Just how do you keep organised crime from the door of the call centre? Albert Selzer locks down with some solid advice on data theft.
The news from India in 2005 that call centre workers had been selling valuable customer details caused a short-lived stir in the industry. But last year’s stories of Glaswegian gang-members that had infiltrated the city’s call centres raised questions once more: how secure are our call centres now? And how secure can they be in the future?
Of course, crime is a common sociological problem, and there is no reason why call centres should be an exception. In fact, given the nature of the information that they hold – especially those operating in the financial services – they are a rather obvious target. Criminal enterprise has recognised the value of personal and financial data and they have understood where it is and how to obtain it.
If opportunity is one side of the coin, then risk is the other. Any company needs to pay attention to both.
|Seven top ways to keep your customer data safe
1) Accept that there is no silver bullet that will instantly solve this problem.
Despite the radical advances in technology on all fronts, there is no simple single technological solution.
2) Have clear policies and guidelines regarding the handling and theft of data.
Spell out the consequences of data theft and emphasise that the company will prosecute those caught stealing data.3) Earmark information without telling the agents where or what it is.
All the agent knows is that any data with which they interact can be traced, and the source of any security breach identified.
4) Classify and compartmentalise information.
This ensures each agent has access to only a limited, relevant set of information and makes it easy to trace the source of any leak.
5) Consider the use of voice biometrics as a security defence mechanism.
Speaker recognition can continuously sample an agent workstation to ensure that the call handler matches the log-in. Biometric voice-printing can play a role in securing against and investigating data theft.6) Vet personnel, including IT staff.
Check their references properly and ask them to sign non-disclosure agreements when joining the company.7) Collaborate with others.
Share difficulties and problems, as well as possible solutions and best practice for maintaining security. A proactive, united approach will instil greater faith in the industry at large.
Data theft poses a serious risk to the call centre, so it is incumbent upon management to address this risk with the same diligence as any other aspect of the business. Managers should not make the mistake of delegating the issue to levels within the organisation who are not empowered to produce company-wide counter measures.
What to do about data theft?
There is no silver bullet that will instantly solve the problem. Despite the radical advances in technology on all fronts, there is no simple, single technological solution. One has to use a number of techniques and technologies in concert.
There is, after all, no point in locking the front door if you are going to leave all the windows open. Instead, security is a multi-layered activity that needs to be viewed holistically – something that is much easier to do from the boardroom than from the depths of the server room.
Call centre security is largely a defensive activity. It is a question of focusing on areas where you can be attacked. These are: physical access to any point at which data can be accessed or storage devices stolen; the entire information technology infrastructure; and, most importantly, personnel who have access to data.
Physical security is fairly straightforward, and there are any number of methods for effectively securing the premises and controlling access to equipment. Similarly, methods of protecting the network from virtual attack are well documented – although, as technology is a constantly moving feast, these systems need to be kept current.
Facing up to the real problem: people
But the challenge really starts when it comes to personnel security. People have always been the weakest link in any security system. You can lock the cash in the safe and make sure that every cheque has two signatures, but if trusted employees start stealing from the company then these measures won’t count for much.
This problem is compounded at call centres because of the very high turnover of staff. Organisations that deal with sensitive data, government departments and institutions that work with vulnerable people, including children, all have vetting procedures – some more rigorous than others. But these are expensive and time-consuming, and thus completely contrary to the ethos of a call centre.
It is precisely this problem that the Glasgow gangs have taken advantage of. By inserting their people in to the call centre through legitimate means, they have acquired authorised access to valuable data, leaving no trace of what was being stolen and by whom.
Looking at counter-measures
All is not lost, though. Call centres can fight back by doing some simple things. Have clear policies and guidelines regarding the handling and theft of data. Spell out the consequences of data theft and emphasise that the company will prosecute those caught.
One successful method is to earmark certain pieces of information without telling the agents where or what it is. All the agent knows is that any data with which they interact can be traced, and the source of any security breach identified. It makes that particular call centre a harder target than the next one.
Call centres also need to look at how data is organised and stored, and what group of agents have access to what information. Information needs to be classified and compartmentalised so that each agent has access to only a limited, relevant set. Not only does this reduce the amount of data that a rogue agent could steal; it also makes tracing the source of any leaks much easier.
Vet personnel as best you can within the confines of the law, and check references. Requiring personnel to sign non-disclosure agreements on joining the company emphasises the sensitivity of data and makes civil action easier, should it be appropriate.
IT professionals have an exemplary record, but their access to all data, security settings and user accounts, make them a prime target. Vet them very carefully, too. In addition, sourcing personal references from referees you know and trust offers the best security.
What about the technological side of things?
Technology can, and already does, help. Biometric technologies, such as fingerprint, palm or iris scanners can improve log-on and physical security. Speaker recognition can continuously sample an agent workstation to ensure that the call handler matches the log-in. Biometric voice-printing can play a role in securing against and investigating data theft.
When it comes to protecting sensitive data, the issue of tracking and auditing agent activity is a vital one. Both screen and voice recording technologies provide accurate audit trails of an agent’s activity, demonstrating who had access and when, and irrefutably verifying the identity of anyone interacting with the data.
When supplemented by voice recognition tools that take vocal ‘fingerprints’ to identify agents, they can also be used as evidence in any legal proceedings that might ensue.
The benefits of these kinds of technology are largely preventative. They act as a deterrent to criminal activity by increasing the likelihood of being caught and successfully prosecuted. However, this is dependent on adequate communication and education. All policies, guidelines and the consequences of criminal actions should be communicated throughout the organisation from a senior level.
Uniting the industry against data theft
Call centres are, understandably, not very vocal about data theft. But liaison between call centres with respect to the methods used by criminal enterprise, and successful counter measures, can only benefit the industry as a whole. No doubt the Customer Contact Association (CCA) can and will play a positive role in facilitating discussions of this nature.
This is clearly a serious issue for call centres themselves, but also for their clients. Most organisations now operate in a tight web of corporate governance and data management legislation, and are extremely aware that they are only as secure as the weakest link in their extended enterprise of partners and suppliers.
Nor does outsourcing solve the problem: instead it merely moves it. The ownership of data, and therefore the responsibility for it, has not shifted.
In selecting outsourced call centres, companies should look closely at how they secure themselves against data theft and should audit these measures regularly. Offshoring adds complexity and risk, and the business needs to understand whether the socio-economic environment in to which they plan to offshore is acceptable from a business risk point of view.
It is not possible to circumscribe all the measures one can or should take, and which might be appropriate for any particular call centre. Security is a balancing act between cost and efficiency on the one hand and risk on the other. Each call centre must find the recipe that works best for its particular circumstances.
But whatever individual call centres choose to do to manage this particular risk, it seems that some form of co-operation and collaboration will be required. If one call centre is attacked, the reputation of the industry as a whole suffers. Alongside the central register of call centre agents, industry benchmarks will help identify which are the most secure call centres, while some forum for sharing information and best practice will help raise standards sector-wide.
Criminals attack easy targets. It is clearly in the industry’s best interests to ensure that no such targets exist.
Albert Selzer is managing director at DataVoice EMEA