Remote Working for contact centres: Critical next steps, beyond the crisis
Remote working is here to stay. How to make sure security is not compromised.
For many, it’ll stay that way too, as some companies stick with the system. Barclays has 70,000 staff working from home and its boss Jes Staley says a big city office “may be a thing of the past”, while Twitter has announced its employees can work from home “forever” if they wish. [1]
But the speed at which companies switched en masse to remote working — though understandable — has involved risks that are now starting to become apparent.
Why contact centres need to retrace their steps urgently
With customer service at stake, contact centres had little time for attention to detail when rushing into remote working. Gaps in processes and policies are being exposed, whether organisations actually realise this or not.
A recent survey has found that 71% of UK contact centres were not fully ready for remote working during the COVID-19 lockdown. [2] Two thirds had to invest in additional hardware, such as laptops, media servers and networking devices. Then there were licences and a bundle of other issues to think about.
But that’s not all. In the stampede, it’s been easy to overlook major security implications.
This guide will help you retrace your steps and fix critical vulnerabilities. It’s time to get out of crisis mode — and into the safe zone.
Contact centres: Remote working means your attack surface has widened
Normally, IT security strategy focuses on narrowing the ways your organisation could be exposed to attack. There’s a tight perimeter around your IT — and it’s where you ramp up protection.
But now, your ‘attack surface’ has widened massively. There’s the potential for criminals to steal sensitive data by targeting your remote staff.
Figure 1: Criminals now have more targets and potentially more opportunities, simply because the home environment may not be as secure as the contact centre premises.
So how do we start to remedy the risks?
It’s essential to focus on the people, processes and technology involved, so we can mitigate dangers.
Let’s take a look at each of these…
Your people: How to avoid having any ‘soft targets’
Your employees’ security awareness and vigilance is critical to your protection and compliance — and should now play a greater role in company culture.
Four top areas where you need to focus
1. Devices used by your employees
With remote working, the issue of which devices your staff will use comes right to the top of the agenda. However, this poses a multitude of questions that need answering.
Use of personal devices brings a lack of visibility of the operating systems used, the software that is installed, the level of patching that is done and the threat of installed malicious software.
2. How staff connect to you
A further concern is how your end-users are connecting to your systems and accessing account data from unsecured locations. You need to know:
– Are they connecting from public networks?
– Are they using home or shared networks?
– What other devices are connected to these source networks?
3. Email phishing attacks
You’ll already have heard of these and may have identified increases in phishing attacks — some specific to COVID-19.
Phishing emails can be highly effective because they’re targeted and aim to take advantage of a current crisis. They play on human emotions in a pernicious way and instil a sense of urgency. They also demand action so that end users click on a link or open an attachment.
4. Non-approved cloud services
Are staff using personalised or non-approved cloud services to store company data? Perhaps they’re doing this in the spirit of productivity, but does it expose you to PCI DSS, GDPR or other compliance risks? You need to know:
– Which non-approved communication channels are being used by your agents?
– Are integrity and confidentiality being compromised?
– Have any of the solutions being used been shown up to have fatal weaknesses?
How to mobilise your employees as part of your security response
Communicate with them frequently around cyber security, awareness and risks — and make this part of your ongoing strategy. Make sure staff are aware of the security challenges of home-working, such as the increased likelihood of data leakage and the threats posed by phishing attacks.
Encourage reporting so people tell you about suspicious emails. Many employees may receive the same email — and so someone’s early warning could help IT teams to detect and defend against these attacks.
Create a safe environment to report suspected breaches. Recognise that — while we all aim to avoid clicking on a link — lapses will happen and phishing attacks are becoming more sophisticated and convincing. So, ensure people feel safe to report suspected breaches in a blame-free way. That’s because clicking on a link and not reporting it could be the worst outcome of all.
Your processes: Where to set your priorities
With remote working, many standard IT procedures need an urgent recalibration.
Asset management
As we shift to more remote working, employees may have been permitted to take assets home and out of the work environment. It’s vital to understand that assets often include data, such as customer information or intellectual property, that you need to protect. Asset management will give you control of your equipment, which has a monetary and security value. Having procedures in place should ensure assets are tracked and returned when needed.
Reinforcing your acceptable use policy
Your use policy should have clear rules about what’s allowed when employees use company equipment. State that company equipment should be used only for work purposes (even when in the home environment). Make your users aware of what cloud providers and services they can use, as this will mitigate some risks of data leakage into cloud providers you don’t know about.
If you don’t issue company equipment, encourage your employees to follow good cyber hygiene and safe working practices with their own devices. Advise them to patch regularly and make them aware of the emerging threats that may impact their security.
Remote access procedures
You need multi-factor authentication — it’s a ‘must’. Also, end users who are connecting on personal devices must provide you with information about their operating systems and whether they have antivirus software. This will give you some level of visibility of connected devices as well as potentially enabling you to prohibit the connection of out-of-date or unsupported devices.
Starter and leaver procedures
An economic downturn will result in some organisations reducing staffing levels. So, validating the ‘leaver’ process becomes crucial to security. You must ensure that departing users don’t have any residual access rights (across your own systems as well as any cloud solutions or other services they have been using). At the same time, refresh your procedures for new starters and movers, so they’re up to date with the new security realities of remote working.
Business continuity testing
This is important in challenging times. By working smartly and being open to change when any shortcomings are highlighted, you can help keep security central to the decision-making process. This will enable you to adapt rapidly in a secure and compliant way.
Your technology: Maintaining PCI DSS compliance in a different world
In so many cases, IT leaders have done a phenomenal job, leading their organisations through a storm by provisioning tech and services to maintain essential business services.
Perhaps you’ve had to re-shape the way your company works to incorporate on-premise and remote operations — and it’s saved the day in many ways? Maybe this has underlined the importance of a flexible IT strategy and the need for innovation?
If so, then an obvious move for organisations to consider is the de-scoping of their contact centres (and remote workers) from PCI DSS by teaming with a third-party partner for payments processing. This can significantly reduce the compliance challenges from everyday security threats and major challenges that arise unexpectedly.
The security rationale and business case for keeping sensitive information out of your entire (office and remote) environment through de-scoping has never been stronger.
Aside from this, here are seven actions for organisations to strengthen compliance:
1. Reach out to your technology vendor, highlighting your changing needs.
2. Do due diligence when evaluating any IT solutions to make sure that you receive an attestation of compliance — for example, if it’s a PCI DSS compliant solution.
3. Review the responsibility matrix to make sure that it is going to meet your needs.
4. Adopt a multifactor authentication approach, because there are a lot of technologies out there that might seamlessly integrate into a wide variety of both VPN endpoints and end user devices.
5. Consider email filtering. It offers good protection against phishing attacks.
6. Flag external source emails. This can help users to identify malicious emails that pretend to be from colleagues. It can help them understand the risks and identify future suspicious emails and content.
7. Scan connected devices to identify malicious traffic that’s originating from some of your connected entities. Carry out log reviews, which will help you discover if any suspicious behaviour is occurring, such as numerous failed login attempts or attempts to access unauthorised areas.
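As an added example (not from the original article or from Eckoh), the log review in action 7 could look like the Python script below: it flags numerous failed logins inside a time window, a successful login that follows such a burst, and denied access attempts. The key=value log format, field names and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical key=value format (not from a real product).
SAMPLE_LOG = """\
2020-06-01T09:00:05Z user=agent17 src=203.0.113.8 event=login result=fail
2020-06-01T09:00:41Z user=agent17 src=203.0.113.8 event=login result=fail
2020-06-01T09:01:10Z user=agent02 src=198.51.100.23 event=login result=fail
2020-06-01T09:01:30Z user=agent17 src=203.0.113.8 event=login result=fail
2020-06-01T09:02:02Z user=agent17 src=203.0.113.8 event=login result=fail
2020-06-01T09:02:50Z user=agent17 src=203.0.113.8 event=login result=fail
2020-06-01T09:03:15Z user=agent17 src=203.0.113.8 event=login result=ok
2020-06-01T09:31:40Z user=agent02 src=198.51.100.23 event=login result=fail
2020-06-01T09:32:05Z user=agent02 src=198.51.100.23 event=login result=ok
2020-06-01T09:40:12Z user=agent09 src=192.0.2.77 event=access resource=/admin/payments result=denied
2020-06-01T09:40:30Z user=agent09 src=192.0.2.77 event=access resource=/reports/export result=denied
"""

def parse(line):
    """Split 'TIMESTAMP key=value ...' into a dict with a parsed 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def review(log_text, max_failures=5, window=timedelta(minutes=10)):
    recent = defaultdict(deque)  # user -> failed-login times inside the window
    bursts, success_after_burst, denied = set(), set(), defaultdict(set)
    for line in filter(str.strip, log_text.splitlines()):  # assumes time-ordered log
        rec = parse(line)
        user = rec["user"]
        if rec["event"] == "login" and rec["result"] == "fail":
            q = recent[user]
            q.append(rec["ts"])
            while rec["ts"] - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= max_failures:
                bursts.add(user)
        elif rec["event"] == "login" and rec["result"] == "ok" and user in bursts:
            success_after_burst.add(user)  # password may have been guessed: review first
        elif rec["event"] == "access" and rec["result"] == "denied":
            denied[user].add(rec["resource"])
    return {"failed_login_bursts": sorted(bursts),
            "success_after_burst": sorted(success_after_burst),
            "denied_access": {u: sorted(r) for u, r in denied.items()}}

if __name__ == "__main__":
    for finding, value in review(SAMPLE_LOG).items():
        print(finding, value)
```

Two failures half an hour apart (agent02) fall outside the window and are not flagged, which keeps ordinary mistyped passwords out of the findings.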
Using security to give your organisation the edge
A crisis poses challenges but it also provides the opportunity to re-shape and then re-examine your employee policies, business processes and technologies. It’s important that we recognise any shortcomings — so security is kept front-of-mind and becomes embedded in an organisation’s culture. It will make any plans you have more robust and fit for purpose in the future.
To discover more about contact centre resiliency, download Eckoh’s guide to Contact Centre Resilience: 5 things we’ve learned from COVID-19 or get in touch.
Kevin Vaughan is Head of Systems & Information Security at Eckoh
Kevin is responsible for Eckoh’s security posture, continued compliance and monitoring the threat landscape to assess existing and emerging threats. He is a passionate cybersecurity advocate, maintains a variety of security certifications including CISSP and has over 20 years’ experience across Systems Architecture, Operations and Security.