📘 The Guide: How to choose secure contact center software
The contact center software you choose is vital to maintaining a secure operation. This guide is designed to help you and your team evaluate the cyber security readiness of the cloud contact center systems in use.
Cyber security is vital to any organisation that handles customer data.
Traditionally, cyber security has been viewed as a technical challenge, although the human factor has become more widely recognised in the past decade. However, cyber security is a wide-ranging topic that goes far beyond the ICT team. According to the Finnish National Cyber Security Centre, the major long-term phenomena impacting cyber threats are:
🔹 International economic and political instabilities
🔹 Insufficient exchange of information within and between organisations
🔹 Unpatched vulnerabilities in devices and services connected to the internet
🔹 Lack of diversified cyber security expertise
🔹 Stolen access rights and credentials.
As the list above indicates, cyber security is a complex topic. With the vast number of cyber security risks and potential breaches today, no organisation is 100% safe from all threats. However, with the right systems, proper training and certified processes you can minimise the impact of attacks and breaches on your operation.
What does cyber security mean in the context of contact center operations?
Minimise cyber security risks
With certified and secure contact center software in place, your organisation is protected from cyber attacks and data loss.
Comply with all security requirements
You won't need to deal with EU, GDPR and other legal requirements by yourself, as your contact center provider takes care of the legal side.
Avoid system downtime
A reliable contact center provider should ensure >99.95% system uptime at all times.
The Importance of Cyber Security in Contact Centers
Due to the nature of their business, both outbound calling contact centers and customer service teams handle personal information. These organisations are therefore potential targets for a multitude of cyber security attacks.
Also, most cyber security attacks today are not designed against a specific company. Most of the time, hacker groups and individual hackers cast their net as wide as possible by testing the security measures of thousands of organisations simultaneously.
For businesses and organisations operating in the European Economic Area, strict regulation is in place on how to deal with personal data. The General Data Protection Regulation (GDPR) places heavy fines for organisations that fail to keep their customers’ personal information safe or fail to sufficiently deal with breaches after they occur.
For these three reasons alone, cyber security should be high on your agenda. To minimise cyber security risks, the tools (for example the contact center software) and processes that customer service teams and outbound sales teams use need to be evaluated from a cyber security point of view.
As the contact center software you choose is vital to maintaining a secure operation, this guide is designed to help you and your team (such as the ICT team) evaluate the cyber security readiness of cloud contact center systems.
Security Accreditations and Certificates
The best way to ensure that a vendor organisation is taking cyber security seriously is to check that it has been certified.
SOC 2 accreditation and ISO 27001 certification are two of the most reliable signs that an organisation is managing its cyber security systematically and comprehensively.
Government agencies and large enterprises in particular typically set either SOC 2 accreditation or ISO 27001 certification as a minimum requirement in their RFPs.
If you are concerned about the security of your customer data, you should only choose services with at least one of these certifications.
Cyber security is an ongoing concern.
That's why cyber security management should be an ongoing process. The process should be clearly documented and include, among other things, periodic information security risk assessments and tests.
SOC 2 accreditation
The roots of SOC 2 date all the way back to the auditing standards released in the 1970s. It was developed by the American Institute of Certified Public Accountants and defines the criteria for the management of an organisation's data. SOC 1 determines the controls for financial statements; SOC 2 does the same for customer data. Nowadays the SOC 2 standard is managed by the International Standard on Assurance Engagement (ISAE).
System and Organization Controls (SOC) reports are written by an independent auditor based on their evaluation of how a company manages sensitive data in its everyday procedures. SOC 2 certifies that an organisation has minimised the possibility of customer data leaks and security breaches.
The SOC 2 report is based on the five Trust Services Criteria for handling customer data: Security, Confidentiality, Processing Integrity, Privacy and Availability. It is designed for organisations that store, process or transmit any kind of customer data, for example SaaS companies or data hosting companies.
Principles of internal control and trust services criteria
The SOC 2 accreditation is based on 17 mandatory Principles of Internal Control and five optional Trust Services Criteria.
The Principles of Internal Control ensure that the company has the right processes in place to keep information safe: access to confidential information is restricted to the relevant employees only, risks are minimised through continuous training, systems are constantly monitored, and partners are consistently evaluated.
In short, a company that receives the SOC 2 accreditation:
🔹 Trains all their employees in information security
🔹 Makes sure anyone they purchase services from has similar information security protocols
🔹 Ensures all customer data is secure and backed-up
🔹 Restricts physical and digital access to that data and removes the data at the end of a customer relationship
🔹 Has procedures in place to rapidly respond to any incidents
🔹 Regularly audits information security procedures internally, and with an external audit.
The SOC 2 report is audited by a certified external auditor, who assesses the extent to which a vendor complies with the Trust Services Criteria. SOC 2 has two types of report, Type I and Type II. A Type I report describes the company's systems, and the auditor confirms that the design of the systems meets the relevant Trust Services Criteria. A Type II report goes beyond that by studying the operational effectiveness of those systems, i.e., carrying out tests to ensure that the system works as stated.
The optional Trust Services Criteria are the building blocks of cyber security. Each one answers a question:
🔹 Security: how is the system protected against attacks?
🔹 Availability: how can we ensure that the system works 24/7?
🔹 Processing Integrity: does the system work as intended?
🔹 Confidentiality: how can we limit access to, storage of and use of confidential information?
🔹 Privacy: how can we safeguard sensitive personal information against unauthorised access?
ISO 27001 certification
ISO 27001 was originally published in 2005. Revisions have been carried out over the years, and the latest version is from 2018. The standard has been developed and published by the International Organization for Standardization.
ISO 27001 is an information security management standard that sets the requirements for an Information Security Management System (ISMS). The set of requirements determines how organisations can manage the security of their information assets, such as intellectual property, customer data or third-party information.
Absolute protection from all cyber security threats is impossible, but ISO 27001 is an internationally recognised sign of an organisation that follows the highest security standards.
Security controls and how they are built
A security control is any measure aimed at increasing the cyber security of an organisation. Most organisations use several: firewalls, automatic updates, passwords, incident management protocols, etc.
The purpose of the ISMS is to ensure that the security controls of an organisation are effectively managed, and that the controls cover the entire spectrum of possible cyber security threats.
The ISMS needs to systematically examine the organisation's security risks, set up additional security controls where needed and ensure that the controls meet the organisation's needs on an ongoing basis.
The first step in receiving the ISO 27001 certificate is to purchase the standard and study the requirements it sets for information security. When this is done for the first time, there is usually a need to add and modify security controls to meet the requirements of the standard. Naturally, every security control needs to be documented.
Once the ISMS meets the requirements of the standard, an Accredited Registrar is invited to carry out the audit. A preliminary stage 1 audit can be carried out to see if the right processes and systems are in place. A stage 2 audit is a formal, complete audit.
The auditor reviews the documentation to ensure that it meets the requirements set in the standard. Only then can the auditor grant a certificate.
To comply with the standard, ongoing follow-up reviews are required. The ISO 27001 audit is repeated regularly, and it can also be carried out internally. For example, an internal auditor can audit the organisation annually while an external auditor is invited every three years.
ISO 27001 is based on standards: long lists of cyber security guidelines to follow. Some organisations choose to follow the guidelines and best practices without getting certified, as certification is not obligatory. While this is perfectly acceptable, only an external audit and the resulting certification is a true guarantee for customers and partners that the measures outlined in the standard are actually followed in the organisation.
LeadDesk is trusted by security-conscious organisations, including organisations in the healthcare and finance industries.
LeadDesk has received both SOC 2 and ISO 27001 certifications. LeadDesk has also been evaluated against three of the most applicable Trust Service Criteria: security, availability, and confidentiality.
Contact centers are potential targets for cyber security attacks. They handle and store customer data, and this data is extremely lucrative for cyber criminals. Targeted attacks are not the only risk, however, as blind attacks simultaneously exploiting security gaps in thousands of companies have become common.
Security-conscious organisations should ensure that their software vendors are SOC 2 accredited and/or ISO 27001 certified. These are generally accepted and externally audited signs that an organisation is taking cyber security seriously.
When creating an RFI or RFP for a contact center system or when evaluating the systems of different vendors, make sure you include these certifications in your evaluation criteria. For example, ask the vendor to:
🔹 Give an overview of their security controls
🔹 List the relevant certifications regarding those controls
🔹 List any other external audits or reports they have carried out.