The security breaches at Sony Corp., makers of the PlayStation consoles, in April this year exposed both the wealth of personal information that contact centre staff gather from customers on a daily basis and also the potential costs and reputation damage that can result from lack of risk management and appropriate security practices.
The information stolen by hackers of the Sony Corp. systems included the names, dates of birth and possibly mother’s maiden name of approximately 100 million Sony PlayStation network customers as well as credit and debit records from over 23,000 non-US customers of Sony Online Entertainment (Edwards & Riley, 2011). It has been estimated that financial costs (including credit card fraud, network repairs and marketing costs) will amount to approximately 50 million USD, whilst restoring confidence in the company’s network and stabilising sales may take up to 6 months (Edwards & Riley, 2011).
Contact centres (also known as call centres) and contact centre staff are particularly vulnerable to safety breaches, not only because they have access to important personal information about hundreds, thousands or even millions of customers, but also because these operations frequently run 24 hours per day, are located in industrial or sparsely populated areas, are often outsourced, have high staff turnover and employ casual, transient staff. There are also other factors unique to this work environment that may contribute to a risk of safety breaches. In their 2009 study of contact centre workers, Dr Mohan Thite and Associate Professor Bob Russell from Griffith University found that turnover in call centres was as high as 20 percent in Australia and between 40 and 100 percent in India, which houses the contact centres of many Australian organisations. Further, Edwards & Riley (2011) found that call centre staff were often exposed to difficult work environments including lack of control of their work load (e.g. inability to regulate the telephone traffic), noisy environments, little positive feedback and verbal abuse from customers.
Research has revealed a “depressing list of call centre security vulnerabilities ... poorly protected people, poorly protected data and poorly protected systems” (Wheatley, 2008).
Audits of contact centre operations in the US showed that an astonishing number of ex-employees still retained computer network and building access rights years after they resigned, and that background checks on employees dealing with sensitive personal and financial information were minimal or inconsistent (Wheatley, 2008). Other best practice policies, such as a contact centre ban on portable devices like USB disks that may be used to remove personal information, were not well understood or applied by organisations.
And yet contact centre staff have access to very sensitive information that may expose a customer to identity fraud or even bankruptcy if not well handled and secured!
The security of information accessed in contact centres is a very real concern. According to a 2009 study in the US, 80% of Chief Information Security Officers surveyed believed that employees and contractors presented the greatest threat to their data, much greater than the threat posed by hackers. Prince (2009) found that for all reported data security breaches between 2000 and 2009, insiders (staff and contract staff) were the source of 22% of all compromised data and 31% of all incidents of security breaches. This included lost or stolen computers and backup tapes, accidental leaking of information and malicious activity.
A factor that seems to be related to the incidence of insider data security breaches is organisation size. The larger the organisation, the more likely it is to have an insider breach. It appears that in larger organisations employees are more likely to be able to justify breaching security procedures, are more able to hide their activities and are less likely to get caught (Prince, 2009).
Unfortunately, the larger the organisation the more likely it is to have a contact centre!
So, what can be done? Audits tend to be infrequent, IT consultants are expensive, and sophisticated systems are costly and take time to implement.
Experts agree that implementing appropriate procedures and training staff are key requirements of data security arrangements (Prince, 2009; Thite & Russell, 2009). Picking the right staff, to begin with, is also important!
We can help. RightPeople can offer your business a simple, cost-effective and timely solution to the problem of ‘insider threat’. Our Risk Management Profile (RMP) can help you find employees who are most likely to handle information sensitively, act with integrity, follow organisational policies and procedures and are least likely to undertake a malicious security breach. The RMP can also be used with current staff to identify areas where procedures are not being followed or where there are gaps in knowledge about policies. This can help with developing training programs. The RMP identifies integrity, honesty, poor impulse control, stress tolerance and conscientiousness, all of which provide an indication of how an individual will handle data and sensitive information.
The RMP can be completed online, within your organisation or even at a candidate’s home. You will receive a report identifying how the individual scored on each of the key scales, what the areas for development are and how these may be addressed.
Don’t leave the security of your contact centre to chance. Contact us to find out more about the RMP today.
References and Further Reading
Edwards, C., & Riley, M. (2011). Sony data breach exposes users to years of identity-theft risk. Bloomberg Businessweek. Retrieved from http://www.businessweek.com/news/2011-05-03/sony-data-breach-exposes-users-to-years-of-identity-theft-risk.html
Prince, K. (2009). White Paper: Protecting your organization from insider threat. Retrieved from http://www.cio.com/white-paper/685938/Protecting_Your_Organization_from_Insider_Threat
Thite, M., & Russell, B. (Eds.). (2009). The next available operator: managing human resources in Indian business process outsourcing industry. New Delhi, India: Response Books.
Wheatley, M. (2008). Call centre security: how to protect employees and customers. CSO online. Retrieved from http://www.csoonline.com/article/356064/call-center-security-how-to-protect-employees-and-customers?page=1