Effectively protecting your customers' data.

Today's organizations depend and thrive on data for marketing, customer service and staff management, and like anything that is valuable, criminals have been seeking it to commit ID and other fraud, blackmail or other crimes.

The 2009 Identity Fraud Survey Report by Javelin Strategy and Research reports that the number of identity fraud victims has increased 22 percent to 9.9 million adults in the U.S., while the total annual fraud amount increased by seven percent to $48 billion over the past year. The reasons include profitability, safety and simplicity, explains Greg Young, research vice president, Gartner.

To limit ID fraud, the U.S. Federal Trade Commission requires financial institutions and creditors to comply with its new Red Flags; after much delay, enforcement begins Nov. 1, 2009. The regulations mandate these firms to implement programs to identify, detect, and respond to the warning signs, or "red flags," that could indicate identity theft.

Unfortunately, firms have been launching new data-using processes without having the tools in place to adequately protect users and themselves.

"The business uses of data have gone far beyond what the security architectures and procedures are designed for and these have not caught up," explains Young. "There is a disconnect between what businesses do and intended to do with data and what security fence system is in place to enforce those policies."

Also, companies have been erring in favor of not inconveniencing customers, as opposed to security measures such as asking for authentication through passwords and answers to challenge questions. These methods have become more difficult because the secrets used for authenticating users via passwords are readily available. This matter comes to a head with contact center agents who face annoyed buyers on the phone and who have to keep handle times short.

"There is a line between customer access and customer service that is tread more often than not on the customer satisfaction side, because firms don't want to make it difficult for customers to get at data and risk annoying them," says Young.

Limiting the People Threat

Contact center staff are on the data security front lines. Properly trained, they can thwart intrusion. Unfortunately, contact centers too frequently have environments that foster data loss and theft. Employees are typically low-paid and have minimal or no benefits, are often poorly supervised, rushed to meet metrics, and face enormous stress from demanding customers and management. Agents also tend to be young, sometimes immature, with little workforce experience and financially struggling.

Limiting the risk requires proper staff selection and management, keeping an ear out for and acting quickly on any serious morale and performance issues. There need to be work environments where employees look out for their company rather than looking the other way.

Thomas L. Cardella and Associates applies background checks, including credit and work experience checks, on new hires. It also provides them an excellent work environment.
Its pay is slightly higher than its competitors', with benefits that are the same from the agents to the CEO, and an employee stock ownership plan.

These processes and features have helped the BPO firm attract what CEO and founder Tom Cardella considers a superior quality agent. The average age is 34 years old, which is higher than some of its competitors, leading to a more conscientious and responsible work force, one that sees employment there as an investment in their future.

"Having a vested interest in our company helps manage data security issues, because it isn't management they are hurting either deliberately or through neglect but themselves," explains Cardella.

Managing Data Access

Preventing theft while enabling quality customer service requires carefully managing data access. There are many data access methods. Among them are data masking--which replaces confidential data with fictitious material--shortening identifiers, data obfuscation and encryption.

Axis Technology, which makes the DMsuite data masking tool, argues that this method is far more effective than encryption because encrypted data is merely a puzzle that takes a little time to decode, explains company founder and president, delivery and operations Michael Logan. In contrast, masked data cannot be reversed if it is removed from its environment. Also, by using data masking, companies do not have to disclose if there is a breach because the private data is unable to be used by thieves, therefore eliminating the risk.

Access management includes employee and user authentication, and there is a growing range of new biometric-based solutions to enable just that. For example, Convergys has a new platform-independent on-demand voice authentication solution that is implemented by enrolling voice signatures. Companies can then authenticate agent-assisted and consumer transactions more securely than with traditional ID + PIN authentications.

The data access issue comes to a head with CRM systems because many more people have differing access to the vast amounts of valuable information to perform their tasks. This renders the traditional data control method of separating access by users unworkable.

Larry Ritter, senior vice president and general manager of Sage CRM Solutions, says for those reasons his firm incorporates multiple security models and tools into its applications.
These allow customers to apply the appropriate layers of security to their business needs and the right balance of security versus accessibility to their CRM data.

"For CRM, enforcing the appropriate role-based security along with functional/feature security is important for information management and interaction standards compliance," says Ritter. "From data access security, to segmented record views, to field-level security, to feature/functionality, role-based security and user grouping/management, any combination of security implementations may be relevant to one customer and overkill for another."

Outsourcing, Hosting, Off-shoring and Home Agents

Firms and customers have raised concerns about whether there is a greater risk of their information being stolen by third parties, by staff outside of the U.S., or by agents in their homes. Fortunately, these fears, say experts, may be overemphasized.

Outsourcers have to comply with the same strict laws that regulate individuals' health information and with payment card industry data security standards. It is also in their best commercial interests to do so; keeping their clients' customers' data safe and secure helps keep clients and attracts others.

For example, InfoCision Management Corporation has become a Level II merchant by PCI, which means that it can safely process between one and six million credit card transactions a year, reports Steve Brubaker, Senior Vice President, Corporate Affairs. It is now working on its annual audit to ensure compliance in addition to monthly audits. Level II firms must complete an annual self-assessment questionnaire.

Hosted solutions such as contact management and CRM platforms can be equally safe as their on-premises counterparts.
And for similar reasons as outsourced live agent applications: because they have to be.

"Hosted applications may not provide dedicated secure tunnels to the users' sites while premise solutions can be as secure as money can buy," reports Bernard Drost, chief technology officer of Innoveer Solutions. "[Yet with premises solutions] I usually see that security is an afterthought or the people deciding on how to handle security are not security experts. The good thing with hosted solutions is that a lot of very big companies host their CRM with the hosting providers so much research has been done to make the hosted system as secure as possible."

Premises-based tools may require costly security updates involving patches or complex configuration changes that would need to be created, issued, and distributed to customers and then installed, which may come too late if the crooks have figured out how to punch through the security.

"If a security weakness is identified, the cloud computing model enables updates to be quickly identified and instantly updated to all customers," says Niall Browne, chief information security officer, LiveOps. "The cost of implementation, compliance and 24/7 security monitoring and support can be spread across multiple clients, so every client has the security benefits and controls at a fraction of the cost and effort of implementing them individually."

There is little or no increased danger in having Americans' data handled by contact centers, whether internal or outsourced, in other countries, reports Gartner's Young.
This includes popular contact center locations like India, the Philippines, Latin America and Canada, which have similar if not more stringent laws and agreements that respect intellectual property and privacy.

There is a risk, though, of data loss if firms set up or do business with firms in countries where there is a culture for data and intellectual property theft and/or strong government controls, and industrial espionage. Young recommends performing due diligence on these nations.

Similarly, home agents are at no more risk from data theft than those in bricks-and-mortar centers. If anything, the threat is less because these individuals tend to be higher quality, better educated, older, and more responsible than those in traditional sites. They also treasure the privileges and are not about to endanger them.

The one common technology weak point in home offices, one that they also share with traditional settings, is wireless networks that can be a source of unauthorized access. These can be managed by prohibiting them or remotely shutting them down when agents are at work.
A similar data armor chink, wireless keyboards, can also be prohibited.

Firms can also deploy the same common authentication tools, such as fingerprint scans, voice print scans and webcams, as in bricks-and-mortar centers. For example, West will soon be beta-testing voice biometrics for its "West at Home" agents. It is also evaluating webcams to ensure that its certified agents are in the seats.

Home agent security has been bolstered by remote control tools that capture users' computers when they log on, preventing them from gaining unauthorized access to files and installing malware, and relinquishing the units when they log off.

These tools have become more powerful. The latest version of West's internal solution, the West at Home Locked Down Desktop Security Environment 2.0, now restricts wireless networks and unauthorized ports or virtual machines. Self-deleting code ensures that once the agents exit the Locked Down Desktop, no traces of the program or applications that run inside of it remain on the agent's computer. Code obfuscation blocks attempts to reverse engineer the program's proprietary code, thereby protecting intellectual property without affecting application functionality.

Checking and Responding

The best means to protect data are the most fundamental. These include checking to see if access credentials are up to date, frequent password changes, dumping unneeded sensitive data, and, when staff members leave organizations, removing their permissions immediately. They also entail the virtual equivalent of patrols, using a combination of checklists and observations for anything out of the ordinary, such as increased traffic from a server that has been quiet.
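
An added example, not part of the original article: a minimal sketch of the routine checks listed above (departed staff whose accounts are still enabled, passwords that have not been changed, and a normally quiet server that suddenly sends far more traffic). The account and server names, the 90-day password age and the 5x traffic factor are assumptions, and all data is constructed.

```python
from datetime import date
from statistics import median

MAX_PASSWORD_AGE_DAYS = 90   # assumed policy value, not from the article
SPIKE_FACTOR = 5             # assumed: latest day vs. the server's own median

# Constructed sample data: HR roster (user -> departure date or None),
# directory accounts, and daily MB sent per server (last entry = latest day).
ROSTER = {"akhan": None, "bly": date(2009, 9, 30), "cdiaz": None}
ACCOUNTS = [
    {"user": "akhan", "enabled": True, "pw_changed": date(2009, 9, 1)},
    {"user": "bly", "enabled": True, "pw_changed": date(2009, 8, 15)},
    {"user": "cdiaz", "enabled": True, "pw_changed": date(2009, 3, 2)},
    {"user": "tempagent7", "enabled": True, "pw_changed": date(2009, 10, 1)},
]
TRAFFIC_MB = {
    "crm-db": [40, 42, 38, 41, 39, 44, 40],
    "archive": [2, 1, 2, 2, 1, 2, 95],
}


def audit_accounts(accounts, roster, today):
    """Return (user, finding) pairs for enabled accounts that fail a check."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        user = acct["user"]
        if user not in roster:
            findings.append((user, "no matching staff record"))
        elif roster[user] is not None and roster[user] <= today:
            findings.append((user, "staff member left, account still enabled"))
        elif (today - acct["pw_changed"]).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((user, "password older than policy allows"))
    return findings


def quiet_server_spikes(traffic, factor=SPIKE_FACTOR):
    """Flag servers whose latest daily volume far exceeds their own baseline."""
    flagged = []
    for server, series in traffic.items():
        baseline = median(series[:-1])  # history excludes the latest day
        if series[-1] > factor * max(baseline, 1):
            flagged.append(server)
    return flagged


if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS, ROSTER, date(2009, 11, 1)):
        print(f"{user}: {finding}")
    print("traffic spikes:", quiet_server_spikes(TRAFFIC_MB))
```
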

And if, or more likely when, data is exposed, there should be a tested response plan, including handling calls and notifying customers in accordance with the laws. That procedure can involve having a third party pre-arranged on call to manage volume spikes.

"We have been asked, on occasion, to help an organization who has experienced a data loss or breach in security," says InfoCision's Brubaker. "Typically we have assisted by providing inbound customer service for calls generated from security breach letters sent to those whose information might have been compromised."

The following companies participated in the preparation of this article:

Axis Technology www.axistechnologylic.com
Convergys www.convergys.com
InfoCision www.infocision.com
Innoveer www.innoveer.com
LiveOps www.liveops.com
Sage www.sagecrmsolutions.com
Thomas L. Cardella Associates www.tlcassociates.com
West www.west.com