Contact centers play a huge role in customer satisfaction and are essential to operations for large consumer-facing businesses. However, they can also be an entry point for bad actors and a treasure trove of customer data and payment information. The sheer number of people regularly accessing and working with customers’ personally identifiable information daily makes contact centers a prime target.
At Twosense, we’ve been at the forefront of securing contact centers through innovative authentication. In this article, we’ll discuss the importance of identity security in contact centers, the current security landscape, and how continuous authentication strengthens protection without disrupting operations.
The most apparent reason for securing contact centers is to prevent cyber attacks. Contact centers face data breaches, DDoS attacks, ransomware, attacks that infect devices with malware bots, and others. According to IBM, the cost of a single data breach in 2024 is $4.88M.
Cyberattacks often render contact centers inoperative, costing both the organization and its clients. Contact centers also store customer information, such as payment information, which can have catastrophic consequences if lost or compromised.
Another aspect is that regulatory authorities require contact centers to follow specific cybersecurity standards such as PCI and GDPR. These standards specify measures that contact centers need to implement in their workplaces and systems. For instance, PCI 4 requires agents to re-authenticate if their system has been idle for more than 15 minutes.
These standards are designed to keep data safe and, in many cases, come with penalties if you fail to comply. Failure to comply with GDPR can result in fines as high as ten million euros or up to 2% of a company’s global turnover. Target had to pay $18.5 million in addition to legal fees for a data breach in which it lost the credit card data of 40 million customers.
According to PCI 4, contact centers are required to change passwords at least once a year. But this applies only to contact centers that have multi-factor authentication in place or that can show auditors they are dynamically assessing identity risk in real time. Otherwise, passwords have to be changed every 90 days.
Contact centers are also required to set up MFA for all employees who have access to a cardholder data environment (CDE).
Besides PCI requirements, contact centers may implement additional security measures. For instance, some contact centers are required to maintain clean desk policies. This means agents are prohibited from having phones or other electronic devices near or at their desks while working. This is to mitigate insider threats, prevent data breaches through devices infected with malware, or, worse, complicit agent fraud.
Contact centers use authentication to protect their systems and, in turn, customer data from unauthorized access. Contact centers can have more than 100 employees working in the same space, and companies need to ensure that they have access only to their own systems. Insider threat—a threat to an organization that comes from people within the organization, such as employees, former employees, contractors, or business associates—increases drastically without authentication.
There’s also a risk of malware bots infecting systems, stealing data, bringing operations to a standstill, or using customer data for scams.
Authentication is also necessary to implement access roles in contact centers. To reduce risk, employees are given access to only the data they need for their tasks. With so much at risk, contact centers must have robust authentication to implement these checks and controls.
As a first line of defense, contact centers require their employees to change their passwords every 90 days. They also offer training to help their employees defend themselves against common phishing and malware attacks.
But passwords alone won’t cut it. In most industries and for all companies that process credit or debit cards, regulations require contact centers to implement multi-factor authentication. Companies commonly use fingerprint scanners, 2FA apps, and physical security keys for MFA.
2FA (two-factor authentication) apps generate short-lived one-time codes, and the user enters the current code to authenticate. Physical security keys store login credentials; the user plugs the key into a USB port or taps it on an NFC reader to log in.
But hardware security solutions tend to be expensive and require regular maintenance and asset management.
Another problem is if a bad actor gets into the system after authentication. For instance, if a bot infects a device and alters customer data pretending to be an employee, the system will be defenseless. Since traditional authentication solutions only authenticate once, there’s nothing to prevent a bot from working in the background once an employee authenticates themselves. Contact centers also have a high employee turnover, leaving customer data and other systems vulnerable to disgruntled staff.
As the name suggests, continuous authentication authenticates users continuously. It monitors the user's actions on the system to ensure that only the authenticated and authorized user performs any actions within the CDE.
Twosense's Behavioral MFA uses behavior to authenticate users. It continuously checks user behavior, such as how they type and move the mouse, how they interact with their system, and other factors, to authenticate them. It can check typing cadence, typos, how users execute actions and tasks, and even cursor movements to see if the user is legitimate.
These behaviors are unique to individuals, just like fingerprints or iris scans. But unlike these conventional biometrics, continuous behavioral authentication doesn't need special hardware and is not susceptible to replay attacks. It is deployed as software and works behind the scenes to authenticate users and automate the MFA challenge response, reducing security friction.
Continuous authentication isn’t just more secure; it’s a better fit for the dynamic environment of contact centers. It ensures compliance with security regulations like PCI, mitigates insider threats, and provides peace of mind that no unauthorized user can access sensitive data.
Twosense's Behavioral MFA makes security scalable, seamless, and significantly more efficient for large workforces, distributed or on-prem, reducing the need for cumbersome hardware and manual processes.