The data security of information systems has always been a major concern for organizations that rely on computer systems. Recent media reports of disgruntled employees stealing valuable data have heightened public awareness of the problem. And the problem is growing worse: attempts at “phishing” online services for private data increased 150 percent from October 2004 to October 2005, according to the Anti-Phishing Working Group.
In response, organizations are intensifying the scrutiny of their infrastructures and the processes that govern their interactions with their customers. They are examining anew how to control access to networks, systems and data, even focusing down to the level of the transaction financial limits set for any given customer.
As well as these general concerns, there are units within the larger business that have their own worries. For example, in a multichannel contact center, management must be concerned about the security of customer self-service channels; access by agents to the confidential information needed to resolve customer interactions; the security and accessibility of data held by suppliers of on-demand services; and information supplied to outsourcing companies running centers on their behalf.
For in-house systems, the solutions start with the implementation of standard processes and systems such as firewalls, password protection and predefined profiles that limit what a particular user can do. Monitoring systems can keep a careful eye on who is doing what and when, so that any violations can be detected quickly and stopped.
At the next level, organizations must rigorously manage and monitor their processes. As financial departments discovered when they began programs to comply with the Sarbanes-Oxley Act, many internal processes don’t stand up to close inspection.
The challenge becomes even more complicated when organizations move some operations off-premises to on-demand services or outsourcers. The success of these shifts relies heavily on efficient networking between the customer and the host site to transfer transactional data, but this means that significant volumes of sensitive data are held off-site and thus are vulnerable to security breaches.
It is reassuring that advanced purveyors of these types of service recognize the issues; some, such as salesforce.com, go the extra mile to demonstrate that their security controls are more rigorous than most customers’ in-house procedures.
On-site and off, though, the greatest challenge involves people. There is growing recognition that one of the fastest growing types of fraud is that carried out by employees. They are fully aware of all the security systems and have the inside knowledge to circumvent all but the tightest processes and controls.
Many offshore centers have higher rates of agent turnover than their on-premises counterparts; this fact significantly raises the need to protect systems and data from disgruntled employees and identify fraud, both actual and potential. Uncertainty here can lead companies not to trust suppliers with critical data such as customer passwords. In that case, the supplier cannot provide a full end-to-end service and must refer some inquiries back to the parent company. For example, one well-known ISP decided not to provide its two customer service outsourcers with customer passwords. As a result, a customer calling to query his or her password stood a two-in-three chance of having to call back in the hope that the subsequent call would be routed to the in-house center. This, of course, led to delays, increased costs and very high levels of customer frustration. For this reason, a company considering contracting for such services should examine carefully whether the third party can manage its customer interactions without full access to data.
One of the fastest growing security threats is identity fraud. The U.S. Justice Department reported a California case where a man was indicted, pleaded guilty to federal charges and was sentenced to 27 months' imprisonment for obtaining private bank account information about an insurance company's policyholders and using that information to deposit $764,000 in counterfeit checks into a bank account he established. The UK Home Office has estimated that more than 100,000 people are affected by identity theft in the UK each year, costing the British economy more than £1.3 billion annually. Instances range from major criminal actions such as stealing data in bulk from insecure corporate systems to individuals giving away vital information by responding to bogus e-mail messages.
In the contact center, perpetrators may possess enough information to appear to be genuine customers; they may be able to misuse customer self-service channels to obtain more confidential information or even carry out transactions such as money transfers or purchases. These actions can be extremely difficult to detect until long after the event; for example, customer and company alike may notice nothing until the customer discovers the discrepancy in a quarterly statement.
As the threats to data security proliferate, software vendors are developing procedures and products that can help organizations defend themselves. One challenge for many companies is that they don’t have a single, definitive source of data on which they can base key decisions. When data about customers exists in more than one system and the data differs, it may be impossible to know which is correct and thus to detect possible instances of identity fraud.
Techniques and technologies are being developed to address this issue. One is master data management, which is emerging as the means to control key reference data and the rules by which decisions can be made.
Another emerging strategy that can help is operational business intelligence: deploying the capability to analyze operational data across different systems to spot changes in trends, in real time if necessary. For the contact center, these changes could include sudden increases in spending, spending in different locations or an unusual spike in the values of transactions. Several vendors now specialize in analyzing data from contact centers. Combining this with other back-office data makes it possible to spot changes quickly in both volume and value of transactions.
Of course, companies should do all they can to prevent breaches of security and advise their customers to do likewise. Contact centers necessarily rely on data to fulfill customer inquiries. And more and more centers are deploying self-service channels, both to reduce costs and to improve the customer experience. With fraud of various types on the increase, contact center management must work closely with IT and network groups to ensure that both the data and access to it are as secure as possible.
Richard Snow is a regular monthly contributor to TMCnet. A complete archive of his columns can be found on his columnist page.