Short Message Service (SMS)
×

SUBSCRIBE TO TMCnet
TMCnet - World's Largest Communications and Technology Community

CHANNEL BY TOPICS


QUICK LINKS




 
September 2009 | Volume 28 / Number 4
Call Center Technology

Short Message Service (SMS)

Effectively Protecting Your Customers’ Data



By Brendan B. Read,
Senior Contributing Editor


Today’s organizations depend and thrive on data for marketing, customer service and staff management, and like anything that is valuable, criminals have been seeking it to commit ID other fraud, blackmail or other crimes.


The 2009 Identity Fraud Survey Report by Javelin Strategy and Research reports that the number of identity fraud victims has increased 22 percent to 9.9 million adults in the U.S., while the total annual fraud amount increased by seven percent to $48 billion over the past year. The reasons include profitability, safety (one can do it remotely without facing a gun in one’s face), easy to get away with, and simple to do, explains Greg Young, research vice president, Gartner.


To limit ID fraud U.S. Federal Trade Commission requires financial institutions and creditors i.e. firms that regularly bill/defer payment for goods or services or grants or negotiates credit like mortgage brokers and debt collectors to comply with its new Red Flags; after much delay enforcement begins Nov.1, 2009. The regulations mandate these firms to implement programs to identify, detect, and respond to the warning signs, or “red flags,” that could indicate identity theft.


Unfortunately firms have been launching new data-using processes without having the tools in place to adequately protect users and themselves. Multiple parties have easier reach into the information while service-oriented architecture permits applications to readily transmit data. Automated tools such as web forms enable access without intermediaries.


“The business uses of data have gone far beyond what the security architectures and procedures are designed for and these have not caught up,” explains Young. “There is a disconnect between what businesses do and intended to do with data and what security fence system is in place to enforce those policies.”


Also companies have been erring in favor of not inconveniencing customers as opposed to security such as asking for authentication through passwords and answers to challenge questions. These methods have become more difficult because the secrets used for authenticating users via passwords are readily available. This matter comes to a head with contact center agents who face annoyed buyers on the phone and who have to keep handle times short.


“There is a line between customer access and customer service that is tread more often than not on the customer satisfaction side, because firms don’t want to make it difficult for customers to get at data and risk annoying them,” says Young.


Limiting the People Threat

Contact center staff are on the data security front lines. Properly trained they can thwart intrusion. Yet they can also be crooks or deliberate or unwitting accomplices by bypassing controls and procedures, installing sniffer software to ferret out data, and using their access to forward information to crooks.


Unfortunately contact centers too frequently have environments that foster data loss and theft. Employees are typically low-paid and have minimal or no benefits, are often poorly supervised, rushed to meet metrics, and face enormous stress from demanding customers and management. Agents also tend to be young, sometimes immature, with little workforce experience, and financially struggling.


To limit the risk requires properly staff selection and management, keeping an ear for and acting quickly on any serious morale and performance issues. There needs to be work environments where employees look out for their company rather than looking the other way.


Thomas L. Cardella and Associates applies background including credit and work experience checks on new hires. It also provides them an excellent work environment. Its pay is slightly higher than its competitors while benefits that are the same from the agents to the CEO, and an employee stock ownership plan.


These processes and features have helped the BPO firm attract what CEO and founder Tom Cardella considers a superior quality agent. The average age is 34 years old, which is higher than some of its competitors, leading to a more conscientious and responsible work force, one that sees employment there as an investment in their future.


“Having a vested interest in our company helps manage data security issues, because it isn’t ‘management’ they are hurting either deliberately or through neglect but themselves,” explains Cardella.


Managing Data Access

To prevent theft while enabling quality customer services requires carefully managing data access. There are many data access methods. Among them are data masking – which replaces confidential data with fictitious material – shortening identifiers, data obfuscation and encryption.


Axis Technology, which makes the DMsuite data masking tool, argues that this method is far more effective than encryption because encrypted data is merely a puzzle that takes a little time to decode, explains company founder and president, delivery and operations Michael Logan. In contrast masked data cannot be reversed if it is removed from its environment. Also, by using data masking, companies do not have to disclose if there is a breach because the private data is unable to be used by thieves, therefore eliminating the risk.


Access management includes employee and user authentication, and there is a growing range of new biometric-based solutions to enable just that. For example Convergys has a new platform-independent on-demand voice authentication solution that is implemented by enrolling voice signatures. Companies can then authenticate agent-assisted and consumer transactions more securely than with traditional ID + PIN authentications.


The data access issue comes to ahead with CRM systems because many more people have differing access to the vast amounts of valuable information to perform their tasks. This renders the traditional data control method of separating access by users unworkable.


Larry Ritter, senior vice president and general manager of Sage CRM Solutions, says for those reasons his firm incorporates multiple security models and tools into its applications. These allow customers to apply the appropriate layers of security to their business needs and the right balance of security versus accessibility to their CRM data.


“For CRM, enforcing the appropriate role-based security along with functional/feature security is important for information management and interaction standards compliance,” says Ritter. “From data access security, to segmented record views, to field-level security, to feature/functionality, role-based security and user grouping/management, any combination of security implementations may be relevant to one customer and overkill for another.”


Outsourcing, Hosting, Offshoring and Home Agents

There have been concerns raised by firms and customers whether there is a greater risk of their information being stolen by third parties, staff outside of the U.S., or in their homes. Fortunately these fears say experts may be overemphasized.





Outsourcers have to comply by the same strict laws such as HIPAA that regulates individuals’ health information and standards such as payment card industry data security standards to that apply to card transactions as internal operations. It is also in their best commercial interests to do so; keeping their clients’ customers’ data safe and secure helps keep clients and attracts others.


For example, InfoCision Management Corporation has become a Level II merchant by PCI, which means that it can safely process between one and six million credit card transactions a year, reports Steve Brubaker, Senior Vice President, Corporate Affairs. It is now working on its annual audit to ensure compliance in addition to monthly audits. Level II firms must complete an annual self-assessment questionnaire.


Hosted solutions such as contact management and CRM platforms are systems can be equally safe as their on-premises counterparts. And for similar reasons as outsourced live agent applications: because they have to be.


“Hosted applications may not provide dedicated secure tunnels to the users’ sites while premise solutions can be as secure as money can buy,” reports Bernard Drost, chief technology officer of Innoveer Solutions. “[Yet with premises solutions] I usually see that security is an afterthought or the people deciding on how to handle security are not security experts. The good thing with hosted solutions is that a lot of very big companies host their CRM with the hosting providers so much research has been done to make the hosted system as secure as possible.”


LiveOps has been building and maintaining an enterprise security program for its hosted solutions for over 10 years. Niall Browne, the firm’s chief information security officer says hosted technology platform providers can leverage economies of scale in implementing security controls that can be expensive and complex for single corporations with often overextended IT teams. Hosted providers can also react faster with updates and changes to ward off threats.


In contrast premises-based tools may require creating costly security updates involving patches or complex configuration changes that would need to be created, issued, and distributed to customers and then installed. Which may come too late if the crooks have figured out how to punch through the security.


“If a security weakness is identified, the cloud computing model enables updates to be quickly identified and instantly updated to all customers,” says Browne. “The cost of implementation, compliance and 24/7 security monitoring and support can be spread across multiple clients, so every client has the security benefits and controls at a fraction of the cost and effort of implementing them individually.”


There is little or no increased danger in having Americans’ data handled by contact centers whether internal or outsourced in other countries, reports Gartner’s Young. This includes popular contact center locations like India, the Philippines, Latin America and Canada, which have similar if not more stringent laws and agreements that respect intellectual property and privacy.


There is a risk, though of data loss if firms set up or do business with firms in countries where there is a culture for data and intellectual property theft and/or strong government controls, and industrial espionage. These include some African, Asia-Pacific and Eastern European countries that Gartner’s Young declined to name. He recommends performing due diligence on these nations. Some firms that chose to locate in them have taken additional precautions such as encrypting the data handled on their WANs to prevent local telcos from snooping.


Similarly home agents are at no more risk from data theft than those in bricks and mortars centers. If anything the threat is less because these individuals tend to be higher quality, better educated, older, and more responsible than those in traditional sites. They also treasure the privileges and are not about to endanger them.


The one common technology weakpoint in home offices, one that it also shares with traditional settings is wireless networks that can be a source of unauthorized access. These can be managed by prohibiting them or remotely shutting them down when agents are at work. A similar data armor chink, wireless keyboards, can also be prohibited.


Firms can also deploy the same common authentication tools such as fingerprint, scan, and voice print scans and webcams as in bricks-and-mortar centers. For example West will soon be beta-testing voice biometrics for its “West at Home” agents. It is also evaluating webcams to ensure that its certified agents are in the seats.


Home agent security has been bolstered by remote control tools that capture users’ computers when they logon, preventing them from gaining unauthorized access to files and installing malware, relinquishing the units when they logoff.


These tools have become more powerful. The latest version of West’s internal solution, the West at Home Locked-Down Desktop Security Environment 2.0 now restricts wireless networks and unauthorized ports or virtual machines. Self-deleting code ensures that once the agents exit the Locked-Down Desktop; no traces of the program or applications that run inside of it remain on the agent’s computer. Code obfuscation blocks attempts to reverse-engineer the program’s proprietary code, thereby protecting intellectual property without affecting application functionality.


Checking and Responding

The best means to protect data are the most fundamental. These include checking to see if access credentials are up to date, frequent password changes, dumping unneeded sensitive data, and when staff members leave organizations, removing their permissions immediately. They also entail the virtual equivalent patrols using a combination of checklists and observations for anything out of the ordinary, such as increased traffic from a server that has been quiet.


“Too often firms are blinded by checklists and miss the obvious, like old or no encryptions on wireless infrastructure and unsanitized hard drives,” says Young. “They instead need to think like those who are observing the data network, including criminals. They then can see and close the big holes and prevent theft.”


And if, or more likely when data is exposed, there should be a tested response plan, including handling calls and notifying customers in accordance with the laws. That procedure can involve having a third party pre-arranged on call to manage volume spikes.


“We have been asked, on occasion, to help an organization who has experienced a data loss or breach in security,” says InfoCision’s Brubaker. “Typically we have assisted by providing inbound customer service for calls generated from security breach letters sent to those whose information might have been compromised.”


The following companies participated in the preparation of this article:


Axis Technology
www.axistechnologyllc.com


Convergys (News - Alert)
www.convergys.com


InfoCision
www.infocision.com


Innoveer
www.innoveer.com


LiveOps (News - Alert)
www.liveops.com


Sage
www.sagecrmsolutions.com


Thomas L. Cardella Associates
www.tlcassociates.com


West
www.west.com


CIS Magazine Table of Contents









Technology Marketing Corporation

2 Trap Falls Road Suite 106, Shelton, CT 06484 USA
Ph: +1-203-852-6800, 800-243-6002

General comments: tmc@tmcnet.com.
Comments about this site: webmaster@tmcnet.com.

STAY CURRENT YOUR WAY

© 2023 Technology Marketing Corporation. All rights reserved | Privacy Policy