Is Your Contact Center [Secure]?



Security is front of mind for a lot of organizations these days, especially due to the 400% increase in cyberattacks since the pandemic started. Notable and alarming attacks include those on the federal government, with nation-state threat actors using existing third-party tools as vehicles for intrusion. Your customer’s contact center is no exception – they’re facing standard cybersecurity attacks, such as DDoS attacks, but are also seeing an increase in attacks targeting customers’ personal data. If they are using a cloud-based contact center managed and maintained in a data center, these threats can increase; even more so if they outsource contact center agents, increasing points of access and areas of liability.


Determining the best option for your customer and their organization can be difficult, but this article is designed to give you some modern concepts and best practices that should be applied, regardless of whether their contact center is staying on premise or in the cloud.


PCI compliance


No amount of contact center technology will guarantee that your customer is in full PCI compliance, since the scope of compliance goes beyond the contact center to ensure no sensitive financial data is ever made available to inappropriate or malicious parties. Limiting access by agents and securely storing call center records helps keep data protected and mitigates PCI concerns.


One way to accomplish this is to create an interface to which agents can transfer callers: it takes the customer’s payment data, processes it, and then transfers the caller back to the agent once the transaction is complete. If this can be done by an independent outsourced agent, that is best, so that data is never stored with the customer, only shared with the financial institution facilitating the payment. This is preferred over having the caller share their information with your customer, which involves your customer in the direct handling of sensitive data. This also prevents agents from writing down sensitive information offline, and prevents other employees, including IT admins, from having access to log files showing private financial information.


Data Management


The data that your customer is storing and transmitting should always be encrypted; encryption is an important layer of security. This makes it more difficult for sensitive data to be viewed without the encryption keys, further demonstrating the business’ commitment to keeping customer data protected. The best practice is to avoid storing or transmitting sensitive customer data if possible; if you must store it, try to store it for short durations and then permanently purge it, or find a way to move it to another secure location for long-term archival. It is important for a business to evaluate if data needs to be stored – do they need to keep the customer’s social security number on file or can they instantly purge sensitive data?


Many businesses have a CRM integration capturing this information in real-time, making it unnecessary to store. Additionally, if call recording is mandated for security purposes, find a way to transcribe these recordings to isolate sensitive data. Then, using an automated or manual process, delete or relocate this data on a continual basis.

Businesses should also see if there is a more secure way to acquire this data, such as having the customer submit the data in a secure system or only provide limited digits, versus providing all information to a live agent.
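One way to automate the transcript clean-up and "limited digits" ideas described above, shown as an added example rather than code from the original article. It assumes recordings have already been transcribed to plain text with numbers rendered as digits; the function names and the sample transcript are constructed for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally split by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# US social security number written with separators (assumed transcript format).
SSN_RE = re.compile(r"(?<!\d)\d{3}[ -]\d{2}[ -]\d{4}(?!\d)")

# Constructed sample transcript; the card number is a well-known test value.
SAMPLE = ("Agent: can I have the card number? Caller: sure, it's "
          "4111 1111 1111 1111. My social is 078-05-1120 and my order "
          "number is 1234567890123.")


def luhn_ok(digits):
    """Luhn checksum: filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_transcript(text):
    """Return (redacted_text, counts). Counts hold types only, never values,
    so the audit record does not become a second copy of the data."""
    counts = {"PAN": 0, "SSN": 0}

    def mask_pan(m):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            return m.group()    # fails checksum: not a card number, keep it
        counts["PAN"] += 1
        return "[PAN ****" + digits[-4:] + "]"

    def mask_ssn(m):
        counts["SSN"] += 1
        return "[SSN REDACTED]"

    text = PAN_RE.sub(mask_pan, text)
    text = SSN_RE.sub(mask_ssn, text)
    return text, counts


if __name__ == "__main__":
    print(redact_transcript(SAMPLE))
```

The redacted copy is what would be retained or passed to other systems; the original transcript and recording still need to be purged or relocated on the schedule the business has set.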


Firewalls – Sometimes a Contact Center’s Worst Enemy


Firewalls are a good security measure and contact centers can benefit from using them, but as a cloud communications architect supporting contact centers for the past two decades, I have seen first-hand how many support tickets are caused by these security measures – at least 30%. It is not uncommon for security personnel or an automated security application to shut down a critical service. The unfortunate truth is that IT security staff and contact center engineers typically do not run in the same circles. IT security staff are, for the most part, experts on standard network and UC technology. If you have an IVR doing a database dip to an external database or an agent recording a greeting using a web-based desktop client, security might be unaware of the access required and can disrupt these services without even knowing what they have done. Another best practice is to make sure that when changes are made to security policies or configurations on security appliances, these changes are conveyed to contact center support. It is then much easier to draw a correlation between the change and a disruption in service.


Treating Contact Center Security Like Any Other Application


One of the biggest mistakes an organization can make is to not have the same security controls or posture in place for their contact center or CCaaS as they do for other applications. Contact centers have sensitive data needing protection, just like a CRM/ERP system or a database. With that in mind, organizations should take a defense in depth approach, incorporating at a minimum the key elements below for the contact center or CCaaS environment:

  • Proper physical controls

These are controls that include security measures that prevent physical access to the IT systems that are part of the contact center. If leveraging a CCaaS solution, the managed service provider would be responsible for maintaining this and providing documentation detailing what physical controls are in place.

  • Proper technical controls

Technical controls include security measures that protect network systems or resources the contact center or CCaaS solution utilizes. This would include NGFWs, IPS, IDS, ACLs, etc.

  • Proper administrative controls

Administrative controls are security policies or procedures directing the organization’s employees on using solutions, such as instructing users to label sensitive information as “confidential” within the contact center or CCaaS application.

  • Proper access control measures

The appropriate access control levels should be defined within the contact center or CCaaS solution. Access controls can be enforced by such solutions as zero trust, software defined perimeter (SDP), biometrics, 2-Factor Authentication, etc.

  • Endpoint protection

Ensure ALL endpoints utilizing a soft phone or contact center/UCaaS application have endpoint detection and response/antivirus/advanced malware protection installed.

  • Security event monitoring

Ensure that contact center security information and security events are being logged and correlated within a SIEM or MDR solution.


Implementing the above elements won’t make your customers’ contact centers invincible, but by taking a defense in depth approach, you can protect, detect, mitigate, and isolate an attack quicker, giving them greater control over threat actors.

Next Steps ...


Like to learn more about Security Solutions for your Contact Center? Give us a call at (813) 343-0440 or send us a message to schedule an appointment.


