Call Center Security: How to Protect Employees and Customers

For many companies, call centers are the heartbeat of the business. So they require CSOs to strike a balance of physical and digital security measures for employees and customers alike.

Pratibha Srikanth Murthy, 24, was raped and murdered on her way to work at a Bangalore call center in the early hours of December 13, 2005. But the court proceedings that gripped India in February this year weren't the trial of her alleged assailant, cab driver Shiv Kumar. Instead, the case focused on her ultimate superior at work, Som Mittal—the managing director of call center operator Hewlett-Packard GlobalSoft in 2005, when Srikanth Murthy was killed.
Now the president of India's National Association of Software and Services Companies (Nasscom), the main industry body for the country's vast outsourcing and call center industry, Mittal has been charged under Indian laws that require certain businesses to provide safe transport for female employees traveling to and from the office at night. Ironically, Nasscom itself helped to draw up guidelines for such transport, which include requirements for guards to accompany drivers in company taxis, and that female employees should not be the first to be picked up or the last dropped off.
And with India's Supreme Court rejecting in February a challenge to the case being brought, the stage is now set for Mittal—and by implication, Hewlett-Packard GlobalSoft—to face trial. If found guilty, he would face a fine of 1,000 rupees (around $25) and would get a criminal record.

Thankfully, fatal attacks such as that on Srikanth Murthy are relatively rare. But almost three years after the murder, the name of Hewlett-Packard GlobalSoft is still being associated with the case—and that association looks like it will continue for some years. With call centers already the focus of security concerns around keeping data safe, the Srikanth Murthy case is a salutatory reminder that it's also important to keep safe the people who work with that data.
"The reputational risk is enormous," says Patrick Chagnon, manager of corporate intelligence and investigation at Shelton, Conn.-headquartered security consultancy SSC. "Having employees attacked or robbed at gunpoint isn't good: People worry that if you can't protect yourselves, how can you protect others—and their data?"
The trouble is, as regular news reports highlight, there's not only ample evidence that call center operators are indeed failing to keep safe the data that they should be protecting, but also that their employees run a higher-than-average risk of attack.
"Attacks do happen, and happen all too frequently," says David Brown, managing consultant for security advisory services at Skokie, Illinois-based consultancy Forsythe Solutions Group. "It's like ATMs late at night, or mall parking lots—call center employees are vulnerable because call centers are frequently 24-hour operations, and often located in industrial or sparsely populated office park areas."
What's more, adds John Beale, managing director of London, U.K.-based Security Alliance, a consortium of specialist information security vendors, the physical security measures—and security personnel—that are in place at call centers are usually focused on another mission altogether: making sure employees are carrying in or out data storage media. "It's not so much about protecting the employees—it's more about protecting the data," he says.
Talk to experts, in fact, and a depressing list of call center security vulnerabilities emerges—poorly protected people, poorly protected data and poorly protected systems.
"When companies undertake penetration testing and audits of their call center's operations, one of the things that stands out is the sheer number of people who are no longer employed by the organization, but who still have access rights to its computer networks and systems," says Winn Schwartau, founder of security awareness certification company SCIPP International, and an information security expert who has testified before Congress. "Discovering that someone who left two to three years ago still has access rights is the norm—it's not even a horror story."
And according to experts like Schwartau, in many organizations three distinct aspects of call center security are in urgent need of review, and—if necessary—repair. These are: revocation of building and/or network access in a timely manner for people no longer employed by the organization; better control of call center agents' access to customer financial data such as credit card and bank account details; and—of course—the physical security and protection of those agents.