In the financial services world, 2005 is the Year of the
Security Breach. Turn to the national television news and watch the latest
reports about credit cardholders placed at risk by a skilled hacker. Open
the Wall Street Journal and read the latest exposé about high-tech criminals
tapping into consumers’ personal information.
With threats looming everywhere in financial services,
settling for bare minimum-security standards is not an option. And while
call centers and collection shops largely are avoiding the glare, they have
nonetheless adopted a new mantra: security, security and, oh yes, security.
Gordon Patterson, chief security officer for NCB Management
Services Inc., a Bensalem, Pa.-based collections firm, voices a common
concern about falling prey to the next attack. “We don’t want to be
tomorrow’s headlines on CNN,” he says. But call centers are surely
attractive targets given the large volume of personal data they handle.
To counter-attack, NCB Management bolstered its security,
putting together a team this past summer to monitor safeguards and potential
threats. Many of the firm’s clients want more stringent security procedures,
such as video surveillance throughout the building, security card access and
criminal background checks on employees, says Patterson, who was promoted
from IT manager to security chief as part of the company’s changes.
NCB Management clients range from credit card issuers to
auto loan providers to mortgage companies. “Clients like to see that an
agency that they’ve entrusted personal data to will not reveal it or let it
escape,” he says. “I think in the future clients will be a lot more wary
about working with agencies that can’t demonstrate an ability to protect
information.”
NCB spent $250,000 this year on the security improvements, a
significant increase from the $50,000 the company has spent in past years on
security. One goal of the new security focus is convincing every employee
that they are part of the security team, educating them about clearing their
desks of any personal information and teaching them to shred documents.
Credit Plus, a Salisbury, Mass.-based company that operates
call centers for mortgage firms, also has made improvements to its security
procedures. Having recently moved to a larger facility, the company then
heightened security measures to help protect confidential information stored
in its systems.
Among the changes now in place: Fiber-optic technology for
data transmissions, security codes and fingerprint scans to access
buildings. The new facility also has a back-up generator that can keep
operations running for up to two weeks in the event of a disaster.
Agent Access
Limiting employee access to sensitive data is a big issue
for most call centers, says Chris Lawrence, principal product manager for
Concerto Software in Westford, Mass. “Although there are still denial of
service attacks and the risk of someone getting through a firewall, call
centers are now focusing on the security of vendors and people in the
organization,” Lawrence says.
At Cambridge Integrated Services, a Greenwich, Conn.,
operator of customer-service call centers for financial institutions, agents
only have access to information they need for calls. They cannot access
information on any other customers. “We have tracking mechanisms so when
someone logs in we can have a trail of where they go,” says Keith Zimmerman,
managing director.
To keep call center agents from having too much information
about customers, Apropos, a call center communication provider, designed a
system for ABN AMRO that shields agents from listening when the customer
punches in PIN and account information. When it’s time for the customer to
enter private information, the system puts the agent on mute and collects
the data, placing it in an encrypted temporary file until the transaction is
finished. When the call ends, the temporary file is permanently deleted from
the server.
Many Apropos’ call center clients work on the inbound side
taking customer service calls for financial institutions, says John Cray,
vice president of products for the Oakbrook Terrace, Ill.-based company. If
a customer calls a center and wants help navigating a Web site, Apropos’
communication manager allows the agent to guide the customer, but restricts
access to certain pages containing sensitive customer information.
Along with internal threats, many call center executives
fear that connectivity to vendors can create problems. Concerto’s call
center customers want to make sure that the technology provider’s system
does not have vulnerabilities that could put their system at risk, Lawrence
says. The company created a security brochure that it gives to clients using
its call center products. It outlines all the potential vulnerabilities of
their system and what anti-virus software they use, he says.
Outside Threats
Although protecting against internal risks is important,
it’s also key to keep the network safe from outside intrusions. Several of
the recent data losses making headlines involved someone gaining access
through a security hole in the system and exploiting that application flaw
to gain additional access, says Mike Hrabik, IT director for managed
security provider Solutionary, Omaha, Neb. “We are starting to see a lot of
newer attacks that are harder to detect because they are not worms, but
humans crafting special requests,” he says.
Outsourcing call center operations, of course, raises
security concerns about how much data needs to be sent overseas or across
the country to a call center, says Herbert Ristock, systems product manager
for Genesys, a call center software provider in Daly City, Calif.
This becomes more important when the center has many
clients, since one client doesn’t want another to have access to its
information. “Some sensitive data is not really required to be transferred
to an outsourcer,” he says. Agents really only need enough information to
make calls and answer questions, so there is no need to send full account
numbers or Social Security numbers to call centers that do not need them.
While securing networks is always a priority, many centers
are performing regular security audits and adding security procedures for
their organization, their vendors and customers to bolster their overall
security. Avaya, a communication systems provider helps call centers plan
their security strategy, performing call center audits to make sure they
have the proper technologies, such as virtual private networks and
encryption capabilities, says Lawrence Byrd, director of communications
applications for Avaya in Basking Ridge, N.J.
Many of Cambridge’s larger customers are asking for regular
meetings so they can track security measures and be sure Cambridge’s
technology is up to date. In addition to encrypting data, Cambridge has made
changes to its physical security. Currently the company uses key cards to
restrict who can enter the building, but Zimmerman says the firm is
considering installing biometric technology – such as fingerprints or iris
scans – for even more secure access.
Security Plans
NCB Management conducts annual ISO 17799 audits, an
inspection that examines the company’s information security procedures, as
well as its personnel and communications security procedures. “If you don’t
get a passing grade in every domain for security then you don’t pass the
assessment,” Patterson says.
Vendors and call center operators seem to agree that
security is definitely a bigger focus this year than in the past. “Four
years ago people accepted a higher threat level,” says Genesys’ Ristock.
“Now you have to do more on the security side because your customers expect
it.”
Call centers need to embrace a strategy, Concerto’s Lawrence
adds. “There are still some customers out there who don’t care because they
may not have the funds to care. But it doesn’t take millions to have a
strategy and pay attention to your internal practices.”
So many different factors go into implementing security
measures that most vendors and call center operators interviewed were
hesitant to say how much should be spent to safeguard a center. However,
Ristock says that most call centers today accept that paying a higher price
for technology is necessary as long as it means better security. They worry
about more than just the costs associated with a security breach. Now, their
reputations are at stake.