Call-centers can't protect your data from own employees | InfoWatch

You are here

Call-centers can't protect your data from own employees

The on-going widespread of call/contact-centers in Russia scares Russian and foreign experts on information security. In their opinion, a lot of Russian clients and solution distributors do not give enough consideration to information security, while the main threat of the security comes from unfair employees.

Dangerous precedents

In developed countries, where the idea of call/contact-centers is widespread, centers being hacked is not such a rare case, although such incidents are usually kept in the dark. Sometimes, however, such data theft cases leak into the press. Amongst the latest examples of data theft, was a company called Seisint, which was robbed of information about 32 000 people, including their names, addresses, SIN numbers and drivers licenses. Around the same time, Retail Ventures declared a theft of its database, which included credit card numbers and other financial data.

Despite the sad worldwide experiences, information security continues to be neglected in Russian call-centers. A search for “call-contact-center security", "hacking of call/contact-center" or “attack on call/contact-center" in Russian search engines does not return any results, while a search for “call center security" in the English part of the Web returns around 700 hits.

The bad protection of operation centers is partly explained by the centers' owners' urges to minimize service call expenses, which does not only result in a high “leakage" of the operators, but a decrease in call/contact-center reliability and connected infrastructure.


According to Dmitri Kuzin, the head of Russian representation of Radware, solutions to the problems of the security of such services must be composed of two parts: first of all, a well-defined and thought-out work with the personnel, and second of all, providing network (information) security. “The goals of the personnel work are responsibility zones of the human resources department and the security department,- said Mr. Kuzin. — Personnel work is a complicated process, but a clear network security policy setup is also important. In this conception, “just an inter-network screen" and “intrusion detection system" are not going to help. This requires a more complex system, which will not only detect, but can also block malicious data in real-time".

Mr. Kuzin emphasizes that any operating system has criticalities of various levels, but such problems cannot be solved quickly on the OS level. This causes the necessity of the use of additional intrusion prevention systems, such as DefensePro, which allows to shorten in reaction time for vulnerabilities by using special content filters. The filtration database can be updated via the central control system, and includes signatures of more than 1 500 known attacks, such as various scanning methods and complexes, abnormal traffic attacks, and also worms and trojans.

“It is well-known that for every new defense mechanism created, a new way of hacking that defense is found, so the intrusion protection system should be an incredibly versatile instrument , with the capability to filter 98% of malicious “garbage", which has to be setup according to each specific task. - said Mr. Kuzin. – A versatile functional, similar to DefensePro, is found in all Radware products. Only the use of a complex approach to solutions of security problems helps in achieving the best results".

According to Alexei Lukatski, the business development manager of Cisco Systems in Russia and CIS, call/contact-centers today do not have enough protection for the clients' personal data. He believes that the call processing center is not the only thing in need of informational protection, all of the connected infrastructure, which is an essential part of it, requires the same. Mr. Lukatski states that Cisco Systems products' users do not necessarily need additional information protection, since it is already incorporated in the already existing elements, which have the required programming modules installed. He was talking about such IP-infrastructure installments of call/contact-centers (IPCC) as CallManager, IVR, ICM, IP-telephones, executable files, etc.

Mr. Lukatski did not agree with the idea that Windows 200 Server, the OS that IPCC CallManager is based on, is unsatisfactory from the security perspective. In this area, Windows is no different than Mac OS, UNIX, Linux, etc.; its security only depends on the qualifications of the system administrator. Mr. Lukatski also stated that CallManager environment is not a standard Windows 2000 Server distribution kit, it is a special, extended and specially protected environment, which, obviously needs to be updated from time to time.

CallManager has special software installed (Cisco Security Agent), which is designed to protect the device from hacker attacks and stops the information leaks via USB and other peripheral devices (CD/DVD drives, PCMCIA slots, etc.). The reliability of the solutions can be increased by using widespread Russian antivirus programs. Inter-network screens and special attack prevention systems can also be useful.

Vyacheslav Atamanov, the assistant general director of NAUMEN, however, thinks that with proper interactions with the databases and executable files, the call/contact-centers do not bring additional vulnerability to the system. In his opinion, one of the main threats to the security is applications that work with the databases, because those applications use authentifying information. The potential danger exists during the call to the operator, when the call-center can show some information from the CRM, on the registration stage, what sometimes happens is that the password information is saved in some intermediate software. The highest danger, in the opinion of Mr. Atamanov, is in the uncontrolled and unsanctioned distribution of the confidential information about the clients.

Alexandra Samolubova, the product manager of CRM Solutions, the Russian representation of Avaya, thinks that during the outsourcing of the operator center it is necessary to provide data safety both about clients of the client-company and about call characteristics, which were processed by the center operators. The risk of information leaks is proportional to the number of the center's employees who have access to it, and with the reduction of the amount of such people, the probability of leaks will decrease as well.

“About 400 authorized users can access the reference frame of Avaya CMS, but each user has his own password, which only allows him to perform a certain set of operations, - tells us ms. Samolubova, - this is why the supervisor of the operator group that processes the calls, which arrive for a certain client, will only see the data for that client".

In the “Svetetz" contact-center, the integration with the OS security system is used for solving security issues, and certified crypto-providers are used to encode personal data in the database. The keys are placed on alienable media (smart-cards, tokens, etc.); when client applications are connected to the databases, secure connections (SSL) are used. The system fixates the users' roles and the authorities of those roles, keeps logs of all the personnel actions, so they can be audited after.

The three pillars of security

Pavel Teplov, the director-general of FORTAX , thinks that only a complex approach can provide security. He distinguishes three security guarantees in an outsourcing call-center: networking, informational and organizational.

To insure network security, in his opinion, it is necessary to differentiate access rules on the “metal" level (connection channels, phone station, call and IVR distribution systems, auxiliary servers). Informational security is ensured by differentiating access to applications and data contained within. For example, the operators can only access the information they need for working with calls; the supervisors must be able to access the log files, which let them control the effectiveness index on the project in their group, and managers should be able to access the parts of information that is determined by interacting with the client.

Foreign expert's opinion

John Von Achen, the founder and president of SaleSolutions, expressed his opinion on the topic when he was asked by CNews.

“Yes, this problem exists, and it is a very serious one. – he said, - because the clientele database is by far, the most important of the company assets. You cannot economize on providing informational security".

After working in Russia for 12 years, this American is still shocked about certain things in this country, such as the fact that almost anyone can purchase cellular phone operators' clientele databases or the tax police information on CDs for virtually no money.

The term “organizational security" includes providing security on the “human factor" level. Mr. Teplov explains that it can be realized by controlling the realization of official instructions by the outsourcing call-center's personnel. In particular, this includes using hardware means of controlling personnel actions on the project, regulations regarding creation and storage of project documents, internal security audit of the call-center and independent audit of the client. It is also necessary, in Mr. Teplov's opinion, to establish personal responsibility of each employee on the legal level.

A group of experts says that the “organizational term" is the most important one in prevention information leakage from call processing centers. According to Valeri Tarasov, project leader of Adventus-M, this way, client databases can be protected to such an extent that unauthorized access will not be worth the content of the information. In most of the cases, information leaks are caused by the employees that have access to it.

Mr. Tarasov suggests checking call-center work quality and its decency towards the use of clients' databases by using “bookmarks" — entries with coordinates of the people that inform the information's owner about the use of it with inadequate applications. He also mentioned that the risk of information leaks will exists as long as the information will be handled by third-party persons.

Alexander Uchenov, development director of Infra Telesystems, agrees with the idea that the main threat for informational security comes from the inside, that is, from ill-minded employees. “The transmission of the client database to an outsourcer by the company can raise the risk of “leak" of the base, because the company has a lot less control of the outsourcer's personnel", — he says. The situation gets worse, because thanks to a existing mentality, sending the confidential data to the call center is rarely supported by a signing of official documents.

In Mr. Uchenov's opinion, the external threats are not that much of an issue as long as the call-center performs the standard information security measures with its network and informational resources. He believes that the call-center's informational security is ensured with mostly effective control of the center, and, only after that, the technologies.

The opinions regarding information security questions in the Russian integrator-company CROC tend to lean towards the complex approach. According to its employees, it is important to not only demarcate information and application access rights, it is also necessary to ensure physical security, such as operators' workplace security. Also, to minimize risks, associated with CRM-solution information security, system integrators often offer a complex solutions form two different companies, such as Oracle Interaction Center (based on Oracle E-Business Suite) and Cisco IPCC or Avaya AIC/CCE.

In research institute “Protei" they think that informational security of call-contact centers should be looked at on two levels. First of all, it is necessary to estimate the possibility of unauthorized access to the LAN, which includes functional servers and databases. Second of all, it is necessary to control the competence and conscience of the personnel of the call-center, which is usually a much more complicated and important task.