The old adage “cybersecurity is everyone’s job” is more true than you might imagine. While not every department is tasked with threat hunting or reviewing detailed vulnerability disclosures, each has a role in protecting the organization from fraudsters and cyber criminals alike.
Customer service is uniquely positioned as the face of the company. These departments work with customers to resolve order and service disputes, answer questions, process product returns, modify account information and much more. They form a crucial link between a company and its customers. As such, it’s also important not to underestimate the role customer service plays in cybersecurity.
Customer service departments make attractive targets
Depending on the business, a customer service agent may have access to a trove of customer information and company systems. They may even have access to change customer account information or take payments over the phone. Due to the combination of access and a job that requires helpfulness, customer service departments are a ready target for cyber criminals.
Customer service departments are often targeted with social engineering campaigns, tricking them into giving up information they wouldn’t otherwise share. According to the 2022 Data Breach Investigations Report, human actions are a direct factor in 82% of the breaches examined. In fact, social engineering facilitated 2,249 incidents, 1,063 of which resulted in data disclosure. Threat actors most often used phishing and pretexting to facilitate a breach.
The communication channels available to the modern customer far outnumber those available just over a decade ago. Depending on the technologies used, a company may interact with customers through live chat, social media, email, phone, SMS text messaging and other direct messaging channels. Some customer communications platforms can transfer conversations from one channel to another while keeping a log of the interaction from start to finish. In other instances, representatives can view detailed customer information in the course of addressing an issue.
Customer service agents must handle multiple competing priorities throughout the lifecycle of customer interaction. They must balance the responsibilities of providing accurate information quickly while verifying they are indeed working with the real customer. The customer service department is also responsible for preventing unintentional disclosures of company and customer data through its communications channels.
Building a risk-aware workforce
Customer service departments often experience high turnover rates and may lack appropriate resources for regular data privacy and cybersecurity training. Despite those factors, these departments function as an essential part of doing business. It’s important for the CIO to consider what resources the department currently utilizes and how they can be improved to ensure every employee has the knowledge and risk awareness necessary to prevent cyber incidents.
Customers entrust their personal data to companies they do business with; they expect every department with access to handle the data properly. Customer identity access management can help, but the human element must also be examined. CIOs are in a position to build a culture that abides by data protection regulations. Policies and procedures outline the company’s standard approach. The CIO lays the foundations for an organizational culture that balances excellent customer service and cyber risk awareness.
Better customer support through collaboration
The CIO can work with the customer service department to improve security controls, policies and training.
A careful examination of the current support systems and how customer service agents interact with them can reveal important deficiencies in the software itself as well as the security controls in place. CIOs can open a feedback loop with the department to encourage comments about improvements in software and customer workflows.
Adjusting security controls and customer interaction workflows can help eliminate steps that are unnecessary or provide too much information to a support agent who does not need it to perform their duties. Platform tweaks can be very helpful in preventing unintentional access to personal information. However, they do not fully protect employees from potentially urgent and emotional appeals for private information they may encounter.
The CIO should work with the customer service department to tailor a cybersecurity awareness training program to meet their needs. An annual cybersecurity basics training course neither happens often enough nor contains the right information for a busy customer service department that frequently interacts with strangers through multiple channels. Training should happen often, be engaging, be relevant to the employee’s functions and teach risk awareness (rather than focusing only on the multitude of attack types).
In this way, an organization’s customer service department can work hand-in-hand with its cybersecurity team to the benefit of both.