Contact centers are a good target for bad actors, particularly those attempting to steal customer data. BPOs store and process card data regularly, and many employees access the card data environment (CDE). In an industry with high employee turnover, preparing agents for the various cybersecurity threats they may face can be increasingly difficult. This presents a large attack surface for bad actors.
Contact centers employ many cybersecurity solutions to defend their systems, such as state-of-the-art firewalls, antivirus software, and authentication systems. But these are largely inadequate at preventing the most significant security risk: human error.
Traditionally, contact centers have used passwords and 2FA apps to secure their systems from unauthorized access. While these have protected contact centers to some extent from attackers guessing passwords or using brute force tactics, they're vulnerable to evolving security threats.
Currently, most cybersecurity attacks start with a social engineering aspect. Many contact centers are aware of this and have trained their agents against phishing, but they have yet to eliminate the problem entirely. Meanwhile, bad actors are developing sophisticated social engineering techniques, even using deepfake technology to make convincing phone calls to contact centers.
The problem with traditional authentication solutions is that they can't prevent employees from falling for many of these sophisticated social engineering attacks, which end with passwords being shared or prompt-bombing MFA notifications being approved.
Another problem is that once the attacker has access to the systems, these authentication solutions cannot do much. According to IBM, on average, most breaches take 277 days before they’re detected. Of course, contact centers can configure their systems to send MFA challenges more often, but that will increase security friction and hinder agent productivity.
These conventional authentication solutions also do not work in a clean desk environment. While clean desk environments can reduce the risk of insider threats, employees cannot use their phones at work, making it impossible for contact centers to use mobile authentication solutions.
According to IBM’s 2024 report, the average cost of a data breach was $4.8mn. Failure to protect customer data can invite severe fines from regulatory bodies.
Besides fines from data breaches, contact centers that fail to protect customer data can also lose their clients. In the event of serious violations, affected customers could even file a lawsuit against contact centers, which can bring significant legal expenses.
Contact centers may also have to suspend operations and hire experts to investigate the root cause of the breach.
While contact centers managed by large businesses may be able to manage the fines, smaller BPO firms may not survive such penalties.
Contact centers need a solution that continuously authenticates its users with minimal or no effort from the agents and can detect if an unauthorized person is using the system. Behavioral MFA may be the missing link that contact centers seek.
Behavioral MFA uses a user’s behavior to authenticate them. It is continuous and performs an MFA challenge every minute, unlike traditional systems, which at best perform a check every hour or when the user has been inactive for more than 15 minutes.
The best part is that all of this happens without any input or effort from the user. Twosense continuously monitors user behavior behind the scenes. If another person tries to use the system, a behavioral mismatch will occur and be detected within a minute, enabling security teams to take immediate action.
The system works as software and can be deployed quickly, making it perfect for clean desk environments. Agents don’t have to use an app to authenticate; it doesn’t affect their productivity or workflows since they don’t have to type in a password or code now and then.
Twosense monitors how a user types or moves the mouse while using the system. Based on this data, it builds a behavior profile for the user, also known as a trust model.
This process, on average, takes two weeks. It's important to note that Twosense doesn’t collect or store anything that the user types or clicks on. The system only observes how the user interacts with the system and never what they do.
Once the profile is ready, the system continuously compares the user's behavior against this profile. If another person tries to use the system, Twosense will flag the behavior change as a mismatch, detect the intruder, and inform IT.
Contact centers can configure automated workflows for the system to run when it detects another user. To ensure it's not a false alarm, they can use fallback MFA and ask the user to enter an OTP or code, or ask the user to contact their manager for approval.
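A simplified sketch of the profile-and-compare loop described above, as an added example rather than Twosense's actual algorithm: it records only key press and release timings (never which key), builds a per-agent profile from constructed enrollment data, and escalates to fallback MFA on a mismatch. The features (dwell and flight time), the z-score metric, the threshold and all sample data are assumptions made for illustration.

```python
import random
from statistics import mean, stdev

def features(events):
    """events: list of (press_ms, release_ms) pairs; key identity is never recorded."""
    dwell = [r - p for p, r in events]                      # how long each key is held
    flight = [events[i + 1][0] - events[i][1]               # gap between consecutive keys
              for i in range(len(events) - 1)]
    return mean(dwell), mean(flight)

def build_profile(windows):
    """Per-feature (mean, standard deviation) over the enrollment windows."""
    feats = [features(w) for w in windows]
    return [(mean(col), stdev(col)) for col in zip(*feats)]

def mismatch_score(profile, window):
    """Average absolute z-score of the window's features against the profile."""
    return mean(abs(x - mu) / sd for x, (mu, sd) in zip(features(window), profile))

def decide(profile, window, threshold=4.0):
    """Assumed policy: above the threshold, trigger fallback MFA and alert IT."""
    return "fallback_mfa" if mismatch_score(profile, window) > threshold else "ok"

def synth_window(rng, dwell_ms, flight_ms, n=60):
    """Constructed sample data: n keystrokes with Gaussian timing jitter."""
    t, out = 0.0, []
    for _ in range(n):
        press = t
        release = press + max(20.0, rng.gauss(dwell_ms, 15))
        t = release + max(10.0, rng.gauss(flight_ms, 30))
        out.append((press, release))
    return out

rng = random.Random(7)                                      # fixed seed, repeatable
ENROLL = [synth_window(rng, 95, 140) for _ in range(40)]    # enrolled agent's typing
PROFILE = build_profile(ENROLL)
SAME_AGENT = synth_window(rng, 95, 140)                     # same rhythm as enrollment
OTHER_PERSON = synth_window(rng, 140, 220)                  # slower, different rhythm

if __name__ == "__main__":
    print("same agent  :", decide(PROFILE, SAME_AGENT))
    print("other person:", decide(PROFILE, OTHER_PERSON))
```

A production system would use far richer features and a learned model; the point here is that the input contains timing only, so nothing the agent types is available to the scorer.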
Security and convenience have a complicated relationship. A high level of security can make things inconvenient for the user. However, after a point, the inconvenience can cause users to bypass security measures and create vulnerabilities. Behavioral MFA is the perfect blend of security and convenience. It secures the system with minimal or no effort from the users.