.
  • Encrypt any data you are required to store.


4. Hacking

Hacking is the process cybercriminals use to gain access to company IT systems and networks.

Successful “hacks” can offer rich pickings for hackers, allowing them to steal customer payment information, intellectual property and other sensitive data.

To protect against hackers, businesses should:

  • Install network firewalls.
  • Implement strict data access security measures in line with PCI requirements.
  • Never take, process or store sensitive information that is not needed.



5. Insider Threats

Employees, contractors, clients and other third parties always pose a risk of an accidental or malicious data leak. Sophisticated tactics, or even a simple lapse in concentration, can give attackers the opening they need.

To mitigate the risks, businesses should:

  • Educate teams about the risks that exist.
  • Limit the amount of sensitive data staff can access.
  • Control the use of portable storage devices in the workplace.

To ensure data security and PCI compliance are maintained whilst staff work from home, businesses should:

  • Take steps such as multi-factor authentication
  • Instruct staff to use only business hardware and devices
  • Provide staff with training to understand the risks associated with working remotely
  • Use a secure cloud payment solution

Test your Knowledge

Whilst working at your desk, you notice a stranger with a clipboard briefly talking with a manager near the entrance door. The manager points to you, and the stranger walks over to your desk alone. The stranger introduces himself as Markus and sits down with you, saying he is an auditor here to inspect various documents and asks you to help him. What appropriate action could you take?


A dedicated employee, who would never intentionally harm the organisation, has neglected basic data security practices, which can quickly lead to the misuse of valuable data. How can this best be prevented?


You receive an email from an unknown sender that starts by revealing one of your currently used passwords! The sender insists they obtained this password by spying on your computer and now have compromising/scandalous images and recordings of you. They promise to delete these images in return for you sending them £1,000 in Bitcoin. What step should you take immediately?


As you open the side door to return to work after a break, you see a woman wearing a local delivery company's outfit shuffle towards the door. She appears to be struggling to carry two heavy boxes, which seem to be marked for delivery to the company. She asks if you could just hold the door open to let her deliver these boxes. What option below would be appropriate?


During a gap between calls, you notice one of your coworkers is doing something to busy themselves. Which of the following would likely pose a security concern?



Thank you for completing Module Three of the Summer School. We hope that you have learned more about PCI DSS, cybersecurity and protecting yourself and your workplace.
