Aug 22 2024
Security

4 Strategies for State and Local Governments to Secure Contact Centers

An exceptional citizen experience requires authentication and threat prevention measures.

State and local government teams are constantly thinking about how to improve customer service. Making things more efficient, reducing barriers to doing business with agencies, simplifying paperwork and moving to online processes wherever possible are all top-of-mind strategies for managers who want to deliver better constituent services. One piece of that equation is often contact centers. Offering services and information via phone and internet chat can move the needle toward happier customers.

Contact centers are part of the public face of an agency. They interact directly with customers and often have direct and privileged access to confidential information, IT applications and financial systems. Contact centers are also reachable from anywhere in the world. All of this makes contact centers perfect targets for hackers and attackers.

This risk represents a challenge for IT leaders who want to secure these critical teams but who must also work within the constraints of contact centers: Workers there are some of the lowest-paid, are insufficiently trained and sit near the bottom of the organizational hierarchy.

Here are four strategies to help combat threats and reduce risk in contact centers.

1. Protect Against Social Engineering

Social engineering attacks are the easiest way for an attacker to compromise a contact center and get a foothold in a government network. Whether it’s someone pretending to be a boss, a crying coworker or an irate customer, people are people, and everyone wants to be helpful, especially when that’s their job.

The standard advice against social engineering is training, but if that worked perfectly, social engineering attacks wouldn’t be so famous for their rate of success. Instead, IT teams must go beyond basic training to more intensive approaches. Launching social engineering attacks and penetration tests against agency staff may sound mean and a bit unfair, but people learn in one of two ways: repetition or dramatic effect.

When social engineering is successful, the silver lining to an awful incident is that it becomes a learning moment for everyone. Turn the unfortunate example into a compelling story and people will listen and learn from it, even if it means slight embarrassment for the agency or executive who fell victim to the attack. Examples, real ones, drive the point home in a way that a hypothetical never can.

2. Protect Against Phishing

Training is great, but throwing some technology at the problem of contact center security is also a big help. Contact center workstations must be locked down, and personal computers should be avoided. If people are working from home, use desktop virtualization tools to deliver applications to contact center staff while completely blocking any personal applications between client and virtual desktop windows.

Contact center networks also need hefty protections. This is where the URL filtering, reputation-based IP rules, anti-malware filtering and built-in intrusion prevention systems of unified threat management tools or next-generation firewalls all come into play. Locking down the desktop with endpoint protection suites and filtering email is just a starting point. Adding more layers, even if they seem redundant, helps match security investment to organizational risk.

Zero-trust zealots may not favor this defense-in-depth approach, but there’s good justification for it: These are staff members who interact directly with the public and who we know are primary targets for attack. Extra protection is appropriate for contact center team members.

3. Scrutinize and Control Everything

We like to talk about empowering staff, reducing hierarchy and making things more efficient. That’s a great approach, but agencies must also take care that they’re not throwing basic information security and risk management out the window. Role-based access controls, for example, put some guard rails around what contact center staff can see and change. For constituent-facing contact centers and, more important, staff-facing contact centers, RBACs and applying the least-privilege principle are table stakes. They help ensure that credential theft doesn’t go anywhere, that a compromised workstation can do only a bare minimum of damage and that insider threats are contained.

Feeding access logs and security information into regular audits also helps reduce risk of contact center compromise. Traditionally, audits are rare, maybe annual events, and are done by hand. If an IT team has been searching for an artificial intelligence project to get their feet wet and hands dirty, feeding log information to get real-time analysis of what is happening and what anomalies are worth investigating is a great place to start. If that’s too big a stretch, at the very least put detection rules into any security information and event management and log analysis tools to pick up on people who seem to be exceeding their authority or who are executing a lot more transactions than the average contact center member.

Technology enforcing strong process controls removes the human element. Multifactor authentication for contact center staff and multifactor verification for constituents help with the problem of credential and identity theft. Just as importantly, make sure that these process controls can’t be short-circuited. For example, either an application or a separate contact center team member must be the one to actually verify constituent identity, not the worker who is interacting with the constituent.
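The detection rules and the identity-verification control described in this section can be prototyped as a small log audit before they are written into a SIEM. The sketch below is an added example, not part of the original article: the log fields, role names, action names, the `idv-app` verifier and the volume threshold are all assumptions, and the log lines are constructed.

```python
import csv, io
from collections import Counter
from statistics import median

# Constructed sample access log (assumed fields: ts, agent, role, action, verified_by)
SAMPLE_LOG = """\
ts,agent,role,action,verified_by
2024-08-01T09:00:00,alice,tier1,view_account,
2024-08-01T09:02:00,bob,tier1,update_contact,idv-app
2024-08-01T09:05:00,carol,tier2,issue_refund,bob
2024-08-01T09:06:00,dave,tier1,view_account,
2024-08-01T09:07:00,dave,tier1,view_account,
2024-08-01T09:08:00,dave,tier1,update_contact,dave
2024-08-01T09:09:00,dave,tier1,issue_refund,idv-app
2024-08-01T09:10:00,dave,tier1,view_account,
"""

# Hypothetical least-privilege map: which actions each role may perform
ROLE_ACTIONS = {
    "tier1": {"view_account", "update_contact"},
    "tier2": {"view_account", "update_contact", "issue_refund"},
}
# Hypothetical set of actions that require a verified constituent identity
IDENTITY_GATED = {"update_contact", "issue_refund"}

def audit(log_text, volume_factor=3.0):
    """Return (rule, agent, detail) findings for one batch of access events."""
    events = list(csv.DictReader(io.StringIO(log_text)))
    findings = []
    for e in events:
        # Rule 1: action is outside what the agent's role allows
        if e["action"] not in ROLE_ACTIONS.get(e["role"], set()):
            findings.append(("exceeds_role", e["agent"], e["action"]))
        # Rule 2: identity was not verified, or was verified by the handling agent
        if e["action"] in IDENTITY_GATED and e["verified_by"] in ("", e["agent"]):
            findings.append(("self_verified", e["agent"], e["action"]))
    # Rule 3: agent's transaction count is far above the peer median
    counts = Counter(e["agent"] for e in events)
    baseline = median(counts.values())
    for agent, n in sorted(counts.items()):
        if n > volume_factor * baseline:
            findings.append(("volume_outlier", agent, n))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Comparing each agent against the peer median rather than the mean keeps one very busy account from raising the baseline it is measured against.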

4. Create a Culture of Security

If contact center staffers don’t understand the importance of their actions on the front lines, they won’t be on the same page with IT teams trying to reduce the risk of breach or compromise. That means having clear and simple incident reporting procedures — ones that don’t penalize contact center staff.

Judgment-free feedback is also valuable. If a contact center team member isn’t following the process or is putting the agency at risk, yes, shut that down as quickly as possible. But move forward with these incidents as learning and training opportunities, not as a reason to punish what could be human, helpful behavior.

Giving contact center teams an awareness of how important their vigilance is to mitigating risk is a start, but rewarding staff who report phishing (and fishy customers) is better. Contact centers need their own support structures: internal help desks, escalation procedures and resources that can give them what they need to react better when something just isn’t right.
