Concerns around COVID-19 forced millions to adjust to stay-at-home orders in recent months, and many businesses began to enable their employees to work remotely from home—often for the first time. While economies are beginning to reopen, many companies plan to keep workers at home until the fall, and others have announced that employees may work from home indefinitely. However, suddenly transitioning to a remote working environment increases security risks, such as the risk of a data breach.

Organizations that are now having their customer service representatives (CSRs) or contact center agents work from home are perhaps experiencing some of the greatest risks. Many companies are experiencing increased call volumes during the crisis as consumers seek to change their travel plans, make healthcare appointments, contact their financial institutions to modify their payment schedules and more. The CSRs who are now answering these calls from home are entrusted with important personal and financial information, such as customer names, addresses, birthdates, Social Security numbers, payment card data and more. Now that these employees are working in potentially insecure environments, risk professionals need to be aware of the increased risks posed to the organization and what they can do to prevent a data breach. In particular, they should watch for the following employees:

  • The news-hungry employee. As the world seems to be changing on a daily basis, employees may experience increased levels of concern and stress and will be hungry for information, searching for the latest news and statistics on the pandemic and the economy. While this is understandable, this makes employees particularly susceptible to clicking on malicious links or phishing emails that could compromise their systems with data-stealing malware.
  • The juggling parent. With schools and daycare closed, parents are left to juggle work and homeschool their children at the same time. This adds another layer of difficulty as employees try to accomplish work tasks. Like the news-hungry employee, these individuals too are more susceptible to falling for phishing scams and other cybersecurity threats due to the many distractions in the home and therefore pose an increased risk.
  • The employee with nosey roommates or neighbors. Unfortunately, your employees are not the only vulnerabilities during this time. They may also have housemates or neighbors who can overhear sensitive information being spoken aloud over the phone, such as when a CSR or salesperson repeats back a customer’s credit card information to confirm payment. Otherwise, untrustworthy housemates might be more tempted than ever to steal this information due to dire financial distress during this time.
  • The employee working on an unsecured Wi-Fi network. As many employees work from home for the first time, they may not be prepared with secured devices and systems; working on an unsecured Wi-Fi network or having unsecured IoT devices connected to the network can create additional cybersecurity vulnerabilities.

There are a number of steps that risk managers can take to help reduce the risk of a data breach and improve security as employees work from home, including:

Refresh security training. Risk managers should make sure all employees have gone through thorough security training and understand what it takes to maintain the security of the systems, processes and devices they are using from home. For any employees that accept customer payments, facilitate purchases or handle payment card information, it is critically important for risk managers to conduct a refresher course on how to be compliant with the Payment Card Industry Data Security Standard (PCI DSS). This will help them understand the proper ways to handle sensitive information while working from home, and how to recognize potential threats.

Implement security alerts. While training is important to manage the risks of remote employees, mistakes happen. To mitigate risk, adopt the principle of least-privileged user access, which ensures employees can only access the information necessary to do their job. Organizations can also implement security alerts that signal appropriate staff and flag when an employee views sensitive data unnecessarily. Sometimes referred to as “break the glass” technologies, these solutions ask the employee to re-enter their password when accessing confidential information. Some even use sophisticated pattern recognition to automatically flag suspicious activity to higher-ups, such as when a customer service representative accesses information not typically used in their role, or is viewing an unusually large number of customer records, which could be a sign that they are looking for sensitive data to steal.
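The two alert conditions described above can be expressed as a small detection routine over record-access audit events. This is an added example, not part of the original article or any vendor's product; the role policy, event layout, thresholds and sample data are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Assumed role policy: the fields each role needs to do its job (least privilege).
ROLE_FIELDS = {
    "csr": {"name", "address", "phone", "order_history"},
    "payments": {"name", "card_last4", "billing_address"},
}

def build_sample_events():
    """Constructed audit events: (day, agent, role, customer_id, field)."""
    events = []
    for agent, n in (("a1", 4), ("a2", 5), ("a3", 6), ("a4", 40)):
        for i in range(n):
            events.append(("2020-06-01", agent, "csr", f"cust-{agent}-{i}", "address"))
    # One CSR opens a field that the CSR role does not normally use.
    events.append(("2020-06-01", "a2", "csr", "cust-a2-0", "ssn"))
    return events

def detect(events, multiplier=3.0, floor=20):
    """Return alerts for out-of-role field access and unusually high record volume."""
    alerts = []
    seen = defaultdict(set)  # (day, role, agent) -> distinct customer ids viewed
    for day, agent, role, customer, field in events:
        seen[(day, role, agent)].add(customer)
        if field not in ROLE_FIELDS.get(role, set()):
            alerts.append(("out_of_role_field", day, agent, field))
    # Group per day and role so each agent is compared with peers doing the same job.
    by_group = defaultdict(dict)
    for (day, role, agent), customers in seen.items():
        by_group[(day, role)][agent] = len(customers)
    for (day, role), counts in by_group.items():
        baseline = median(counts.values())
        for agent, n in sorted(counts.items()):
            # The floor keeps quiet days from producing alerts on tiny counts.
            if n >= floor and n > multiplier * baseline:
                alerts.append(("high_volume", day, agent, n))
    return alerts

if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

A peer-median baseline only works when several agents share a role on the same day; with a single agent the median equals that agent's own count, so a per-agent historical baseline is the better comparison there.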

Adopt cloud-based, secure payment systems. To reduce the risk of a data breach, organizations should, as much as possible, keep sensitive data such as payment card information off the business’s or employees’ home networks. By leveraging cloud-based, secure payment systems and technologies like dual-tone multi-frequency (DTMF) masking, secure payment hyperlinks and encryption, employees can securely accept payments over the phone, through email, webchat, social media and messaging platforms without ever handling or storing the payment data itself. The payment card data is encrypted and sent directly to a payment service provider for processing, bypassing the employee’s network and devices completely.

For sensitive data that cannot be kept out of the network completely, businesses should consider using tokenization to replace personally identifiable information (PII) with a meaningless equivalent. That way, even if a breach is successful, the hacked data will be of no value to the cybercriminal. Risk managers should also make sure that corporate VPNs are installed on all employee computers and use encryption methods such as WPA2 to secure Wi-Fi networks.
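A token is only a "meaningless equivalent" if it cannot be computed back from the original, which is why the sketch below draws tokens at random and keeps the mapping in a separate vault rather than hashing the value. It is an added example, not code from the article or from any tokenization product; the `TokenVault` class, field names and sample record are constructed for illustration.

```python
import secrets

class TokenVault:
    """In-memory stand-in for a tokenization service kept off the agent's network."""

    def __init__(self):
        self._by_value = {}  # original value -> token
        self._by_token = {}  # token -> original value

    def tokenize(self, value, keep_last=4):
        """Replace digits with random ones, keeping separators and the last few digits."""
        if value in self._by_value:
            return self._by_value[value]  # same input always maps to the same token
        total = sum(c.isdigit() for c in value)
        while True:
            out, seen = [], 0
            for c in value:
                if c.isdigit():
                    seen += 1
                    keep = seen > total - keep_last
                    out.append(c if keep else str(secrets.randbelow(10)))
                else:
                    out.append(c)
            token = "".join(out)
            # Retry on the rare collision with the original or an issued token.
            if token != value and token not in self._by_token:
                break
        self._by_value[value] = token
        self._by_token[token] = value
        return token

    def detokenize(self, token):
        """Only the vault can map a token back; callers need access to the vault."""
        return self._by_token[token]

def tokenize_record(vault, record, pii_fields):
    """Return a copy of the record that is safe to store on the business network."""
    return {k: vault.tokenize(v) if k in pii_fields else v for k, v in record.items()}

# Constructed sample record (test card number, never-issued SSN range).
SAMPLE = {"name": "Jane Example", "ssn": "000-12-3456",
          "pan": "4111 1111 1111 1111", "note": "callback requested"}

if __name__ == "__main__":
    print(tokenize_record(TokenVault(), SAMPLE, {"ssn", "pan"}))
```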

Increased work from home options will continue as long as COVID-19 poses a threat. Additionally, as many companies are experiencing the benefits of remote work, including reduced costs, nonexistent commute times and increased flexibility, they may choose to continue letting employees work from home and this trend may become the new norm. Like taking proper health safety precautions during a pandemic, risk managers should implement the data security best practices outlined above to keep their companies healthy and thriving. 

Gary E. Barnett is CEO of data security service provider Semafone.