Call Center Security: How to Protect Employees and Customers

For many companies, call centers are the heartbeat of the business. So they require CSOs to strike a balance of physical and digital security measures for employees and customers alike.

The need for call center security occasionally is driven home in a tragic way.

Pratibha Srikanth Murthy, 24, was raped and murdered on her way to work at a Bangalore call center in the early hours of December 13, 2005. But the court proceedings that gripped India in February this year weren't the trial of her alleged assailant, cab driver Shiv Kumar. Instead, the case focused on her ultimate superior at work, Som Mittal—the managing director of call center operator Hewlett-Packard GlobalSoft in 2005, when Srikanth Murthy was killed.

Now the president of India's National Association of Software and Services Companies (Nasscom), the main industry body for the country's vast outsourcing and call center industry, Mittal has been charged under Indian laws that require certain businesses to provide safe transport for female employees traveling to and from the office at night. Ironically, Nasscom itself helped to draw up guidelines for such transport, which include requirements for guards to accompany drivers in company taxis, and that female employees should not be the first to be picked up or the last dropped off.

And with India's Supreme Court rejecting in February a challenge to the case being brought, the stage is now set for Mittal—and by implication, Hewlett-Packard GlobalSoft—to face trial. If found guilty, he would face a fine of 1,000 rupees (around $25) and would get a criminal record.

Thankfully, fatal attacks such as that on Srikanth Murthy are relatively rare. But almost three years after the murder, the name of Hewlett-Packard GlobalSoft is still being associated with the case—and that association looks like it will continue for some years. With call centers already the focus of security concerns around keeping data safe, the Srikanth Murthy case is a salutary reminder that it's also important to keep safe the people who work with that data.

"The reputational risk is enormous," says Patrick Chagnon, manager of corporate intelligence and investigation at Shelton, Conn.-headquartered security consultancy SSC. "Having employees attacked or robbed at gunpoint isn't good: People worry that if you can't protect yourselves, how can you protect others—and their data?"

The trouble is, as regular news reports highlight, there's not only ample evidence that call center operators are indeed failing to keep safe the data that they should be protecting, but also that their employees run a higher-than-average risk of attack.

"Attacks do happen, and happen all too frequently," says David Brown, managing consultant for security advisory services at Skokie, Illinois-based consultancy Forsythe Solutions Group. "It's like ATMs late at night, or mall parking lots—call center employees are vulnerable because call centers are frequently 24-hour operations, and often located in industrial or sparsely populated office park areas."

What's more, adds John Beale, managing director of London, U.K.-based Security Alliance, a consortium of specialist information security vendors, the physical security measures—and security personnel—that are in place at call centers are usually focused on another mission altogether: making sure employees aren't carrying data storage media in or out. "It's not so much about protecting the employees—it's more about protecting the data," he says.

Talk to experts, in fact, and a depressing list of call center security vulnerabilities emerges—poorly protected people, poorly protected data and poorly protected systems.

"When companies undertake penetration testing and audits of their call center's operations, one of the things that stands out is the sheer number of people who are no longer employed by the organization, but who still have access rights to its computer networks and systems," says Winn Schwartau, founder of security awareness certification company SCIPP International, and an information security expert who has testified before Congress. "Discovering that someone who left two to three years ago still has access rights is the norm—it's not even a horror story."

And according to experts like Schwartau, in many organizations three distinct aspects of call center security are in urgent need of review, and—if necessary—repair. These are: revocation of building and/or network access in a timely manner for people no longer employed by the organization; better control of call center agents' access to customer financial data such as credit card and bank account details; and—of course—the physical security and protection of those agents.

Access Denied

Take access right revocation, for instance. It's not that companies don't recognize the need to revoke access, says Schwartau—it's that they tend to lack the means to make it happen as consistently as it should. "It may well be the human resource function's policy to revoke access—but human resources doesn't control the network," he says. "The result is that human resources has a checklist, but not the means to enforce it."

The answer, says Forsythe Solutions Group's Brown, is to replace lax enforcement with a process "that is extremely well-defined, and which takes into account the various scenarios that may come to pass. When someone retires, it's a very different set of circumstances from someone being dismissed with due cause."

And in the case of such "due cause" dismissal, he adds—especially when the due cause includes data manipulation or data theft—the procedures to be followed should include having physical security personnel in attendance (to prevent system access and to escort off premises), as well as legal personnel, law enforcement liaison, press relations and potentially even crisis management, depending on the likely scale of the illicit activity uncovered.

"It's important to have those procedures well defined," stresses Brown. "Not because you might need to invoke them, but because you will need to invoke them. These things happen, and are happening more frequently. There's an emerging sense of value in terms of the data that call centers hold—and the greater that sense of value, the greater the risk."

Greater risk also manifests itself in organizations using single sign-on system log-in, adds SCIPP International's Schwartau. While offering productivity gains, single sign-on increases the risk of data loss (or damage) in the case of password theft or misuse. "With single sign-on, one password provides access to multiple systems," he observes. "When an individual leaves the employment of an organization using single sign-on, it's vitally important that revocation takes place—and when that individual has been terminated, takes place instantly."
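One way to close the gap described above, between the HR checklist and the systems that actually grant access, is to reconcile the two on a schedule. This is an added example, not code from the article or from any organization it names; the roster and account fields, the group-to-department mapping and all sample data are constructed assumptions, and the check also flags access kept after a department move.

```python
from datetime import date

# Constructed sample data: an HR roster export and a directory account export.
AUDIT_DATE = date(2008, 6, 1)
HR_ROSTER = [
    {"emp_id": "E100", "status": "active", "department": "billing", "end_date": None},
    {"emp_id": "E101", "status": "terminated", "department": "billing", "end_date": date(2006, 3, 1)},
    {"emp_id": "E102", "status": "retired", "department": "support", "end_date": date(2008, 5, 30)},
    {"emp_id": "E103", "status": "active", "department": "support", "end_date": None},
]
ACCOUNTS = [
    {"login": "asmith", "emp_id": "E100", "enabled": True, "groups": {"billing-crm"}},
    {"login": "bjones", "emp_id": "E101", "enabled": True, "groups": {"billing-crm", "sso"}},
    {"login": "cwu", "emp_id": "E102", "enabled": False, "groups": {"support-desk"}},
    {"login": "dlee", "emp_id": "E103", "enabled": True, "groups": {"billing-crm", "support-desk"}},
    {"login": "svc-old", "emp_id": "E999", "enabled": True, "groups": {"billing-crm"}},
]
# Hypothetical mapping of access groups to the department entitled to them.
GROUP_OWNER = {"billing-crm": "billing", "support-desk": "support"}


def find_stale_access(roster, accounts, today):
    """Return (login, reason, days_since_departure) for every enabled account
    that HR data says should no longer hold the access it has."""
    by_id = {person["emp_id"]: person for person in roster}
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already revoked
        person = by_id.get(acct["emp_id"])
        if person is None:
            # Account with no owner on the roster: nobody will ever offboard it.
            findings.append((acct["login"], "no HR record", None))
        elif person["status"] != "active":
            # Leaver (any reason) whose account is still live.
            days = (today - person["end_date"]).days
            findings.append((acct["login"], "leaver still enabled", days))
        else:
            # Current employee holding a group owned by another department.
            for group in sorted(acct["groups"]):
                owner = GROUP_OWNER.get(group)
                if owner and owner != person["department"]:
                    findings.append((acct["login"], f"mover retains {group}", None))
    return findings


if __name__ == "__main__":
    for finding in find_stale_access(HR_ROSTER, ACCOUNTS, AUDIT_DATE):
        print(finding)
```

Sorting the leaver findings by days since departure gives a simple measure of how long revocation is actually taking.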

Keeping Call Centers Safe and Secure

When it comes to keeping financial data safe and secure, the reputational cost of information theft and misuse is immense. So it pays to get the basics right—starting with hiring checks. "Typically, employers do a surface scan—that often isn't thorough enough—and then don't follow through," says Greg Boles, Irvine, Calif.-based director and leader of threat management and security services for risk management advisory firm Aon Consulting.

"What they should do is a very thorough background check, and then make it a condition of employment that continual background checks and drug testing take place. If there's financial stress, or domestic violence, or the breaking of restraining orders, or drug dependency—then there's a risk that individuals might be motivated to abuse their position."

And if individuals are motivated to steal information, the next line of defense is to make data theft as difficult as possible. To start, says Boles, it's important to restrict the devices that are allowed into call centers—essentially banning anything that can load data digitally, such as CD-ROMs, USB thumb drives and floppy disks. It's important, too, he adds, to also restrict less obvious ways of skimming off confidential information, such as cameras—and cell phones containing cameras—which can be used to take screen-shots.

As well as posing a risk, technology can also help mitigate that risk. Thin clients and virtual machines, for instance, allow call center operators to impose far more control over what agents' desktops can—and more importantly, can't—do. So can software solutions which prohibit downloading by individuals without the appropriate permissions.

But these are backstops, stresses Howard Schmidt, a former CISO for Microsoft and eBay, who these days serves on the board of (ISC)². "The basics have to come first," he says. Included in Schmidt's compendium of "basics"—in addition to controls such as employee screening, device prohibition and so on—is data "redaction": only displaying on agents' screens parts of data fields such as credit card numbers and dates of birth, never the whole number or date. "Agents rarely need such information, so it makes sense to limit access to it. In most situations, the last four digits of a card number, or the month and year of birth, is all that is required."

Indeed, such redaction is one of the recommendations of the Payment Card Industry's global Data Security Standard, promulgated by member firms such as Visa, MasterCard and American Express, precisely in order to make the theft of payment card data more difficult. The formation of the industry's Security Standards Council, says Bob Russo, its general manager, reflected the recognition by the member firms that one industrywide digital data security standard was likely to be stronger than five or more different approaches.

Published in December 2004 as version 1.0—and updated to version 1.1 in September 2006—PCI DSS should be followed by any call center dealing with card payments, says Russo. "Basically, if a call center stores, processes or transmits credit card data, then they are in scope [of the requirement to comply with the standard]," he says. While compliance is mandatory, he adds, only so-called "Level 1" call centers—those processing more than 6 million card transactions per year—actually have to prove that compliance through audits.
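The redaction described above, applied server-side before a record reaches an agent's screen, could look like the following. This is an added example, not code from the article or from the PCI standard; the record layout and field names are assumptions, the sample record is constructed, and the free-text scrubbing goes one step beyond the fields the article names.

```python
import re

# Candidate card numbers in free text: 13 to 19 digits, optional space/dash separators.
PAN_IN_TEXT = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum, used so order references and the like are not masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep only the last four digits of a card number."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub_notes(text):
    """Mask card numbers an agent or caller typed into a free-text field."""
    def repl(match):
        digits = re.sub(r"\D", "", match.group())
        return mask_pan(digits) if luhn_ok(digits) else match.group()
    return PAN_IN_TEXT.sub(repl, text)


def agent_view(record):
    """Build the copy of a customer record that is sent to the agent desktop."""
    view = dict(record)
    view["card_number"] = mask_pan(record["card_number"])
    year, month, _day = record["date_of_birth"].split("-")
    view["date_of_birth"] = f"{year}-{month}"  # month and year only
    view["notes"] = scrub_notes(record["notes"])
    return view


# Constructed record; 4111 1111 1111 1111 is a widely used test card number.
RECORD = {
    "name": "Sample Customer",
    "card_number": "4111 1111 1111 1111",
    "date_of_birth": "1975-08-23",
    "notes": "Caller read card 4111-1111-1111-1111 aloud; order ref 1234567890123456.",
}

if __name__ == "__main__":
    print(agent_view(RECORD))
```

Because the masking happens before the data leaves the server, a camera pointed at the screen or a copied desktop session yields only the truncated values.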

Danger: Parking Lot

And what of security outside the call center—the parking lot, for instance? Self help is important here, says SSC's Chagnon. "Encourage people to use a buddy system so people aren't walking out to their cars on their own at 2 a.m.," he says. "Get them to leave the building together and try to park close to each other."

But employer provision counts, too. "Open, well-lit parking lots with good visibility in all directions is a good idea—and ideally, parking lots with controlled access," he adds. "Our recommendation is to push security out to the parking lot perimeter."

Good nighttime lighting is crucial, agrees Forsythe Solutions Group's Brown. "Monitoring cameras are helpful, too, as are panic buttons on lamp poles," he says. "So too are live bodies that can physically respond if a button is pressed, or the camera sees something untoward."

Standard Procedure

Whether it's relating to safe parking lots or access right revocation, recommendations like these aren't new. Many pertaining to information protection are found in security standards including the aforementioned PCI DSS, as well as ISO 27001 and its best-practice counterpart ISO 27002. What's lacking, says Gerhard Knecht, director and CSO of Unisys, is monitoring and compliance—not a basic understanding of what to do.

As a result, all of the call centers that Knecht is responsible for—some 14, ranging from Bogota to Budapest, and Sydney to Sao Paulo and Salt Lake City—are certified to ISO 27001. "But this just specifies a minimum standard," he stresses. "In practice, we're aiming for something higher." Accordingly, each center must complete a quarterly maturity profile audit covering 91 separate questions, each with four "response scenarios"—with each response scenario equating to a given maturity level.

In terms of access rights revocation, for instance, the maturity profile requires call centers to revoke access not just when someone has left the organization, but when they have moved departments. "Eighty-six of the questions come from ISO 27002; five come from the requirements of Sarbanes-Oxley," says Knecht. "For each question, each call center has to specify which level of security maturity applies—based on the response scenarios—and then justify that assessment."

What's interesting, he notes, is that so few Unisys customers proactively ask the same questions. Even so, he says, "I send our clients the maturity metrics on a regular basis and encourage them to come and audit them." Such apparent indifference is surprising, he adds: Regulatory regimes such as Sarbanes-Oxley are quite clear—companies can outsource an activity, but can't outsource the accountability for security that goes with that activity.

Copyright © 2008 IDG Communications, Inc.
