During the summer of the COVID pandemic, a sudden urgency emerged to get everyone home safely. Large numbers of on-site agents were suddenly sent home to work remotely. The challenge, however, is that not everyone has been set up in a safe, secure work environment. Now that more months have passed, we can reflect on what some of the challenges were and what we still need to keep top of mind.
Initially, many businesses faced huge call volumes with long wait times. There was a major concern about maintaining the customer experience and ensuring that agents remained engaged despite the sudden stress added to the job. With technological challenges, systems crashing, changing rules and so many new demands on agents, the stress increased for all involved.
In this new, uncharted time and suddenly changed work environment, a couple of schools of thought emerged around compliance, authentication and security. Some leaders suggested relaxing the rules during high call volume times to minimize stress on agents when customers get irate from over-authenticating. Most leaders want to maintain the same authentication and security protocols, but the challenge is that there have been remote technology issues, longer wait times and workplace (home) distractions, all leading to agents becoming more vulnerable. This is what the bad actors/hackers are counting on!
Working remotely is great when set up properly and executed to ensure the right security. Many companies were not prepared to send so many people home to work remotely so quickly and were in purely emergency response mode. The intention behind this article is to increase awareness around security mindfulness so that we can all be proactive and preemptive in creating safe, secure, amazing customer experiences.
Hackers are taking advantage of the crisis we are all navigating, as they know the vulnerabilities that come with the rapid increase in remote workers. The bad actors are hacking through social engineering. This has been going on for many years, but it has increased drastically during this crisis.
What Is Social Engineering?
Before we go on further, let’s define social engineering: Social engineering is “the psychological manipulation of people into performing actions or sharing sensitive information” (Kevin Mitnick, former hacker).
The importance of cybersecurity was highlighted in the May 2020 report on “Cybersecurity Leadership Principles” from the World Economic Forum. Several key issues were addressed around cybersecurity and the new risks during these unprecedented times.
The article stated that, “Working from home or remotely has increased the attack surface exponentially and multiple vectors for cyberattacks through the heightened dependency on personal devices and residential networks.”
Some key points relevant to the contact center industry are:
- Social engineering tactics are highly effective on a workforce that is distracted and vulnerable.
- Rapid deployment of new services, mostly cloud-based, and changes to the network architecture may bypass important risk assurance steps and expose the broader ecosystem.
- Critical business assets and functions are significantly more exposed to opportunistic and targeted cyberattacks by criminal organizations and nation states seeking to take advantage of rising vulnerabilities.
Their advice: “It is imperative that leaders strategically manage information risks, work toward a culture of shared cyber-risk ownership across organizations and take a strategic approach to cyber resilience.”
Why Does Mitigating Risks and Increasing Awareness Matter?
Earlier thinking centered around customer security vs. customer experience. Instead, the thinking needs to be that customer security is part of the entire customer experience. Safe and secure customer information is part of creating a customer journey with minimal customer effort.
Breaches of any kind impact the following:
- Customer experience
- Customer satisfaction
- Employee engagement
- Bottom-line ROI
- Operational expenses
- Legal costs
- Stock value
Why Frontline Agents Are Prime Targets for Social Engineering
With the focus on NPS, CES, CSAT, AHT, and the innate desire to keep customers happy, frontline customer service agents are prime targets for hackers. This applies even more so to remote agents working in unfamiliar surroundings, with increased distractions and increased stress levels.
Does the following sound familiar?
- “Always keep the customer happy”
- “Need to have a high CSAT”
- “I like to please people”
- “Avoid conflict”
- “Avoid embarrassing the customer”
- “Manage your talk time/AHT”
- “They sound nice”
Why Social Engineering Is So Prominent
According to American computer security consultant Kevin Mitnick, “People are the biggest weakness to security breaches; people can also be your organization’s biggest defense.”
Something to consider:
- The path of least resistance is always people.
- Most organizations and individuals will experience attempted and successful social engineering exploits without even knowing it.
- The global buy-in of social media has made social engineering exploits much easier to carry out.
Why is social engineering growing during this COVID-19 crisis?
- It is a lucrative crime.
- You do not need to be a skilled computer programmer/specialist.
- If you are willing to talk to or email people, you are qualified.
- The internet provides social engineers with a lot of information about their targets, whether through bought data or social media profiles.
- There are so many targets who are currently vulnerable and distracted.
- Hackers are counting on an untrained workforce with technological challenges.
As Stephane Nappo says in Cybersecurity Observatory, “Many sophisticated attacks start from social engineering or just an email. If the offense targets human and process, defense must be aligned accordingly.”
A recent article, “The Many Ways Your Employees Can Get Hacked While Working From Home and How to Respond,” points to research by Check Point Software Technologies which stated that: “Hackers are already exploiting the opportunity to attack unprepared businesses with more than 2,600 detected threats a day.”
Check Point’s survey of 411 IT Leaders reported the following:
- Phishing attacks lead the way at 55%
- Malicious websites, 32%
- Malware, 28%
- Ransomware, 19%
If we look deeper into the phishing attacks that are carried out over the internet, some examples of these attacks are:
- Spoofed internal email addresses
- Current topics in the public eye or relevant to the target
- LinkedIn requests
- Facebook notifications
For contact centers, “vishing” attacks, which are carried out over the phone, are also often used to hack a company through social engineering methods. Some examples of these attacks are:
- Coerce target into performing an action
- Click on link in email sent prior to call
- Open attachment in email sent prior to call
- Disclose information through IT-based surveys targeting users
- Passwords targeting users/help desks
- Software on desktop targeting users/help desks
Create a Culture of Security
Given that we need to tackle the cybersecurity puzzle by strengthening the human firewall, how do we solve “the people part of the puzzle”?
Solution: Create a culture of security. Culture is the sum of the characteristics that make your organization unique. This can be anything related to your values, beliefs, attitudes, traditions and behaviors.
What is a culture of security? It means having values, beliefs, attitudes and behaviors where security is understood to be everyone’s responsibility from the top down, AND the understanding that security is not isolated to a department; it is how everyone across the company behaves. Having security awareness and mindfulness is the foundation for creating a culture of security.
- We need to remember that culture starts from the TOP!! Attitudes, beliefs and behaviors need to be exhibited at the top to create any culture.
- When security culture starts from the top, your team members, on-site and remote agents will take greater ownership of and responsibility for security issues. The mindset that security is everyone’s responsibility will be part of the culture!
- Everyone needs to have an increased awareness of the most relevant security threats.
- All departments and all teams need to adhere to privacy and security processes and procedures.
According to Katherine Thompson, Partner at Security Culture Institute (SCI), “Developing and creating a security culture is critical during these times as ‘bad characters’ and hackers are exploiting the fact that call volumes are through the roof, and that a huge percentage of the workforce is working remotely and may be more prone to not following standard operating procedures and processes.”
This may sound repetitive, but it is worth repeating: Just as customer service is no longer just a department but part of the entire company culture, so too is cybersecurity. Security is not just a department left to IT; rather, security awareness needs to be at every level, and it is everyone’s responsibility.
A few simple points to reinforce with your on-site and remote agents:
- Think before you click.
- Authentication protects your customers, yourself, your company and your company’s brand.
- When in doubt… Ask!
- Limit social media exposure. Refrain from showing your workstation on social media.
The work done by contact centers, and by all the people required to run them efficiently, is priceless. During these highly stressful times, contact center teams have tirelessly served customers and helped them through their personal challenges.
To the many leaders, with so many competing demands put on them, I applaud your hard work as you selflessly serve your teams. I hope this article helps with your security mindfulness as you incorporate cybersecurity practices as part of your commitment to creating a memorable customer journey.