By Dave Waterson, CEO, SentryBay
Insurance and banking industry call centres, like organisations in every other sector, were forced into dramatic lockdowns in March thanks to the growing spread of the Covid-19 virus. The specific difficulty that many of them faced, however, was how to balance the safety of employees and support them working remotely, with a lack of access to secure systems that could connect them to customer files, policy documents, and payment processes.
It’s no secret that the insurance industry, in particular, was struggling with digital transformation pre-Covid and the legacy systems that still dominate the sector were, in most cases, simply unfit for migration to a remote model in such a short timeframe. This situation was further exacerbated, however, when it became obvious that in order to offer a claims service, staff and agents in many call centres would be receiving calls diverted to them on their mobile phones as they worked from home.
For industries that are immersed in handling personal data and financial transactions like insurance and banking, this presents two immediate issues – how to manage data securely, and how to ensure compliance.
Rise in cyber-crime
Security has been an important factor for most organisations over the past few months. Very few had time to provide secure laptops or dedicated tablets with security built-in for remote use. News headlines have attested to the resulting rise in cybercrime as malicious actors sought to take advantage of vulnerable technology once it was outside the protection of the corporate perimeter.
It is a fact that unprotected endpoint devices – laptops, home PCs and mobile phones included – are the weakest link in the security chain. According to a report published last year, 70 per cent of breaches originate at the endpoint, and 42 per cent of endpoints are unprotected at any given time. When it comes to smartphones, the danger has less to do with malware and more to do with data leakage, but however the breach happens, once a customer’s personal data is exposed, there are serious implications for those involved.
Meeting standards
For banking and insurance company call centres, the situation is further complicated by their obligations to meet the Payment Card Industry Data Security Standard (PCI DSS). This seeks to protect customer credit card data over landlines, mobile phones, chat and apps. Normally managed within the call centre estate, PCI DSS ensures that wherever agents are required to process cardholder data, the transactions are monitored, logged and secured.
Even under normal circumstances adherence to PCI DSS is sporadic, partly because of legacy technology, or conversely because organisations are adjusting to new cloud-based systems or are in the process of outsourcing their IT infrastructure. Any chink in the armour can see data lost in moments or websites and mobile apps hacked with devastating consequences. While PCI DSS is not enshrined in law, fines for non-compliance can still be considerable and since data breaches are commonly reported, there is the potential for serious brand and reputation damage that no insurance company would welcome.
The situation presented by Covid-19 therefore meant that compliance with PCI DSS, or indeed any other regulation, was made even more challenging, with the onus on financial service companies to supervise agents working from home to ensure they were handling and storing sensitive customer data appropriately, not least by using secure endpoints.
Five months on, many call centre agents still find themselves working from home. The appetite among both employees and managers for a full return to office buildings has waned along with the ongoing threat of infection. As a result, organisations are now in a position to properly address some of the issues over which they applied a metaphorical sticking plaster back in March, and securing workers’ endpoint devices is an important example.
What can they do?
Any smartphones, tablets, home PCs or laptops that are being used by agents to process and access customer data should have, at the very least, the same security posture as the managed devices that reside within the insurance company perimeter. This includes ensuring that SaaS applications are isolated or ‘containerised’ from the rest of the potentially compromised unmanaged machine or endpoint.
Standard anti-virus products will not do the trick. The particular vulnerability of endpoints means that solutions have to specifically protect data entry on BYOD and unmanaged devices, particularly into remote access apps like Citrix, VMWare, WVD, web browsers and Microsoft Office applications. Browsers that access the corporate network should be locked down, including URL whitelisting, enforced certificate checking and enforced https.
Whilst this sounds time consuming and expensive, in practice it is neither because no special configuration is required. Instead, a simple download and install from pre-configured software will deliver a far more effective and speedy resolution to the threat. Call centre IT managers can select proven anti-keylogging software that can protect every keystroke into any application and prevent screen-scraping malware from stealing customer credentials, payment and sensitive personal and credit card data. It is also important that there is access to a portal that allows simple configuration by administrators – this is after all something that needs to be managed remotely.
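The three browser lock-down controls named above (URL whitelisting, enforced certificate checking and enforced HTTPS) can be expressed as a small policy check. This is an added example, not SentryBay's product or code; the allowlisted host names are constructed sample values.

```python
"""Policy check for a locked-down agent browser (added example, not the vendor's code).

Implements the three controls named in the text: a URL allowlist, enforced HTTPS
and enforced certificate validation. Allowlist hosts are constructed sample values.
"""
import ssl
from urllib.parse import urlsplit

# Constructed sample allowlist: only these corporate hosts (and their subdomains) may be reached.
ALLOWED_HOSTS = {"claims.example-insurer.test", "payments.example-insurer.test"}


def host_allowed(host: str, allowlist=ALLOWED_HOSTS) -> bool:
    """Exact match or a proper subdomain of an allowlisted host (no substring matching,
    so 'evilpayments.example-insurer.test' does not pass)."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in allowlist)


def check_url(url: str, allowlist=ALLOWED_HOSTS) -> tuple[bool, str]:
    """Return (allowed, reason). Refuses anything that is not https to an allowlisted host."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme '{parts.scheme}' is not https"
    if not parts.hostname:
        return False, "no host in URL"
    if parts.username or parts.password:
        return False, "credentials embedded in URL are not permitted"
    if not host_allowed(parts.hostname, allowlist):
        return False, f"host '{parts.hostname}' is not on the allowlist"
    return True, "ok"


def strict_tls_context() -> ssl.SSLContext:
    """TLS context that enforces certificate checking: chain validation against the
    system trust store, hostname match, and a minimum of TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for u in ["https://claims.example-insurer.test/case/123",
              "http://claims.example-insurer.test/case/123",
              "https://claims.example-insurer.test.evil.test/login",
              "https://user:pw@payments.example-insurer.test/"]:
        print(u, "->", check_url(u))
```

Passing the context from strict_tls_context() to the HTTPS client means a connection to a host presenting an invalid or mismatched certificate is refused rather than merely warned about.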
Looking ahead
As life begins to take on some semblance of normality again, banks and insurance company customers will be expecting high standards, regardless of whether the agent they speak to is working in a physical call centre environment, or from their kitchen at home. Increasingly, it will become unacceptable to use Covid-19 as a reason for not delivering a secure, compliant service. Now is the time for companies to address areas of weakness and take advantage of the opportunity to implement processes and changes that will allow agents to work remotely with confidence in the future and ensure that customer data is fully protected at every stage in its journey through the banking or insurance system.