Contact Center Security Best Practices for Leaders to Consider | Blog

The expanded remote work environment post-pandemic and increasingly sophisticated security threats have compelled organizations to increase their focus on protecting contact center data. Learn how to build a holistic framework of best practices for technology, the business, and agents to shape contact center security in this blog.

Securing the landmine of customer data – from credit card numbers to health records – that reside in contact centers is a top concern for all businesses, particularly outsourced customer support. Data breaches can have serious financial, reputational, and legal consequences.

As new security threats constantly emerge and regulations change, strengthening contact center security is like aiming at a moving target. Now with the increase in remote work and more intricate ways to compromise data, this challenge has become more critical than ever. Let’s explore how it can be tackled.

Contact center security focus areas

Organizations should implement many different types of contact center security best practices related to the following three areas:

  • Technology – Ensuring the organization’s devices, including bring-your-own-devices (BYODs), are up to date with the latest security systems, software patches, and firewalls. Companies also should have technology contingency plans for legacy systems that can’t be replaced
  • Business – Establishing the organization has clear control and governance over its security standards and effective policies, especially in the face of ever-changing security requirements and newly emerging malware attacks and cybersecurity threats
  • Agents – Providing training and monitoring of both full-time human agents and gig workers who work in the office as well as remotely

Delivery models

Contact center security protocols can vary based on the delivery model. The complexity has increased as contact centers have evolved from entirely brick-and- mortar-driven service delivery to remote service delivery with Work at Home Agents (WAHA) and BYODs, which allow agents to choose their work location and use their own devices to conduct work.

As organizations move from working at offices to remote locations, contact center leaders need to be more vigilant to keep customer data safe. While the WAHA and BYOD models bring more operational agility to the workforce, they add heightened security concerns around endpoint safety management and agent monitoring.

The below graphic illustrates how the complexity increases with the newer work models:


Illustration 1: Everest Group

BYOD security

Defining a BYOD security policy is critical to maintaining company security. Stakeholders from different departments are key to the policy planning process and bring important input. Leadership, human resources, finance, IT operations, and the security team should be part of a BYOD project management team and be asked to contribute to policy development.

Security patches

Failing to routinely update machines with the most updated security patches is one of the biggest cybersecurity risks. Often this failure is simply due to not having enough IT resources. Even with in-center deployments, manually patching each device is a huge drain on time and resources. This challenge is further complicated in a remote/hybrid working environment where the device is off-site.

The patching process is a key part of vulnerability management. By employing best practices that expose any conflicts with existing systems configurations on which the patch is being installed, potential downtime can be avoided. For organizations with tens of thousands of network endpoints, remote patch management offers greater control over potential vulnerabilities caused by outdated patch versions, wherever they may be located on the network. This help ensures the threat is resolved as quickly as possible.

An automated patch deployment feature gives system administrators the ability to deploy patches missing in their network computers automatically without requiring manual intervention. While automated patch rollouts seem like a no-brainer for WFH and BYOD models, they also must be considered for in-center models to reduce the resource strain on the organization’s IT department.

Identifying the most critical security issues and software updates requires strong asset and software inventory management, which can be achieved using an automated patch management tool.

After that, creating a dedicated remote patch testing environment identical to the production system (using virtualization) can help run “smoke tests” to ensure behaviors/programs do not fail before moving to production. Alternatively, an initial test can be applied to less critical systems and expanded if they perform as expected. Even with a thorough patch testing program, organizations should have a contingency and rollback plan in case something goes wrong so systems can be restored to their pre-patched state.

While most security practices are agnostic of the model in which operations are run, WFH and BYOD models require an additional layer of security considerations to stay clear of any potential cybersecurity threats.

Holistic framework

Contact center leaders must look at a holistic framework of technology, business, and agent best practices to shape their security organization. The below table encapsulates some of the strategies leaders should consider:

  In-center model WFH Model BYOD model
Technology related
  • Encrypt data including voice transactions using encryption layers such as Secure Sockets Layer (SSL) and Transport Layer Security (TSL)
  • Build a secure network infrastructure by implementing firewalls that monitor network traffic, using VPNs, anti-virus softwares, and password management software
  • Update technology by installing software patches and eliminating legacy systems
  • Regularly test and monitor networks using penetration testing tools, vulnerability scanning softwares and alert systems that can notify suspicious activity in real time
  • Consider role-based access that allows for gradually increasing employee access based on trust and their position within the company
  • Encourage use of secure cloud services (such as office 365) to store data
  • Conduct mandatory backups using mobile device management (MDM)/enterprise mobility management systems (EMM) to manage devices while also separating corporate from personal data
  • Consider PII redaction that uses speech analytics technology to prevent sensitive cardholder data from being recorded; automatically mute call recording when account numbers, security codes, and other sensitive information is spoken
  • Offer containerization in conjunction with or paired with MDM solutions. This method can segregate part of a device into its own protected bubble, protected by a separate password and regulated by a separate set of policies
  • Use endpoint validation and centralized endpoint management to ensure that applications, antivirus, and operating systems of endpoint devices are up-to-date. Endpoint management should be coupled with location awareness to dynamically adapt to a remote end user’s permission, based on centrally defined policies as well as the local network’s established security level
Business related
  • Develop an information security policy by working with the IT department to identify which technologies and procedures need to be implemented for the IS policy to work as intended and ensuring every employee is aware of their responsibilities
  • Adhere to common security frameworks such as IST 27001, NIST 800-53, and COBIT. Identify which framework is most relevant to your contact center and then map out the strict security controls required by the framework and implement them
  • Develop WFH cybersecurity standards including multi-factor authentication and firewalls
  • Manage devices that remote agents use to ensure that password and screen lockout policies are followed; security and other updates occur in a timely manner; and companies can perform forensics and place data under legal hold if needed
  • Define a clear service policy for devices under BYOD that covers the support IT representatives will provide for broken devices as well as  support for applications installed on personal devices
  • Determine what apps will be allowed and banned (whitelisting and blacklisting)
  • Set up an employee exit strategy that addresses how the company will enforce the removal of access tokens, e-mail access, data and other proprietary applications and information
Agent related
  • Train agents to be “human firewalls” when it comes to security. More frequent training sessions will keep security and privacy top of mind and also create more opportunities for companies to check in with remote agents and keep them engaged
  • Monitor agent activity regularly and have policies that restrict access to certain data recognizing that agents may pose a risk to the center if they have access to sensitive information and become disgruntled
  • Safeguard against employees mistakenly clicking on links or opening files that they shouldn’t, leading to the installation of malware or data theft. Have strong password protection and use security software that restricts the unintentional or intentional downloading of malware, copying or deleting data, or accessing programs or websites that have not been vetted by the IT department
  • Ensure temporary/gig workers that are hired to handle peak volumes or cover for sick employees are trained on the center’s policies and procedures

Illustration 2: Everest Group

As infrastructure and networks grow in size and complexity, manually managing security and compliance checklists has become increasingly difficult.

Manual operations can result in slower issue detection and remediation, resource configuration errors, and inconsistent policy application, leaving systems vulnerable to compliance issues and attacks. Automating security update rollouts can help prevent unplanned and expensive downtime and improve functionality.

This approach needs to be complemented with good governance of the security landscape, ensuring the contact center is following the latest security frameworks based on their industry. Finally, organizations need to train agents on these standards and track and monitor their devices in real-time to ensure no security gaps exist that potential cybercriminals can leverage.

To discuss contact center security solutions in more detail, please reach out to [email protected] or [email protected].

Learn more about cybersecurity, incident detection, investigation, and response in our blog, “Is Managed Detection and Response (MDR) the Holy Grail for Cybersecurity Services?

Subscribe to our monthly newsletter to get the latest expert insights and research.

How can we engage?

Please let us know how we can help you on your journey.

Contact Us

"*" indicates required fields

Please review our Privacy Notice and check the box below to consent to the use of Personal Data that you provide.