Protection for customer services

by Mark Rowe

How can contact centres and customer services be protected from escalating cyber threats? asks Bertrand Deroubaix, Risks, Quality & Security Director at Odigo. 

When it comes to cyber security, it’s no longer a question of knowing if an organisation is going to be attacked, but when. Whether large-scale or targeted, cyberattacks can have far-reaching consequences: financial losses, damage to company image, disruption of service, etc. In the field of customer relations and contact centres, several new types of attack are emerging, and one of the targets – whether direct or indirect – is the contact centre.

Contact centre software has evolved towards an “as a service” model, commonly known as CCaaS. Companies are making this choice to increase the efficiency of their advisers and optimise the customer experience. Thanks to the cloud, omni-channel technology and AI, this transformation is supporting the shift towards hybrid working and generating new uses.

The geographical dispersal of teams increases the area over which organisations are exposed to risk. Security loopholes can then appear and sooner or later be exploited by cybercriminals. For organisations, it’s not a question of turning back the clock, but of rethinking their contact centre transformation and management strategies to incorporate risk management. In particular, this means understanding cyberattacks to better anticipate and deal with them.

Recognising and understanding cyberattacks to respond more effectively

According to ANSSI (the French National Information System Security Agency), 831 proven intrusions were observed in 2022, compared with 1,082 in 2021. The decrease is due to a reduction in the number of ransomware attacks against certain organisations and can’t be interpreted as a drop in the threat level, which has simply shifted to less protected entities. Cybercriminals are continuing to hone their skills and are turning to peripheral targeting, which does not focus solely on equipment, but also on a company’s ecosystem: partners, service providers, subcontractors, and so on.

Whatever the motives of an attack – criminal, a desire to damage an organisation’s reputation, etc. – the consequences are financial loss, theft or disclosure of data and business interruption.

When a criminal targets a contact centre, they can do so via the telephone, interactive voice servers (IVR) or the Internet. We have identified three main types of attack:

  • Fraudulent calls are among the most common attacks in the customer relations field. They can take two forms: equipment piracy and identity theft (‘spoofing’). Toll fraud is a global problem, costing organisations millions of euros every year. In addition to the financial impact, it can saturate telephone lines and tie up a company’s IT and human resources, creating the conditions for a Telephony Denial of Service (TDoS) attack. In the second form, identity theft, a cybercriminal may seek access to a file and personal data in order to buy products, transfer money or modify connection data.
  • Telephony Denial of Service (TDoS) attacks aim to make a telephone system unavailable by exhausting all its resources. This makes it impossible to receive or make calls. They are sometimes used to extort money (ransomware) or to hinder a target’s activity (hacktivism).
  • Phishing or malicious emailing takes advantage of the omnichannel model of CCaaS solutions, which handle email, chat and social networks. Cyber criminals exploit these different communication channels to launch phishing attacks and distribute malicious code such as ransomware, spyware or other malicious software.

Optimising security with the CCaaS model: best practices

In the CCaaS model, three main parties are involved in securing the platform and the data hosted in the cloud – in compliance with the standards and regulations in force. The hosting provider manages the security of the cloud, whilst the CCaaS service provider manages the security of the platform hosted in the cloud. Finally, the company (client) oversees all aspects of contact centre security and deploys the means to protect access to services and data.

While it is impossible to prevent 100pc of attacks, there are best practices for limiting their impact, ensuring service continuity and preventing them from succeeding.

  • Implement a robust Identity and Access Management (IAM) policy to prevent unauthorised users from accessing company resources.
  • Ensure that the CCaaS solution provider has sufficient cybersecurity and data protection resources. To do this, ensure it has recognised certifications and complies with the standards specific to the client’s business sector. It’s also important to remember that digital service providers will soon be subject to the new NIS directive (NIS2), which strengthens security requirements and introduces incident reporting obligations.
  • Take advantage of the latest innovations to optimise cybersecurity and data protection. SaaS solutions provide access to AI-based vulnerability detection, data encryption and secure interactions.
  • Set up systems with telecom operators and work hand in hand on fraud detection. Machine learning algorithms monitor any changes in traffic and provide alerts in the event of an incident.
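
The traffic monitoring described in the last point can be illustrated with a small added example (not from the article or from any vendor's product). It swaps the machine learning the article mentions for a plain statistical baseline: each interval is compared with the median of the preceding intervals, and a large deviation raises an alert. The same check is applied to inbound calls per minute (a TDoS indicator) and outbound international minutes per hour (a toll fraud indicator). The function name, thresholds and both data series are assumptions constructed for illustration.

```python
from statistics import median

def spike_alerts(series, window=10, threshold=6.0):
    """Return indices whose value exceeds the trailing-window median by
    more than `threshold` robust z-scores (median / MAD based)."""
    alerts = []
    for i in range(window, len(series)):
        base = series[i - window:i]
        med = median(base)
        # MAD = median absolute deviation; fall back to 1.0 on flat traffic
        # so a perfectly steady baseline does not divide by zero.
        mad = median(abs(v - med) for v in base) or 1.0
        # 0.6745 scales MAD so the score is comparable to a standard z-score.
        score = 0.6745 * (series[i] - med) / mad
        if score > threshold:
            alerts.append(i)
    return alerts

# Constructed sample: inbound calls per minute, with a three-minute flood.
INBOUND_CALLS_PER_MIN = [42, 38, 45, 40, 41, 39, 44, 43, 40, 42,
                         41, 44, 180, 210, 195, 43]

# Constructed sample: outbound international minutes per hour, with a
# sudden jump of the kind a compromised extension would produce.
OUTBOUND_INTL_MIN_PER_HOUR = [12, 9, 15, 11, 10, 13, 8, 14, 12, 11,
                              10, 13, 12, 240, 310]

if __name__ == "__main__":
    for name, series in [("inbound calls/min", INBOUND_CALLS_PER_MIN),
                         ("outbound intl min/hour", OUTBOUND_INTL_MIN_PER_HOUR)]:
        for i in spike_alerts(series):
            print(f"ALERT {name}: interval {i} value {series[i]}")
```

Because the baseline is a median rather than a mean, the first intervals of a flood do not drag the baseline upwards, so a sustained incident keeps alerting until it fills more than half the window.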

Contact centres and customer services departments have become prime targets because of the sensitivity and value of the information they process. Awareness is the first step towards prevention. Companies must then fully integrate risk management into their cyber strategy, to prevent attacks and protect their customers’ data. In this way, they can ensure the continuity of their business, comply with current regulations and strengthen the confidence of their customers. Security regulations and standards also need to be reinforced to help protect customer data. In this respect, the evolution of the NIS Directive to toughen security requirements and the obligation to report incidents is good news. Beyond the technical and regulatory aspects, it is essential to raise awareness and train employees.

Finally, consumers also need to be aware of online security risks. They should be encouraged to take steps to protect their own data and be aware of existing and emerging types of attack, such as vishing (telephony ‘voice’ phishing attacks). By joining forces, businesses and consumers can help reduce the risk of cyber attacks and maintain trust in contact centres and customer services. Security is a shared responsibility.

© 2024 Professional Security Magazine. All rights reserved.