Top 5 CISO tips for call centre security

Customer support and front-line call centre staff have become the target for initial attacks or breach attempts at an increasing rate over the last few years. Malicious actors have recently shifted back to phishing, both by phone and by email, to gain access to sensitive data. Several of the largest breaches in the last two years have been the result of malicious actors taking advantage of human nature: the call centre employee’s desire to help.

This shift has caused many companies to reevaluate their security control posture and their risk.

For some time, customer service teams were deemed to be lower risk than leadership or engineering teams, on the assumption that they did not have much access to sensitive information. This is simply not true anymore.

Indeed, many customer support teams have access to sensitive data, the ability to reset users, and even internal support capabilities that allow for broad access. In several recent attacks, hackers called the customer support team and convinced employees to install remote desktop tools, which then allowed the malicious actors to control the employees’ desktops and take over accounts.

So, with the focus from malicious actors shifting to call centres and customer support, what can an organisation do? Below are 5 CISO tips to increase the security posture of your call centres, from Chief Information Security Officer Nathaniel Cole.

Email security

Generic inboxes that forward messages into tools like Salesforce or other CRMs are a weak point for many organisations. Once the email has been passed from your Exchange server to the CRM tool, it is outside the control of your built-in phishing, malware, and spam detection tools. As such, you need to train your teams to understand that emails arriving in the CRM tool or the customer queue are not always sanitised or safe.

General best practices for email security still need to be followed.

Further, you may need to set up an out-of-band process for triaging and remediating these emails in your CRM tool. Look for a partner that can provide additional layers of security for your email system. This, in turn, will help you be more proactive in detecting and removing malicious emails.
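As an added illustration of the out-of-band triage step (this is example code written for this article, not a vendor's product), the script below runs a few defensive heuristics over tickets that reached a CRM queue by email: risky attachment types, link text that shows one domain while the href points at another, and a "Support" display name arriving from an external domain. The ticket records, domains and field names are constructed assumptions.

```python
"""Triage heuristics for email that reached a CRM queue via a shared inbox.

Constructed example: the tickets, domains and field names are invented.
"""
import re
from urllib.parse import urlparse

RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "lnk", "iso", "img", "bat", "cmd", "msi"}
INTERNAL_DOMAINS = {"example-support.test"}  # assumption: your own mail domains

# Matches <a href="...">text</a> in the HTML body the CRM stored for the ticket.
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}", re.I)


def _domain(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def triage_ticket(ticket: dict) -> list[str]:
    """Return the reasons (possibly none) why a ticket needs a human to look before acting."""
    findings = []
    sender_domain = ticket["from"].rsplit("@", 1)[-1].lower()
    # 1. Display name claims to be support, but the mail did not come from our domains.
    if "support" in ticket.get("display_name", "").lower() and sender_domain not in INTERNAL_DOMAINS:
        findings.append(f"display name impersonates support from external domain {sender_domain}")
    # 2. Risky attachment types, including double extensions such as invoice.pdf.exe.
    for name in ticket.get("attachments", []):
        if name.rsplit(".", 1)[-1].lower() in RISKY_EXTENSIONS:
            findings.append(f"risky attachment {name}")
    # 3. Link text shows one domain while the href goes somewhere else.
    for href, text in LINK_RE.findall(ticket.get("body_html", "")):
        shown = DOMAIN_IN_TEXT_RE.search(text)
        if shown and shown.group(0).lower() != _domain(href):
            findings.append(f"link text {shown.group(0)} hides {_domain(href)}")
    return findings


def triage_queue(tickets: list[dict]) -> dict[str, list[str]]:
    """Map ticket id -> findings for a whole queue export."""
    return {t["id"]: triage_ticket(t) for t in tickets}


SAMPLE_TICKETS = [  # constructed sample data
    {"id": "T-1", "from": "jane@customer.test", "display_name": "Jane Doe", "attachments": ["receipt.pdf"],
     "body_html": '<a href="https://portal.example-support.test/order/123">portal.example-support.test</a>'},
    {"id": "T-2", "from": "billing@invoice-mailer.test", "display_name": "Customer Support",
     "attachments": ["invoice.pdf.exe"], "body_html": "Please open the attached invoice."},
    {"id": "T-3", "from": "noreply@promo.test", "display_name": "Bob",
     "body_html": '<a href="http://login.evil.test/reset">https://portal.example-support.test/reset</a>'},
]
```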

VLAN isolation

Having your call centre operate on an isolated VLAN with limited access to systems and assets is another great approach. This provides a two-fold benefit for your organisation.

First, it limits the access that a malicious actor could have if they were successful in phishing or social engineering.

Second, if you take brand label credit cards, it limits the scope for your PCI audit to that VLAN. In fact, if you are going to allow customer support to take brand label cards, you should limit it to a smaller set of people and have them on a smaller VLAN. This further shrinks the scope and cost of your PCI DSS audit.

SSO integration

Much like VLAN isolation, SSO integration serves two purposes for your organisation.

First, it will enhance and improve the workflow for the call centre. Having a single set of credentials that can access multiple systems means fewer password changes, password entries, and less password reuse. In fact, many SSO-capable solutions reduce the total number of authentication prompts a user sees, because they manage multiple authentications through session management.

Secondly, SSO integration will give your security team a single point to review user activity, to detect anomalous behaviour, and to quickly remove access. The more systems that use the same identity management system, the more efficient logging and behaviour analysis become. Further, when a user leaves the organisation, it streamlines account disablement to a single source rather than to disparate systems.
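To show what that single review point buys you, here is an added example (written for this article, not any identity provider's own tooling) that runs three checks over one constructed SSO audit export: a successful login from a country the user has not used before, a success preceded by a burst of failures, and a leaver whose identity still signs in after their leave date. The event format, user names and HR leaver feed are assumptions.

```python
"""Review SSO audit events from a single identity provider for anomalies.

Constructed example: the events, users and leave dates below are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, user, app, result, country):
    """Assumed event shape: one record per authentication attempt, as an IdP might export it."""
    return {"ts": ts, "user": user, "app": app, "result": result, "country": country}


EVENTS = [  # constructed sample export, ISO timestamps sort correctly as strings
    ev("2024-03-04T08:01:00", "agent1", "crm", "success", "GB"),
    ev("2024-03-04T09:00:00", "agent1", "ticketing", "success", "GB"),
    ev("2024-03-04T11:30:00", "agent1", "crm", "success", "BR"),  # first login from a new country
    *[ev(f"2024-03-04T12:0{i}:00", "agent2", "crm", "failure", "GB") for i in range(5)],
    ev("2024-03-04T12:05:00", "agent2", "crm", "success", "GB"),  # success right after 5 failures
    ev("2024-03-05T10:00:00", "agent3", "crm", "success", "GB"),  # agent3 left on 1 March
]
LEAVERS = {"agent3": datetime(2024, 3, 1)}  # assumption: HR feed of leave dates


def parse(ts):
    return datetime.fromisoformat(ts)


def new_country_logins(events):
    """Flag a successful login from a country not previously seen for that user in the export."""
    seen, findings = defaultdict(set), []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "success":
            continue
        if seen[e["user"]] and e["country"] not in seen[e["user"]]:
            findings.append((e["user"], e["country"], e["ts"]))
        seen[e["user"]].add(e["country"])
    return findings


def failures_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a success preceded by at least `threshold` failures for the same user inside `window`."""
    by_user, findings = defaultdict(list), []
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["result"] != "success":
                continue
            t = parse(e["ts"])
            fails = sum(1 for p in evs[:i] if p["result"] == "failure" and t - parse(p["ts"]) <= window)
            if fails >= threshold:
                findings.append((user, fails, e["ts"]))
    return findings


def leavers_still_active(events, leavers):
    """Any success after the leave date means disablement at the single source did not happen."""
    return sorted({(e["user"], e["ts"]) for e in events
                   if e["user"] in leavers and e["result"] == "success" and parse(e["ts"]) > leavers[e["user"]]})
```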

Remove local admin

How often do your call centre employees really need to install software? How critical is it to providing quality support to your customers? Odds are that removing local admin rights will not be a big impact for your organisation.

To lower the impact of not being able to install software or change system configuration, your organisation can implement a curated list of approved software that can be installed (via a tool or self-service portal) by end users. Your call centre teams likely only need a few applications installed on the endpoint.

The largest benefit of removing local admin is that local admin rights are a common exploitation path in the attack chain. Malicious actors look to use local admin rights to extend their access and establish a foothold on your network. Without that entry point, you eliminate many attacks.

Automated payment card system

The final recommendation is to use a self-service web, chat, or phone-based payment system. This not only limits scope for PCI DSS, but it also eliminates the risk of having helpful call centre employees taking card details over the phone.

The chances that numbers will be written down or added to notepads on the desktop are eliminated. Smooth payment systems are extremely common these days, and most customers will have no issues with making payments in this manner.

CISO tips and final thoughts

With increasing attacks on call centres and customer support, it is important to keep sight of the risk that cybercriminals can introduce to the organisation through your customer facing teams.

While this article says top 5 CISO tips, I cannot help but add one final item. Quality security awareness training and phishing training is critical for your call centres. Ensure that everyone understands their role in, and the importance of, operating a security program across the enterprise.

As you look at your security program, continue to evaluate and assess the current threats to your organisation so that you can properly implement security controls. Many other tips could be given; these are just the top 5 from a CISO’s toolbox. They are meant to help limit scope in audits, reduce risk, and eliminate the impact of breaches or incidents by shrinking the attack surface of your organisation.

Author bio:

Nathaniel Cole is a Chief Information Security Officer with more than 15 years’ experience building & operating modern security programs. He writes a cybersecurity advice column for businesses at Network Assured.