March 13, 2023 By Michelle Greenlee 3 min read

The old adage “cybersecurity is everyone’s job” is more true than you might imagine. While not every department is tasked with threat hunting or reviewing detailed vulnerability disclosures, each has a role in protecting the organization from fraudsters and cyber criminals alike.

Customer service is uniquely positioned as the face of the company. These departments work with customers to resolve order and service disputes, answer questions, process product returns, modify account information and much more. They form a crucial link between a company and its customers. As such, it’s also important not to underestimate the role customer service plays in cybersecurity.

Customer service departments make attractive targets

Depending on the business, a customer service agent may have access to a trove of customer information and company systems. They may even have access to change customer account information or take payments over the phone. Due to the combination of access and a job that requires helpfulness, customer service departments are a ready target for cyber criminals.

Customer service departments are often targeted with social engineering campaigns, tricking them into giving up information they wouldn’t otherwise share. According to the 2022 Data Breach Investigations Report, human actions are a direct factor in 82% of the breaches examined. In fact, social engineering facilitated 2,249 incidents where 1,063 of which resulted in data disclosure. Threat actors most often used phishing and pretexting to facilitate a breach.

The number of communication channels available to the modern customer far outnumber those available just over a decade ago. Depending on the technologies used, a company may interact with customers through live chat, social media, email, phone, SMS text messaging and other direct messaging channels. Some customer communications platforms can transfer conversations from one channel to another while keeping a log of the interaction from start to finish. In other instances, representatives can view detailed customer information in the course of addressing an issue.

Customer service agents must handle multiple competing priorities throughout the lifecycle of customer interaction. They must balance the responsibilities of providing accurate information quickly while verifying they are indeed working with the real customer. The customer service department is also responsible for preventing unintentional disclosures of company and customer data through its communications channels.

Building a risk-aware workforce

Customer service departments often experience high turnover rates and may lack appropriate resources for regular data privacy and cybersecurity training. Despite those factors, these departments function as an essential part of doing business. It’s important for the CIO to consider what resources the department currently utilizes and how they can be improved to ensure every employee has the knowledge and risk awareness necessary to prevent cyber incidents.

Customers entrust their personal data to companies they do business with; they expect every department with access to handle the data properly. Customer identity access management can help, but the human element must also be examined. CIOs are in a position to build a culture that abides by data protection regulations. Policies and procedures outline the company’s standard approach. The CIO lays the foundations for an organizational culture that balances excellent customer service and cyber risk awareness.

Better customer support through collaboration

The CIO can work with the customer service department to improve security controls, policies and training.

A careful examination of the current support systems and how customer service agents interact with them can reveal important deficiencies in the software itself as well as the security controls in place. CIOs can open a feedback loop with the department to encourage comments about improvements in software and customer workflows.

Adjusting security controls and customer interaction workflows can help eliminate steps that are unnecessary or provide too much information to a support agent who does not need it to perform their duties. Platform tweaks can be very helpful in preventing unintentional access to personal information. However, they do not fully protect employees from potentially urgent and emotional appeals for private information they may encounter.

The CIO should work with the customer service department to tailor a cybersecurity awareness training program to meet their needs. An annual cybersecurity basics training course doesn’t happen often enough nor contain the right information for a busy customer service department which frequently interacts with strangers through multiple channels. Training should happen often, be engaging, be relevant to the employee’s functions and teach risk awareness (rather than focusing only on the multitude of attack types).

In this way, an organization’s customer service department can work hand-in-hand with its cybersecurity team to the benefit of both.

More from Risk Management

Working in the security clearance world: How security clearances impact jobs

2 min read - We recently published an article about the importance of security clearances for roles across various sectors, particularly those associated with national security and defense.But obtaining a clearance is only part of the journey. Maintaining and potentially expanding your clearance over time requires continued diligence and adherence to stringent guidelines.This brief explainer discusses the duration of security clearances, the recurring processes involved in maintaining them and possibilities for expansion, as well as the economic benefits of these credentialed positions.Duration of security…

Remote access risks on the rise with CVE-2024-1708 and CVE-2024-1709

4 min read - On February 19, ConnectWise reported two vulnerabilities in its ScreenConnect product, CVE-2024-1708 and 1709. The first is an authentication bypass vulnerability, and the second is a path traversal vulnerability. Both made it possible for attackers to bypass authentication processes and execute remote code.While ConnectWise initially reported that the vulnerabilities had proof-of-concept but hadn’t been spotted in the wild, reports from customers quickly made it clear that hackers were actively exploring both flaws. As a result, the company created patches for…

Researchers develop malicious AI ‘worm’ targeting generative AI systems

2 min read - Researchers have created a new, never-seen-before kind of malware they call the "Morris II" worm, which uses popular AI services to spread itself, infect new systems and steal data. The name references the original Morris computer worm that wreaked havoc on the internet in 1988.The worm demonstrates the potential dangers of AI security threats and creates a new urgency around securing AI models.New worm utilizes adversarial self-replicating promptThe researchers from Cornell Tech, the Israel Institute of Technology and Intuit, used what’s…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today