In Depth

Call Center Security: How to Protect Employees and Customers

For many companies, call centers are the heartbeat of the business. So they require CSOs to strike a balance of physical and digital security measures for employees and customers alike.

By Malcolm Wheatley


Access Denied

Take access right revocation, for instance. It's not that companies don't recognize the need to revoke access, says Schwartau—it's that they tend to lack the means to make it happen as consistently as it should. "It may well be the human resource function's policy to revoke access—but human resources doesn't control the network," he says. "The result is that human resources has a checklist, but not the means to enforce it."

The answer, says Forsythe Solutions Group's Brown, is to replace lax enforcement with a process "that is extremely well-defined, and which takes into account the various scenarios that may come to pass. When someone retires, it's a very different set of circumstances from someone being dismissed with due cause."

And in the case of such "due cause" dismissal, he adds—especially when the due cause includes data manipulation or data theft—the procedures to be followed should include having physical security personnel in attendance (to prevent system access and to escort off premises), as well as legal personnel, law enforcement liaison, press relations and potentially even crisis management, depending on the likely scale of the illicit activity uncovered. "It's important to have those procedures well defined," stresses Brown. "Not because you might need to invoke them, but because you will need to invoke them. These things happen, and are happening more frequently. There's an emerging sense of value in terms of the data that call centers hold—and the greater that sense of value, the greater the risk."

Greater risk also manifests itself in organizations using single sign-on system log-in, adds SCIPP International's Schwartau. While offering productivity gains, single sign-on increases the risk of data loss (or damage) in the case of password theft or misuse. "With single sign-on, one password provides access to multiple systems," he observes. "When an individual leaves the employment of an organization using single sign-on, it's vitally important that revocation takes place—and when that individual has been terminated, takes place instantly."

Keeping Call Centers Safe and Secure

When it comes to keeping financial data safe and secure, the reputational cost of information theft and misuse is immense. So it pays to get the basics right—starting with hiring checks. "Typically, employers do a surface scan—that often isn't thorough enough—and then don't follow through," says Greg Boles, Irvine, Calif.-based director and leader of threat management and security services for risk management advisory firm Aon Consulting.

"What they should do is a very thorough background check, and then make it a condition of employment that continual background checks and drug testing take place. If there's financial stress, or domestic violence, or the breaking of restraining orders, or drug dependency—then there's a risk that individuals might be motivated to abuse their position."

And if individuals are motivated to steal information, the next line of defense is to make data theft as difficult as possible. To start, says Boles, it's important to restrict the devices that are allowed into call centers—essentially banning anything that can load data digitally, such as CD-ROMs, USB thumb drives and floppy disks. It's important, too, he adds, to restrict less obvious ways of skimming off confidential information, such as cameras—and cell phones containing cameras—which can be used to take screenshots.

As well as posing a risk, technology can also help mitigate that risk. Thin clients and virtual machines, for instance, allow call center operators to impose far more control over what agents' desktops can—and more importantly, can't—do. So can software solutions which prohibit downloading by individuals without the appropriate permissions.

But these are backstops, stresses Howard Schmidt, a former CISO for Microsoft and eBay, who these days serves on the board of (ISC)². "The basics have to come first," he says. Included in Schmidt's compendium of "basics"—in addition to controls such as employee screening, device prohibition and so on—is data "redaction": only displaying on agents' screens parts of data fields such as credit card numbers and dates of birth, never the whole number or date. "Agents rarely need such information, so it makes sense to limit access to it. In most situations, the last four digits of a card number, or the month and year of birth, is all that is required."

Indeed, such redaction is one of the recommendations of the Payment Card Industry's global Data Security Standard, promulgated by member firms such as Visa, MasterCard and American Express, precisely in order to make the theft of payment card data more difficult. The formation of the industry's Security Standards Council, says Bob Russo, its general manager, reflected the recognition by the member firms that one industrywide digital data security standard was likely to be stronger than five or more different approaches.

Published in December 2004 as version 1.0—and updated to version 1.1 in September 2006—PCI DSS should be followed by any call center dealing with card payments, says Russo. "Basically, if a call center stores, processes or transmits credit card data, then they are in scope [of the requirement to comply with the standard]," he says. While compliance is mandatory, he adds, only so-called "Level 1" call centers—those processing more than 6 million card transactions per year—actually have to prove that compliance through audits.
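As an added illustration (not code from the article or from any organization quoted in it), the Python below shows how the field-level redaction Schmidt describes could be applied to an agent's view of a caller record: all but the last four digits of a card number are masked with the original spacing kept, a date of birth is reduced to month and year, and anything that does not look like a card number is masked entirely rather than shown. The function names and the sample record are constructed for this example.

```python
import re
from datetime import date

# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"^[0-9][0-9 -]{11,21}[0-9]$")


def redact_pan(pan: str, keep_last: int = 4, mask_char: str = "*") -> str:
    """Mask every digit of a card number except the last `keep_last`.

    Separators are preserved so the masked value lines up with the original
    on screen. Input that does not look like a card number (wrong length or
    unexpected characters) is masked completely: fail closed, show nothing.
    """
    digits = [c for c in pan if c.isdigit()]
    if not PAN_RE.match(pan) or not 13 <= len(digits) <= 19:
        return mask_char * len(pan)
    to_mask = len(digits) - keep_last
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            out.append(mask_char if seen < to_mask else c)
            seen += 1
        else:
            out.append(c)  # keep the space or dash as-is
    return "".join(out)


def redact_dob(dob) -> str:
    """Reduce a date of birth (date or ISO 'YYYY-MM-DD' string) to 'YYYY-MM'."""
    if isinstance(dob, str):
        dob = date.fromisoformat(dob)  # raises ValueError on malformed input
    return f"{dob.year:04d}-{dob.month:02d}"


def redact_record(record: dict) -> dict:
    """Return a copy of a caller record with the sensitive fields redacted."""
    shown = dict(record)
    if "pan" in shown:
        shown["pan"] = redact_pan(shown["pan"])
    if "dob" in shown:
        shown["dob"] = redact_dob(shown["dob"])
    return shown


if __name__ == "__main__":
    # Constructed sample record; the card number is a made-up test value.
    caller = {"name": "A. Example", "pan": "4111 1111 1111 1111", "dob": "1980-07-14"}
    print(redact_record(caller))
    # {'name': 'A. Example', 'pan': '**** **** **** 1111', 'dob': '1980-07'}
```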
