There was once a time when the idea of contact center agents working from home would cause one to laugh out loud, literally. Then, in 2020 as the world collectively faced a global pandemic, what was once an absurdity became a necessity. There are an estimated 2.8 million contact center agents in the United States alone, many of whom transitioned to remote environments during COVID. While numerous BPOs have since returned to working on-premises, some organizations recognize the benefits of WAHA (work-at-home agents) and are proactively looking for security solutions to make WAHA more secure so that they can remain a permanent offering.
In addition to the changes as a result of the pandemic, the workforce has seen generational shifts in culture that strongly favor remote work, making WAHA a role that offers flexibility and agency. Organizations that use BPO contact centers for their customer support have seen benefits to remote agents, such as reduced overhead costs. However, having a remote workforce also comes with its own challenges. For contact centers in particular, these come in the form of security challenges.
While contact centers face various security hurdles, both on-premises and remotely, one in particular often goes unnoticed until it's too late: WAHA outsourcing their work to a third party. This commonly occurs when an agent outsources their work to someone else within their household. For example, we have come across an instance where a young adult (underage) was taking calls on behalf of their parent, who is the authorized agent.
Additional examples of this practice include:
- An agent outsources work to another individual, paying them less.
- One agent secures multiple positions and then outsources the work of each role.
There is still something more sinister to worry about: cyber adversaries may be putting compromised candidates into your hiring funnel specifically to gain access to your customers - a process the FBI has been warning the private sector about with their “Delta Protocol.”
An agent operating as an illegal shadow BPO poses several threats to security, as well as hidden impacts on the organization's reputation and its relationship with its customers. Work-at-home agents outsourcing their responsibilities happens more often than organizations are aware of. Often, it takes an event such as a data breach to bring to light that an agent has been outsourcing their work, or handing off access, to an unauthorized party. This is the worst-case scenario for a BPO.
For an agent to outsource their work, there would also have to be an organized process to counter pre-existing security measures like standard MFA that may or may not be in place. Even with mobile and/or unphishable MFA, an agent who is complicit in granting unauthorized access can still do so. Should a data breach occur that can be directly traced back to an unauthorized person, the organization would be exposed to a variety of compliance scrutiny, including whether MFA has been properly deployed and configured. Should the answers to those questions be insufficient, the organization could suffer non-compliance fines, legal ramifications, or even criminal liability.
There is also the hidden impact of agents outsourcing work. The average WAHA goes through onboarding and formal training. Training ensures that the agents provide a certain quality of service, typically agreed upon in their contract. Having an unauthorized, untrained individual operating as an agent puts your organization at risk of delivering less than satisfactory service, negatively affecting KPIs (key performance indicators) and SLAs (service-level agreements), damaging the brand's reputation and the organization's NPS (net promoter score), and possibly even resulting in the loss of the customer entirely. While this is a massive detriment to the relationship with the customer, comparatively, it is on the mild side of the impacts.
The fallout for a BPO should a data breach occur as the result of an agent outsourcing their work would be catastrophic. Security negligence of this scale would devastate the business and its brand. Not only would the organization lose its credibility, but it would face severe financial repercussions in the form of fines and even potential lawsuits from the customer.
So, what is the solution that ensures agents aren’t outsourcing their work? And why doesn't standard MFA stop this practice? The reality is that modern MFA is not designed for contact center environments, either on-premises or remotely. While mobile devices are most commonly strictly limited on the floor, it is much harder to manage security for agents off property. Suppose the organization opts to use standard MFA that requires a push notification for remote agents. In that case, the agent could easily ensure the unauthorized individual has access to that device to authenticate throughout the day.
The best solution to ensure the identity of remote agents is to deploy a continuous, biometric multi-factor authentication solution that cannot be manipulated or fooled into believing that one individual is, in fact, another.
Twosense Behavioral MFA does precisely this. By leveraging machine learning and passive biometrics, Twosense is able to create a unique profile for each user. Each model continues to learn and adapt to changing behaviors whenever a user passes an MFA challenge. The more behavior is observed, the more confident Twosense can be that the user is who they claim to be. When the model is mature, Twosense can validate the user's identity and create a baseline of trust. That trust score is what is used to authenticate the user continuously throughout the day or flag suspicious behavior, even with a complicit or compromised agent.
Behavioral biometric MFA is the only solution capable of checking users' identities hundreds of times each day without requiring any participation from the users. In this scenario, it is assumed that the agent and the unauthorized individual would be using the same device, meaning that a behavior mismatch would be immediately flagged, ultimately making outsourcing their work impossible.