📘 Leitfaden: So finden Sie eine sichere Contact-Center-Software

Cyber ​​security is a fundamental issue for any company that works with customer data.

Cyber ​​security is a fundamental issue for any company that works with customer data.

Traditionally, cybersecurity has been viewed as a technical challenge. Only in the last decade or so has the focus on the human factor increased. However, cybersecurity is a far-reaching issue that goes far beyond the ICT team. According to the Finnish National Center for Cybersecurity, the following phenomena have the greatest impact on cyber threats:

🔹 International economic and political instability

🔹 Lack of exchange of information within and between organizations

🔹 Unpatched vulnerabilities in devices and services connected to the Internet

🔹 Lack of diversified expertise in cybersecurity

🔹 Stolen access rights and credentials.

The list above shows that cyber security is a complex topic. With the multitude of cybersecurity risks and potential security breaches today, no organization is 100% secure from all threats. However, with the right systems, training, and certified processes, you can minimize the impact of attacks and breaches on your operations.

The importance of cybersecurity in contact centers

Both outbound contact centers and customer service teams work with personal data. These organizations are therefore potential targets for a variety of cybersecurity attacks.

In addition, most such attacks today are no longer aimed at individual companies. More often than not, hacker groups and individual hackers cast their net as far as possible, testing the security measures of thousands of companies simultaneously.

Strict regulations apply to companies and organizations operating in the European Economic Area regarding the handling of personal data. The General Data Protection Regulation (GDPR) provides for heavy fines for companies that do not keep their customers‘ personal data secure or fail to adequately correct breaches.

For these three reasons alone, cybersecurity should be at the top of your agenda. To mitigate cybersecurity risks, all tools – e.g. B. the contact center software – and all processes of customer service teams and outbound sales teams are evaluated from the point of view of cyber security.

The contact center software you choose is critical to secure operations. Therefore, this guide will help you and your team (e.g. the ICT team) to assess the cyber security properties of cloud contact center systems.

SOC 2 certification

A look back

The beginnings of SOC 2 date back to the exam standards published in the 1970s. Developed by the American Institute of Certified Public Accountants, the certification defines the criteria for an organization’s data management. SOC 1 establishes the controls for financial statements. SOC 2 does the same for customer data. The SOC 2 standard is now regulated as part of the International Standard on Assurance Engagement (ISAE).

The importance of SOC 2

System and Organizational Controls (SOC) are reports prepared by independent auditors that evaluate how a company handles sensitive data. SOC 2 certifies that an organization has minimized the likelihood of customer data leakage and security breaches.
The SOC 2 report is based on the five Trust Services criteria for handling customer data: Security, Confidentiality, Processing Integrity, Privacy and Availability. It was developed for all companies that store, process or transmit customer data – e.g. B. SaaS companies or data hosting companies.

Internal Control Principles and Trust Services Criteria

Die SOC 2-Zertifizierung basiert auf 17 obligatorischen Grundsätzen der internen Kontrolle und fünf optionalen Trust Service-Kriterien.

Die Grundsätze der internen Kontrolle stellen sicher, dass das Unternehmen über geeignete Prozesse verfügt, um Informationen zu schützen. Der Zugang zu vertraulichen Informationen ist auf die entsprechenden Mitarbeiter beschränkt, Risiken werden durch kontinuierliche Schulungen minimiert, Systeme kontinuierlich überwacht und Geschäftspartner konsequent bewertet.

Zusammengefasst muss ein Unternehmen folgende Kriterien erfüllen, um die SOC 2-Zertifizierung zu erhalten:

🔹 Schulungen zum Thema Informationssicherheit für alle Mitarbeiter

🔹 Gewährleistung, dass alle Unternehmen, von denen Dienstleistungen eingekauft werden, über ähnliche Informationssicherheitsprotokolle verfügen

🔹 Gewährleistung, dass alle Kundendaten sicher sind und Sicherheitskopien erstellt werden

🔹 Beschränkung des physischen und digitalen Zugriffs auf diese Daten und Löschung der Daten, wenn eine Kundenbeziehung beendet wird

🔹 Etablierte Verfahren, die eine schnelle Reaktion auf Zwischenfälle ermöglichen

🔹 Regelmäßige interne und externe Prüfung der Verfahren zur Informationssicherheit.

Der Zertifizierungsprozess

The SOC 2 report is audited by a certified external auditor. This auditor assesses the extent to which a provider meets the Trust Services criteria. SOC 2 includes two types of reports: Type I and Type II. Type I describes the organization’s systems. The auditor confirms that the design of these systems meets the relevant Trust Services criteria. Type II reports go further: they examine the operational effectiveness of these systems, i. H. they run tests to make sure they work as advertised.

The ISO 27001 certification

A look back

ISO 27001 was first published in 2005. Revisions have been made over the years. The latest version is from 2018. The standard was developed and published by the International Organization for Standardization.

The importance of SOC 2

ISO 27001 is an information security management standard that specifies the requirements for an information security management system (ISMS). The requirements specify how organizations can manage the security of their information assets, such as intellectual property, customer data, or third-party information.

Absolute protection against all cyber security threats is not possible. However, ISO 27001 is an internationally recognized mark of an organization that meets the highest security standards.

How security controls are set up

Eine Sicherheitskontrolle ist jede Maßnahme, die darauf abzielt, die Cybersicherheit einer Organisation zu erhöhen. Die meisten Unternehmen verwenden mehrere Sicherheitskontrollen: Firewalls, automatische Updates, Passwörter, Protokolle für das Incident Management usw.

Der Zweck des ISMS ist es, sicherzustellen, dass die Sicherheitskontrollen einer Organisation effektiv verwaltet werden und gleichzeitig das gesamte Spektrum möglicher Cybersicherheitsbedrohungen abdecken.

Das ISMS muss die Sicherheitsrisiken der Organisation systematisch untersuchen, bei Bedarf zusätzliche Sicherheitskontrollen einrichten und sicherstellen, dass die Kontrollen den Anforderungen der Organisation fortlaufend gerecht werden.

Der Zertifizierungsprozess

Der erste Schritt zum Erhalt des ISO 27001-Zertifikats besteht darin, die Norm zu erwerben und die darin enthaltenen Anforderungen an die Informationssicherheit zu verstehen. Beim ersten Mal ist es in der Regel erforderlich, Sicherheitskontrollen hinzuzufügen und zu ändern, um die Anforderungen des Standards zu erfüllen. Natürlich muss jede Sicherheitskontrolle dokumentiert werden.

Sobald das ISMS die Anforderungen des Standards erfüllt, wird der akkreditierte Registrator eingeladen, die Prüfung durchzuführen. Es kann eine vorläufige Prüfung der Stufe 1 durchgeführt werden, um festzustellen, ob die richtigen Prozesse und Systeme vorhanden sind. Eine Prüfung der Stufe 2 ist eine formelle, vollständige Prüfung.

Der Prüfer überprüft die Dokumentation, um sicherzustellen, dass sie den Anforderungen des Standards entspricht. Erst dann kann ein Zertifikat ausgestellt werden.

Um den Standard zu erfüllen, sind fortlaufende Nachprüfungen erforderlich. Die ISO 27001-Prüfung wird regelmäßig vorgenommen, kann aber auch intern durchgeführt werden. Ein interner Prüfer kann zum Beispiel eine jährliche Prüfung durchführen, während die externe Prüfung nur alle drei Jahre stattfindet.

Externer Prüfer

ISO 27001 is based on standards – that is, long lists of cybersecurity guidelines to follow. Certification is not mandatory. As a result, some organizations choose to follow the standard’s guidelines and best practices without becoming certified. There is nothing wrong with that. However, only an external audit and the resulting certification are a real guarantee for customers and partners that the measures described in the standard are actually observed in the organization.

Summary

Contact centers are potential targets for cybersecurity attacks. They process and store customer data – data that is extremely lucrative for cybercriminals. However, targeted attacks are not the only risk. Blind attacks that simultaneously exploit vulnerabilities in thousands of organizations have also become common.

Companies should therefore ensure that their software providers are SOC 2 and/or ISO 27001 certified. Both certifications are widely recognized and externally audited signs that an organization has cyber security in mind.

If you are creating a request or RFP for a contact center tool, or evaluating the systems of different vendors, you should include these certifications in your evaluation criteria. For example, ask the vendor to:

🔹 An overview of its security controls

🔹 A list of relevant certifications for these controls

🔹 A listing of other external audits or reports.