The looming deadline for the European General Data Protection Regulation (GDPR) is just the latest of a long string of compliance concerns for businesses, building on the established data protection and security concerns of the Payment Card Industry (PCI) standards. Securing customers’ sensitive data is receiving more attention than it has for a long time, perhaps ever.
The common idea of data protection fixates on how that data is stored and protected. Yet true protection and security starts at the very edge of an organisation. For instance, when customer contact centres take customers’ payment details or record sensitive personal information, how will the business ensure those customers – and the business itself – are protected?
Knowing the risks
At this first point of contact, data faces several risks, both intentional and accidental. For instance, a call centre worker could, whether through poor training or simple human error, record more of a customer's payment card data than the PCI standards allow, or store that data on less secure infrastructure.
Similarly, the GDPR places specific limitations on when and how organisations can store data, as well as how long it can be stored for and how it should be protected.
On top of this, businesses need to be ready to share data with customers, or with other organisations, if the customer requests it: a request that will often come to the contact centre first.
The risk isn’t limited to factors inside the organisation. Attackers might see the contact centre as the weakest link in an organisation’s security – where the combination of vast potential for human error with the need to make data accessible could provide an easy route into an organisation.
With PCI penalties growing exponentially – depending on the amount of data put at risk, and the time to identify and rectify any issues – and GDPR penalties easily ranging into the millions of euros, the financial consequences alone can be catastrophic for businesses.
Add to this the risk of reputation damage and it’s clear that organisations need to ensure they are protecting customers and their data at the very edge of the organisation.
Businesses can do a lot to protect their customers, and themselves, by ensuring they are using communications correctly. Any call centre will have best practices and protocols that workers must follow to ensure data is protected.
If the organisation unifies its communications, ensuring it has oversight over every channel that enters the contact centre, from messaging to voice to the forms workers use to record data, it can massively reduce the risk of human error or any malicious attempt to mis-record information.
A well-designed unified communications (UC) solution can record all communications, so the organisation can prove that it and its workers are not at fault, or quickly identify genuinely malicious activity. It can also help ensure that sensitive information, such as credit card details, is recorded only in the right location and in the correct format, which leaves much less risk of workers capturing or sharing too much.
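As an added example, not code from the original article or from 3CX, one way a contact-centre wrap-up form could enforce the PCI-permitted format before an agent's note is stored: card numbers are cut down to the first six and last four digits, and CVV values, which must never be retained after authorisation, are dropped. The sample note, the pattern names and the helper functions are constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample wrap-up note (the card number is a standard test PAN
# that passes the Luhn check; the order reference is 13 digits but does not).
SAMPLE_NOTE = (
    "Customer paid with card 4111 1111 1111 1111, exp 12/26, CVV 123. "
    "Order ref 1234567890123 confirmed."
)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell a card number from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# Runs of 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# CVV/CVC labels followed by a 3- or 4-digit code.
CVV_RE = re.compile(r"\b(?:cvv2|cvv|cvc|security code)\s*:?\s*\d{3,4}\b", re.I)

def redact_note(note: str) -> Tuple[str, List[str]]:
    """Return the note with PANs truncated to first six + last four digits
    and CVV values removed, plus a list of findings for the compliance log."""
    findings: List[str] = []

    def mask(m: "re.Match") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # an order reference, not a card number
        findings.append(f"PAN truncated ({len(digits)} digits)")
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

    cleaned = PAN_RE.sub(mask, note)
    if CVV_RE.search(cleaned):
        findings.append("CVV removed")
        cleaned = CVV_RE.sub("[CVV removed]", cleaned)
    return cleaned, findings

if __name__ == "__main__":
    text, log = redact_note(SAMPLE_NOTE)
    print(text)
    print(log)
```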
Similarly, workers can be restricted to only communicating with customers, and one another, over selected channels at certain times – again reducing the chances of accidentally sharing data.
Using UC to reduce the risks of human error will help deal with one point of weakness. However, organisations still need to be wary of external attacks. The first likely target of any attack against the contact centre will be the workers themselves: if they can be tricked into giving up sensitive information, the attack will be much harder to spot.
Controlling communications will go a long way to defend against this, but workers are not the only weak point. Particularly as older telephone lines are discontinued and replaced with IP connections via SIP trunking, the connection between any network and the wider internet is a hugely tempting target for attackers, and a corresponding threat to data protection compliance.
Any data protection strategy should recognise this connection as a major potential risk. After all, even if a successful attack doesn’t affect customer details it can have other implications – for instance, hijacking workers’ VoIP phones to turn them into a robo-calling network.
Control is, again, an important part of protecting the connection from attackers. Access to the IP connection shouldn’t be a free-for-all: it’s much easier to protect a known number of known devices, whether VoIP phones or workstations, than a constantly expanding and shrinking network. Control can also reduce the impact of a successful attack.
If devices only allow highly specific tasks, and one-way communication, the risk of them being used to steal data is similarly reduced. There are also more obviously technical means to protect the connection – for instance, encrypting data and communications and monitoring for any suspicious behaviour that might be the first sign of a threat.
Organisations should ask just how much security their SIP trunk has, and whether more needs to be layered on top – for example, does the SIP trunk recognise, detect and reject known attack tools?
Compliance – imposition or opportunity?
Good compliance is designed to foster best practice that protects consumers and customers, and helps the business work better. In the face of PCI, GDPR and data protection regulations yet to come, businesses that support their customer relations with a UC strategy based around control and security will soon see the benefits.
Sourced from Paul Clarke, UK Manager at 3CX