Six security features your work from home agents can’t live without

Spoken | August 9, 2016

Reality check: how secure are your work from home agents?

Recently, an article in the New York Times Technology section warned that work-from-home employees were providing an open door for hackers, which in turn can put private customer data at risk. Nicole Perlroth wrote in the NYT that remote access systems used by telecommuters over the open Internet were a vulnerability exploited by hackers, who deploy software to hack remote credentials.

What does this mean for the call center cloud and remote agents who log in using a remote desktop and softphone? Can a client be assured that work-from-home agents have all the security that a brick-and-mortar call center would provide?

What to look for in cloud call center provider security

In short, the answer is a firm yes. In fact, many cloud contact center providers that support work-from-home agents provide a higher level of security than is traditionally implemented for brick-and-mortar call centers. If you have remote agents or are considering a work-from-home initiative, just be sure that the following safeguards are in place:

  1. PCI compliance: The Payment Card Industry (PCI) has developed a set of strict and detailed industry standards for data security. The best way to ensure data privacy and security is to use a cloud provider whose data centers are 100% PCI Level One compliant. PCI compliance entails a host of security requirements, including internal and external quarterly scans, internal and external penetration testing to explore vulnerabilities in the network, and yearly security awareness training for all team members. Additionally, rather than hosting all data in one corporate location, dispersing data over at least two PCI-compliant data centers heightens security and reduces risk.
  2. Two-factor authentication: Two-factor authentication provides the most secure means of identifying a remote user by combining two different elements in order to log in to a system. Typically, one element is something the user knows (such as a password or PIN) and the second element is something the user possesses (a token or card). While a password can be guessed or hacked (see #3 for ways to prevent this), the possessed element or token is usually something tied to the user’s location that cannot be easily replicated. For example, Spoken uses WikID with a secure token that is generated by the user’s machine and is only valid for 60 seconds. Additionally, it’s a good idea to lock out any user who fails authentication after three attempts, to prevent hackers from using high-speed software to guess at passwords.
  3. Secure password requirements: Most people know that the most common passwords are “password” and “12345”; you don’t have to be a hacker to guess those! For the highest level of security, make sure your cloud provider requires a secure password for remote agent login. (This is required for PCI compliance.) A password should contain at least one capital letter, one number and one special character (such as *, @ or $), and be at least 8 characters long.
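The login rules from items 2 and 3 (password policy, a one-time code that expires after 60 seconds, lockout after three failed attempts), implemented as an added Python example; it is not Spoken's or WikID's code. The names `LoginGate`, `password_meets_policy` and `one_time_code` are hypothetical, the generic HMAC time-window code is a stand-in for the token and does not reproduce WikID's protocol, and PBKDF2 password storage is an assumption.

```python
import hashlib
import hmac
import re
import struct

MAX_FAILURES = 3    # lock the account after three failed logins (item 2)
TOKEN_WINDOW = 60   # one-time code lifetime in seconds (item 2)
SPECIAL = re.compile(r"[^A-Za-z0-9\s]")

def password_meets_policy(pw):
    """Item 3: 8+ characters with a capital letter, a number and a special character."""
    return (len(pw) >= 8 and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and bool(SPECIAL.search(pw)))

def hash_password(pw, salt):
    # Assumption: passwords are stored as salted PBKDF2 hashes, never in clear.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def one_time_code(secret, now):
    """Generic HMAC code that changes every 60 s (stand-in, not WikID's protocol)."""
    window = struct.pack(">Q", int(now // TOKEN_WINDOW))
    digest = hmac.new(secret, window, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

class LoginGate:
    def __init__(self):
        self.users = {}      # name -> (salt, password hash, token secret)
        self.failures = {}   # name -> consecutive failed attempts

    def enroll(self, name, pw, salt, secret):
        if not password_meets_policy(pw):
            raise ValueError("password does not meet policy")
        self.users[name] = (salt, hash_password(pw, salt), secret)
        self.failures[name] = 0

    def login(self, name, pw, code, now):
        if name not in self.users:
            return "denied"
        if self.failures[name] >= MAX_FAILURES:
            return "locked"   # stays locked until an administrator resets it
        salt, pw_hash, secret = self.users[name]
        # Both factors are always checked, using constant-time comparisons.
        pw_ok = hmac.compare_digest(hash_password(pw, salt), pw_hash)
        expected = one_time_code(secret, now).encode()
        code_ok = hmac.compare_digest(code.encode(), expected)
        if pw_ok and code_ok:
            self.failures[name] = 0
            return "ok"
        self.failures[name] += 1
        return "locked" if self.failures[name] >= MAX_FAILURES else "denied"
```

Once the counter reaches three, even a correct password and a fresh code return `locked`, so high-speed guessing gets exactly three tries per account.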

Unique contact center security challenges

Those three requirements are an excellent basis for ensuring secure remote agent access to the contact center. However, the contact center poses additional, unique challenges for security: what about call recording, remote agent desktops and live agent interactions involving taking down a payment card number? Skimming, or taking payment card information during otherwise legitimate transactions, can be a danger on live calls, in unencrypted call recordings and for work-from-home agents using a remote desktop.

To prevent skimming, consider cloud-based tools designed to keep the entire agent interaction secure:

  • For live calls: Since any information taken by a live agent cannot be considered secure, consider using an automated Interactive Voice Response (IVR) system designed to securely capture credit card information. The Spoken Secure IVR, for example, is an automated system that takes caller information in a PCI-compliant manner; the payment card number, expiration date and other information are never seen or heard by the agent, who simply receives a confirmation number noting that the system did receive a valid payment input.
  • For recorded calls: First, verify that your provider encrypts all call recordings. Second, inquire whether the call recordings are encrypted during the live call or only once they reach the data center after the call is completed. For the highest level of security, select a cloud provider that offers on-the-fly call encryption, which secures live calls with at least AES 256-bit encryption to ensure that no malicious hacker will be able to capture information from either a live or a stored call recording. There should never be a single moment when the recording is unencrypted throughout the entire life cycle of the call, from dialing to storage to playback.
  • For agent desktop: Remote desktops for work-from-home agents are a considerable convenience, but they can pose a risk if additional security measures are not implemented. In addition to requiring two-factor authentication for login, consider implementing desktop lockdown features, such as blocking the agents’ local desktop access while logged on to the remote desktop, blocking harmful key combinations (such as Print Screen) and blocking cutting and pasting onto the local desktop.

While it’s wise to remember that no solution will ever be 100% secure and that, as Vincent Berq of FlowTraq says in the original NYT article, “the weakest link in the information chain is the human that sits on the end,” these precautions can help ensure that your work-from-home agents will not be easy targets for hackers.