In Depth
Call Center Security: How to Protect Employees and Customers
For many companies, call centers are the heartbeat of the business. So they require CSOs to strike a balance of physical and digital security measures for employees and customers alike.
By Malcolm Wheatley
Danger: Parking Lot
And what of security outside the call center—the parking lot, for instance? Self-help is important here, says SSC's Chagnon. "Encourage people to use a buddy system so people aren't walking out to their cars on their own at 2 a.m.," he says. "Get them to leave the building together and try to park close to each other."
But employer provision counts, too. "Open, well-lit parking lots with good visibility in all directions are a good idea—and ideally, parking lots with controlled access," he adds. "Our recommendation is to push security out to the parking lot perimeter."
Good nighttime lighting is crucial, agrees Forsythe Solutions Group's Brown. "Monitoring cameras are helpful, too, as are panic buttons on lamp poles," he says. "So too are live bodies that can physically respond if a button is pressed, or the camera sees something untoward."
Standard Procedure
Whether they relate to safe parking lots or access right revocation, recommendations like these aren't new. Many pertaining to information protection are found in security standards including the aforementioned PCI DSS, as well as ISO 27001 and its best-practice counterpart ISO 27002. What's lacking, says Gerhard Knecht, director and CSO of Unisys, is monitoring and compliance—not a basic understanding of what to do.
As a result, all of the call centers that Knecht is responsible for—some 14, ranging from Bogota to Budapest, and Sydney to São Paulo and Salt Lake City—are certified to ISO 27001. "But this just specifies a minimum standard," he stresses. "In practice, we're aiming for something higher." Accordingly, each center must complete a quarterly maturity profile audit covering 91 separate questions, each with four "response scenarios"—with each response scenario equating to a given maturity level.
In terms of access rights revocation, for instance, the maturity profile requires call centers to revoke access not just when someone has left the organization, but when they have moved departments. "Eighty-six of the questions come from ISO 27002; five come from the requirements of Sarbanes-Oxley," says Knecht. "For each question, each call center has to specify which level of security maturity applies—based on the response scenarios—and then justify that assessment."
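The revocation rule above (pull access on departure and on a department move, not only on departure) is the kind of control that auditors check by reconciling the HR feed against the entitlement store. The script below is an added illustration, not Unisys's tooling or part of the original article. It assumes a hypothetical naming convention in which each group is prefixed with the department that owns it ("billing-crm", "support-ticketing"); the HR feed and entitlement records are constructed sample data.

```python
# Added example: reconcile an HR feed against an entitlement store and flag
# access that should have been revoked. Not from the article or Unisys.
#
# Assumption (hypothetical convention): groups are named "<dept>-<resource>",
# so the owning department of a group can be read from its prefix.

# Constructed HR feed: current employment state per user.
HR_FEED = [
    {"user": "alice", "status": "active", "dept": "billing"},
    {"user": "bob", "status": "active", "dept": "support"},      # moved from billing
    {"user": "carol", "status": "terminated", "dept": "billing"},
    {"user": "dave", "status": "active", "dept": "support"},
]

# Constructed entitlement store: groups each account still holds.
ENTITLEMENTS = {
    "alice": {"billing-crm", "billing-payments"},
    "bob": {"billing-crm", "support-ticketing"},   # old-department group never revoked
    "carol": {"billing-crm"},                      # leaver still has access
    "dave": {"support-ticketing"},
    "erin": {"support-ticketing"},                 # no HR record at all
}


def dept_of_group(group):
    """Return the department prefix of a group name (assumed convention)."""
    return group.split("-", 1)[0]


def find_stale_access(hr_feed, entitlements):
    """Return (user, reason, groups) for every account whose access is stale.

    reason is one of:
      "orphan" - account exists in the entitlement store but not in HR
      "leaver" - HR status is not active, yet the account still holds groups
      "mover"  - active user holding groups owned by a department other than
                 the one HR now assigns them to
    """
    hr = {rec["user"]: rec for rec in hr_feed}
    findings = []
    for user, groups in entitlements.items():
        rec = hr.get(user)
        if rec is None:
            findings.append((user, "orphan", sorted(groups)))
            continue
        if rec["status"] != "active":
            findings.append((user, "leaver", sorted(groups)))
            continue
        stale = sorted(g for g in groups if dept_of_group(g) != rec["dept"])
        if stale:
            findings.append((user, "mover", stale))
    return findings


def plan_revocations(findings):
    """Flatten findings into concrete (user, group) revocation actions."""
    return [(user, group) for user, _reason, groups in findings for group in groups]


if __name__ == "__main__":
    for user, reason, groups in find_stale_access(HR_FEED, ENTITLEMENTS):
        print(f"{user:6} {reason:6} revoke: {', '.join(groups)}")
```

Run quarterly (or on every HR change event), the output is the evidence an auditor asks for: every account flagged "mover" is a department transfer whose old-department access survived, which is exactly the gap the maturity profile is meant to catch.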
What's interesting, he notes, is that so few Unisys customers proactively ask the same questions. Even so, he says, "I send our clients the maturity metrics on a regular basis and encourage them to come and audit them." Such apparent indifference is surprising, he adds: Regulatory regimes such as Sarbanes-Oxley are quite clear—companies can outsource an activity, but can't outsource the accountability for security that goes with that activity.