You can spell ‘compliance’ without UC – but should you?

Compliance is a topic at the forefront of everyone’s minds - as GDPR is added to the list of regulations businesses need to keep on top of.

The looming deadline for the European General Data Protection Regulation (GDPR) is just the latest of a long string of compliance concerns for businesses, building on the established data protection and security concerns of the Payment Card Industry (PCI) standards. Securing customers’ sensitive data is receiving more attention than it has for a long time, perhaps ever.

>See also: For the many, not the few: A unified communications how-to

The common idea of data protection fixates on how that data is stored and protected. Yet true protection and security starts at the very edge of an organisation. For instance, when customer contact centres take customers’ payment details or record sensitive personal information, how will the business ensure those customers – and the business itself – are protected?

Knowing the risks

At this first point of contact, data faces several risks: both intentional and accidental. For instance, a call centre worker could, whether through poor training or simple human error, record more of a customers’ payment card data than they are allowed to by the PCI – or even store that data on less-secure infrastructure.

Similarly, the GDPR places specific limitations on when and how organisations can store data, as well as how long it can be stored for and how it should be protected.

On top of this, businesses need to be ready to share data with customers, or with other organisations, if the customer requests it: a request that will often come to the contact centre first.

The risk isn’t limited to factors inside the organisation. Attackers might see the contact centre as the weakest link in an organisation’s security – where the combination of vast potential for human error with the need to make data accessible could provide an easy route into an organisation.

>See also: The future of unified communications

With PCI penalties growing exponentially – depending on the amount of data put at risk, and the time to identify and rectify any issues – and GDPR penalties easily ranging into the millions of euros, the financial consequences alone can be catastrophic for businesses.

Add to this the risk of reputation damage and it’s clear that organisations need to ensure they are protecting customers and their data at the very edge of the organisation.

Taking control

Businesses can do a lot to protect their customers, and themselves, by ensuring they are using communications correctly. Any call centre will have best practices and protocols that workers must follow to ensure data is protected.

If the organisation unifies its communications, ensuring it has oversight over every channel that enters the contact centre, from messaging to voice to the forms workers use to record data, it can massively reduce the risk of human error or any malicious attempt to mis-record information.

Not only can a well-designed unified communications (UC) solution record all communications, so the organisation can prove it and its workers are not at fault – or quickly identify any truly malicious activity.

>See also: With unified communications simplicity is the ultimate sophistication

It can also help ensure that sensitive information, such as credit card details, is only recorded in the right location, in the correct format; meaning much less risk of workers sharing too much.

Similarly, workers can be restricted to only communicating with customers, and one another, over selected channels at certain times – again reducing the chances of accidentally sharing data.

Protecting weak-points

Using UC to reduce the risks of human activity will help deal with one point of weakness. However, organisations still need to be wary of external attacks. The first likely target of any attack against the contact centre will be the workers themselves: if they can be tricked into giving up sensitive information, the attack will be much harder to spot.

Controlling communications will go a long way to defend against this, but workers are not the only weak point. Particularly as older telephone lines are discontinued and replaced with IP connections via SIP trunking, the connection between any network and the wider internet is a hugely tempting target for attackers, and a corresponding threat to data protection compliance.

Any data protection strategy should recognise this connection as a major potential risk. After all, even if a successful attack doesn’t affect customer details it can have other implications – for instance, hijacking workers’ VoIP phones to turn them into a robo-calling network.

Control is, again, an important part of protecting the connection from attackers. Access to the IP connection shouldn’t be a free-for-all: it’s much easier to protect a known number of known devices, whether VoIP phones or workstations, than a constantly expanding and shrinking network. Control can also reduce the impact of a successful attack.

>See also: The rise of unified communications

If devices only allow highly specific tasks, and one-way communication, the risk of them being used to steal data is similarly reduced. There are also more obviously technical means to protect the connection – for instance, encrypting data and communications and monitoring for any suspicious behaviour that might be the first sign of a threat.

Organisations should ask just how much security their SIP trunk has, and whether more needs to be layered on top – for example, does the SIP trunk recognise, detect and reject known attack tools?

Compliance – imposition or opportunity?

Good compliance is designed to foster best practice that protects consumers and customers, and helps the business work better. In the face of PCI, GDPR and data protection regulations yet to come, businesses that support their customer relations with a UC strategy based around control and security will soon see the benefits.

 

Sourced from Paul Clarke, UK Manager at 3CX

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...