Making contact centres sustainable cybersecurity ecosystems

All companies involved in customer contact, call centres in particular, analyse huge quantities of data whose management and security are of crucial importance. Managing these data, ensuring their governance and mapping the risks to which they’re exposed in order to better prepare for them is the daily responsibility of cybersecurity professionals in such companies.

Ensuring data integrity, confidentiality, continuity and traceability requires implementation of adequate security systems, along with optimal awareness-raising among and training of staff – in particular in an often multisite environment.

So how do you combine human and technological factors in order to make cybersecurity a priority at all levels? An analysis by Vincent Dupont, CISO at Armatis.

Isolate and certify ecosystems

As service providers, contact centres are often less subject to direct attacks than the major brands they work for. The risks are real nonetheless, and adequate technologies must be implemented in order to counter them.

First of all, it’s essential to ensure that data ecosystems are isolated. This is done by implementation of such classical but robust defence systems as antiviruses, firewalls and vulnerability scans – the goal being to detect threats quickly and limit the “door effect”, where a compromised environment may enable an attacker to penetrate other sectors.

In parallel, risk analyses must be carried out for all activities. These are especially important in the context of onboarding clients, as they enable identification of vulnerabilities and gaps in current security policies and systems. Risk mapping during onboarding is also necessary in order to assist companies that are less “at home” with regard to cybersecurity, better anticipate their needs and help them get up to speed. Analysis is carried out concomitantly on each employee activity involved in the customer service.

There are several standards and certifications attesting to data system security, in particular ISO 27001 certification, an international reference standard for setup of an Information Security Management System (ISMS), testifying to the existence of data management procedures and processes to identify cyberthreats, control related risks, and implement appropriate protection measures so as to ensure data confidentiality, availability and integrity. Integrating such standards into the company’s activities ensures that a specific framework exists for data management and security, meeting its clients’ and partners’ expectations and requirements.

Although brands assess service providers on their security and the existence of such standards, certification is nonetheless not an end in itself, and sustainability of an ecosystem’s security is based on the ability to create interconnected environments within which all actors are made aware of the risks and are able to anticipate them.

Make security central to corporate culture

Any security system must be supported by strong, cohesive in-house security policies. Although protection strategies and technologies are essential, they must be coupled with real efforts to raise awareness and share information, with the aim of making data security and protection central to the company’s culture.

There are two watchwords in this regard: collaboration and training.

On the employee side, the aim is to improve knowledge and create reflexes vis-à-vis identified risks.

On the end-user side, the priority concern is raising awareness of these risks, through the employees themselves.

This involves close collaboration between all teams: human resources, training, management, security, internal and external communication, and operations must all be involved in the processes in order to ensure their effectiveness and homogeneity.

In the multisite environment typical of most customer contact companies, it’s also essential to “think global and act local”.

This must be achieved by investment in resources (e.g. training platforms and sessions) and setup of dedicated structures and teams on each site with a view to personalising awareness-raising actions during employee onboarding, disseminating information on risks and standards, and making sure that the necessary processes are all in place.

Global and local in-house communication also has an important role to play in ensuring visibility of the issues involved in security and maintaining all employees’ commitment in their regard. It can be reinforced by a corresponding strategy on the company’s social networks and digital platforms.

Making security a key component of corporate culture helps establish a stable framework within which all actors can evolve with confidence.

This is all the more important in a “just-in-time” context from a recruitment point of view: although it’s possible to alleviate matters through recourse to work-study apprenticeships and transferable profiles, it’s more than likely that companies will have to call upon external experts more often in order to meet their cybersecurity needs. If adequate systems are in place and security is a central concern, it will have no impact on continuity of activities.

So cybersecurity is everyone’s business! Threats to companies are increasing all the time, obliging them to act collectively internally and externally alike. As network security is more than ever essential to business continuity, all organisations have a duty to integrate a risk policy and culture in their business strategies.

Vincent Dupont, Information systems security manager, Armatis
