Here’s a handy checklist to keep operations and member data secure
IT security is complex, and this is particularly true for your credit union’s contact center. To demystify it, we’ve created this security best practices checklist to help strengthen credit union and member data security and privacy.
For every credit union, security is an omnipresent challenge. Insufficiently addressing security leads to serious consequences like:
- Breaches that impact reputations
- Downtime that impedes member experience
- Diminished agent experience and higher turnover
- High legal fees and penalties that hit the bottom line
- Lost members and revenue
Your Contact Center Agent Security Checklist
Great cybersecurity includes people—including on-premises and remote agents, processes and technology. It also covers what is expected from CCaaS partners in this regard.
- Create a well-documented security policy. Make sure it covers role-based access, including sensitive member data, email and communications, remote access and device use, encryption, and privacy.
- Practice agent endpoint security basics. Require the use of credit union-provided laptops. Keep agent computer operating systems and software updated. Also make sure agents maintain and change strong passwords. Ensure they use up-to-date antivirus software; provide them with split-tunneling virtual private networks for access to internal corporate resources.
- Train contact center supervisors and agents on good security behaviors. Regularly train your team on good security practices, such as never opening unsolicited emails or attachments or clicking links.
- Offer self-service via interactive voice response. Collect sensitive data, like member account numbers or Social Security numbers by prompting a member to press a phone keypad number to input data.
- Use dual-tone multi-frequency masking. Protect sensitive member data by using a technology that allows members to enter personally identifiable information via phone keypads to eliminate the possibility of being heard by an agent or recorded.
- Implement and enforce role-based access controls. Limit who gets access to sensitive data. Know why it’s needed by a particular person, which endpoints each agent is authorized to access, and which devices interact with which applications.
- Enforce agent use of multi-factor authentication. Prevent theft of agent access credentials by using one-time passwords or voice prints, or authenticating agent identities via email or text to a mobile phone.
- Monitor file-sharing settings to prevent unauthorized or inadvertent sharing. Use technology that allows supervisors and IT to see data or files shared to other users or members via email, text or social channels.
Your Cloud Contact Center Partner Security Checklist
This checklist contains essentials every credit union should demand from their cloud contact center partner or seek in a future partner.
- Easy integration with your identity or single sign-on provider. Your CCaaS provider should have native integrations to solutions like Active Directory, Okta, Sailpoint or any authentication provider you use.
- Extensive use of encryption from the agent browser for data that’s in transit and stored. Your agents should use secure, encrypted browser sessions that support TLS1.2 for session lockdown and DTLS-SRTP for calls delivered into agent browsers. Data in-transit and at rest should be encrypted as well, including all member interactions, credit card or personally identifiable information. Encrypt and store call detail record data, as well as recordings on choice of shared or dedicated storage drives.
- Strong infrastructure security. You should expect your CCaaS provider to continuously monitor the perimeter with state-of-the-art firewalls and intrusion protection/intrusion detection devices. They should protect server clusters with anti-virus scans for vulnerabilities. If any are detected, they should be remediated as severity level dictates. They should also conduct regular, independent external penetration testing to proactively identify security weaknesses.
- Detailed logs and audit trails. Your cloud contact provider should continuously log all changes by time, date and user, and provide audit trails to know who made what change to what application, so you can quickly and inexpensively prove compliance.
- Up-to-date compliance certifications. Your cloud contact center should comply with major regulatory and standards bodies including ISO 22301 for business continuity, ISO 27701 for privacy, PCI DSS v3.2.1 Level 1 Service Provider for secure payments, as well as Cyber Essentials Plus and SOC 2 Type 2 for cloud security.
- Strict backup and disaster recovery processes. You should ensure that your cloud contact center makes differential backups every five minutes and full backups every 30 days, plus stores them for resilience. Furthermore, they should use backup/DR services from a well-known vendor and test them according to policy.
- Contact center services built on private cloud infrastructure. You should make sure your CCaaS solution is not hosted on third-party infrastructure like AWS because it puts yet another company between you and your members’ security and performance. Why? complete control belongs to the third party—not you.
Trust Your Security to a CCaaS Built on its Own Infrastructure
If you follow these 15 security essentials, both your members and your credit union will thrive. But especially go with a CCaaS that hosts on its own private infrastructure in its own data centers around the world. When you do so, you will be assured of higher performance, but you can also speak directly to the team that helps provide your members with a secure, high-quality member experience.
Andrew Casson is a longtime network engineer and telecommunications and contact center architect. He’s currently a VP for CUESolutions provider Content Guru, Campbell, California, maker of the highly-acclaimed storm®, an all-in-one contact center-as-a-service solution with industry-leading functionality, performance, reliability and flexibility.