Protecting Customer Data, Part 2: Top Internal Security Risk—Human Error

FROM THE APRIL 2019 ISSUE

Protecting Customer Data in the Contact Center

Data protection systems and tools that are currently on the market offer robust protection against external cyber threats. For most businesses, though, the most significant security risk to a company’s data or systems comes from within—human error. Most (84%) C-suite leaders and just over half (51%) of small business owners cited employee negligence as their biggest information security risk, according to Shred-it’s 2018 State of the Industry Report. Consumers agreed: 96% said they viewed employee negligence as a contributor to data breaches at U.S. companies.


Simply put, “the human mind is hackable,” says Chris Knauer, SVP and Chief Security Officer at Sitel Group, one of the largest customer experience (CX) management companies in the world. “Humans are subject to suggestion; we feel the need to please people, but in the process of doing so, sometimes we inadvertently do things that are not in the best interest of the very people we’re trying to serve.”

That may be the customer, or it may be a leader or colleague within the organization. “The newer sophisticated types of attacks taking place today are trying to take advantage of that,” he adds. “It’s not like the Nigerian prince emails from 10 or 15 years ago. What you see now are emails that look like they’re coming from your manager or from a chief executive of the company.”

Social Engineering Is an Ongoing Threat for Contact Centers

The desire to help their customers is what makes agents vulnerable to social engineering attacks in which criminals who are skilled in manipulation tactics gain agents’ trust and trick them into giving away confidential account information. What might seem like an innocuous bit of information provides the criminal with another detail that they may not have had. And if they do it enough times, they can collect enough information about the target to take over the account.

A common social engineering tactic is a criminal who poses as an angry customer knowing that, when agents get flustered, they’re more likely to be manipulated. “An effective way to manage this type of scenario is to have escalation paths within the call center to quickly determine whether this is a real issue or a potential scam,” Knauer says. “If you have one person dealing with an angry caller, it’s likely that person is going to be manipulated. But if it’s two people, you tend to get a more unbiased view of what’s happening with a particular call situation.”

In some cases, the agents themselves create a security risk by going off script; for instance, by asking leading questions in the customer verification process. A typical example is when agents confirm a customer’s home address by saying: “Are you still living at 123 Main Street?” instead of asking the caller, “What is your home address?”

So how can you help frontline staff to be more vigilant against master manipulators and other data security risks? Provide security awareness training on the different types of threats that agents are likely to encounter. Training should include data security protocols, standards for handling sensitive information, how to report a suspected issue and what to do when an incident takes place, along with general cyber- and workplace security best practices.

Role-playing can be an effective approach to ensure that agents learn how to identify social engineering tactics and when to escalate calls. Knauer and his security team also periodically call various programs within the center to see if they can manipulate agents into releasing information. He has found that agents in programs that emphasize Net Promoter Scores will sometimes feel pressured to try to please the caller, but as he explains, “the reality is that consumers want to know that their information is secure. Taking a customer call is like driving on the highway—you have a starting point, an end point and there are lanes that you need to stay within. The bottom line is we want people to use the scripts and tools they have in place to manage the call, stay within the lanes of the highway and don’t take any off-ramps.”

Admittedly, security awareness training can be a bit dry, especially when presented classroom-style. Knauer suggests using shorter, interactive sessions to engage agents. Communication from company leaders can also provide valuable encouragement and support. In a recent phishing scam, attackers sent fake emails to Sitel Group employees posing as CEO Laurent Uberti and asking them to transfer funds or release gift cards. Uberti issued a video message discussing the scam and telling employees not to respond if they received the email, and that he would never ask them for gift cards or to transfer money.

“The message that he created was very powerful,” Knauer says. “And it set the tone for the rest of the company that our executive team is not going to come to you haphazardly from a Gmail or Hotmail account and ask you to do something that is not part of our business.”
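As an added illustration (not code from the article or from Sitel Group), the executive-impersonation pattern Knauer describes can also be caught mechanically before it reaches an agent: a known executive's name in the From display, a sender domain that is free webmail rather than the company's own, and wording that asks for gift cards or a funds transfer. The company domain, the free-mail list and the sample messages below are constructed assumptions.

```python
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumed internal domain, not Sitel's
FREE_MAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}
# Names of people whose display name should never arrive from outside.
EXECUTIVES = {"laurent uberti", "chris knauer"}  # illustrative list
REQUEST_WORDING = re.compile(
    r"\bgift ?cards?\b|\bwire transfer\b|\btransfer (?:the )?funds?\b", re.I)


def impersonation_flags(from_header: str, subject: str, body: str) -> list:
    """Return the reasons a message resembles executive impersonation.

    An empty list means none of the three indicators matched. The order
    of reasons is fixed so callers can compare results directly.
    """
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    flags = []
    # Indicator 1: a trusted display name, but the mail did not come
    # from the company domain (display names are attacker-controlled).
    if display.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        flags.append("executive display name from external domain")
    # Indicator 2: the sender is a consumer webmail account.
    if domain in FREE_MAIL_DOMAINS:
        flags.append("free webmail sender")
    # Indicator 3: the message asks for money or gift cards.
    if REQUEST_WORDING.search(subject + " " + body):
        flags.append("payment or gift-card request wording")
    return flags


# Constructed sample messages for a quick self-check.
SAMPLE_MESSAGES = {
    "lure": ('"Laurent Uberti" <laurent.uberti.ceo@gmail.com>', "Quick favor",
             "I am in a meeting. Can you pick up some gift cards for me today?"),
    "legit": ('"Laurent Uberti" <laurent.uberti@example.com>', "Board deck",
              "Attached is the deck for Thursday."),
}


def triage_samples() -> dict:
    """Run the check over SAMPLE_MESSAGES and map each key to its flags."""
    return {k: impersonation_flags(*v) for k, v in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, reasons in triage_samples().items():
        print(name, "->", reasons or "no indicators")
```

A hit on the first indicator alone is usually enough to route the message to a human reviewer; the other two raise confidence rather than stand on their own.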

Next: Shining a Light on Dark Data