How to keep your CCaaS solution secure

Oct. 6, 2021
Growth in adoption of Contact Center as a Service offerings introduces yet another cyber vulnerability that can be exploited by hackers

According to AVANT’s annual 6-12 Report, a large proportion of businesses, as high as 75% in certain industries, plan to adopt a Contact Center as a Service (CCaaS) solution in the next 12 months. In 2019, the global CCaaS market stood at $11 billion, with some estimates predicting spend to reach $56 billion by 2027.

Whether your organization already has a CCaaS system or plans to adopt one in the future, it’s important to keep security top of mind. In today’s increasingly remote world, a cyberattack is a matter of when — not if. Effective security must be interwoven with every CCaaS migration to reduce the likelihood of a successful cyberattack.

What is CCaaS?

Before diving into the security implications of CCaaS, let’s define what the solution is and its benefits. Contact Center as a Service is a type of cloud-based software that helps organizations better manage their inbound and outbound communication with customers. CCaaS combines the voice connectivity of legacy call centers with digital channels, text messaging and social media.

A modern CCaaS system includes an intelligent routing engine — often integrated with Artificial Intelligence (AI) — to route, manage, deliver and record customer interactions. In addition to AI, CCaaS systems typically include a call distributor, interactive voice response (CDIVR), outbound predictive dialers (OPDs) and analytics capabilities designed to improve a call center’s functionality.

CCaaS solutions help organizations respond to their customers more effectively and efficiently, improving customer satisfaction and retention. The solution reduces the number of administrative and operational tasks call center employees handle, enabling them to focus on providing high-quality service. For example, the system could allow for the caller’s name to appear alongside their phone number, helping employees access customer information before a call is connected. It could also predict customers’ questions and surface possible responses for the employee based on a keyword the customer shared during call intake.

AVANT’s 6-12 Report found that CCaaS’s accelerated adoption is being driven by enterprises’ need to upgrade legacy systems to enable remote work and enhance the customer experience. The top benefits businesses are seeking from CCaaS solutions include improved functionality (52%), more streamlined day-to-day management (46%) and unification of multiple technology systems (42%).

Why CCaaS Security is non-negotiable

CCaaS offers many benefits for your employees and the customer experience, but like any internet-enabled technology, it also has vulnerabilities. Securing CCaaS is critical for the following reasons:

  1. Compliance: Most organizations must satisfy specific compliance standards for a contact center solution. AVANT found that 69% of respondents require PCI compliance, 41% require HIPAA compliance, 14% require GDPR and another 33% fall into other regulatory requirements. If your CCaaS security isn’t compliant, you could face costly legal ramifications.
  2. Vulnerabilities: CCaaS systems are particularly vulnerable to attack given the high number of internal employees and external customers that access them via public or unsecured networks and Internet of Things (IoT) devices. Cybercriminals will try to attack via customer devices, registration patterns, offshore IP addresses, scanning and more. The volume of possible attack surfaces makes CCaaS a popular target for cybercriminals.
  3. Customer data: CCaaS solutions handle sensitive personally identifiable information (PII), including social security numbers, credit card information and home addresses. So if a breach occurs and security is weak, it could easily compromise customer data and your reputation. PII is the most common type of record lost in a data breach and also the most expensive, costing organizations $180 per lost or stolen record.

How Bad Actors Threaten Your CCaaS

Now that you know why securing your CCaaS is so important, let’s take a closer look at the threats that you’re up against. The following security threats are specific to CCaaS and things you’ll need to be on the lookout for:

Fraudulent calling: Over a third of organizations say at least one in 10 contact center calls is fraudulent. In a tactic known as “traffic pumping,” fraudsters flood your service line with calls. The bad actors profit by creating a fake telephone company and billing your call provider for carrier fees from a portion of each call. They spoof the caller ID/ANI and enable call forwarding to international destinations with the goal of staying on the line as long as possible. Sophisticated attacks will vary the length of each call and overwhelm your lines with simultaneous calls, tying up your resources, wasting agent time and creating some level of a Telephony Denial of Service (TDoS) condition. 

To protect your CCaaS solution and minimize the effects of traffic pumping, put proper security systems in place, such as a unified communications threat platform or BGP flow specification. In addition, enterprises should use artificial intelligence to monitor for signs of fraudulent calling, like the length of calls and any divergences from normal call patterns.
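The monitoring described above can be sketched with a plain statistical baseline, used here in place of an AI model: the added example below (not from the original article or any vendor) scores each hour's call count, mean call length and peak simultaneous calls against earlier hours. The call records, the (start, duration) layout, the function names and the 3.5 threshold are all assumptions made for illustration.

```python
from statistics import median

def build_sample_cdrs():
    """Constructed CDRs as (start_second, duration_seconds); not real traffic."""
    cdrs = []
    for hour in range(6):                      # hours 0-5: ordinary load
        for i in range(20 + hour % 3):
            cdrs.append((hour * 3600 + i * 170, 180 + (i * 37) % 120))
    for i in range(90):                        # hour 6: many long, overlapping calls
        cdrs.append((6 * 3600 + i * 20, 900 + (i * 53) % 600))
    return cdrs

def peak_concurrency(calls):
    """Largest number of calls in progress at once (sweep over start/end events)."""
    events = sorted([(s, 1) for s, d in calls] + [(s + d, -1) for s, d in calls])
    live = peak = 0
    for _, delta in events:                    # ends sort before starts on ties
        live += delta
        peak = max(peak, live)
    return peak

def hourly_features(cdrs):
    """Per-hour call count, mean duration and peak concurrency."""
    buckets = {}
    for start, duration in cdrs:
        buckets.setdefault(start // 3600, []).append((start, duration))
    return {hour: {"calls": len(calls),
                   "mean_duration": sum(d for _, d in calls) / len(calls),
                   "peak_concurrency": peak_concurrency(calls)}
            for hour, calls in sorted(buckets.items())}

def robust_z(value, history):
    """Deviation from the baseline median in MAD units, with a floor on the MAD."""
    med = median(history)
    mad = max(median(abs(x - med) for x in history), 0.1 * abs(med), 1.0)
    return (value - med) / (1.4826 * mad)

def flag_hours(features, baseline_hours, threshold=3.5):
    """Return {hour: [features that exceed the baseline]} for non-baseline hours."""
    flagged = {}
    for hour, feats in features.items():
        if hour in baseline_hours:
            continue
        reasons = [name for name, value in feats.items()
                   if robust_z(value, [features[b][name] for b in baseline_hours]) > threshold]
        if reasons:
            flagged[hour] = reasons
    return flagged

if __name__ == "__main__":
    print(flag_hours(hourly_features(build_sample_cdrs()), range(6)))
```

In production the baseline would come from the same hour and weekday in prior weeks, since contact center volume is strongly seasonal.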

Insider threats: Your own employees pose both an intentional and unintentional risk. Financially-strapped or malicious employees may be tempted to access your CCaaS system in an attempt to obtain PII for monetary gain. Call center representatives will steal customer data — like payment information or account information — and either use it themselves or sell it to outside agents. Taking a zero-trust approach and closely monitoring CCaaS access for odd usage patterns can help mitigate these types of intentional security breaches. 

Additionally, human error is the number one cause of data breaches. One in three employees is likely to fall for a phishing scam, such as accidentally downloading a malware-infected email attachment. And for one in five companies that suffered a malicious data breach, the cause was stolen or compromised employee credentials (for example, failing to use a strong password or reusing the same password for multiple accounts). To prevent employee mistakes, it’s important to invest in cybersecurity training and education.

In addition to fraudulent calling and insider threats, enterprises need to be on the lookout for ransomware, which continues to make up a larger share of total cybercrime year-over-year. One in every two organizations was hit by ransomware in 2020 alone, costing victims an average of $1.85 million per attack.

The costs aren’t limited to just paying the ransom. Other costs associated with a ransomware attack include loss of data, post-attack disruption to business continuity, deletion of hostage data and systems, restoration of data and systems, reputational harm, legal ramifications and lost business.

4 Ways to Strengthen Your CCaaS Security Posture

There’s no one-size-fits-all approach to securing your CCaaS solution. Many of the same security precautions you would use across the network will also apply here. Your strategy should take into account a variety of factors like your company’s size, existing technology stack, resources, compliance regulations and risk tolerance. By performing due diligence and following best practices, you can strengthen your security and minimize potential risks:

1. Adopt a zero-trust approach

A zero-trust approach takes the default position that devices should not be trusted, even if they’re connected to a corporate network or have been previously verified.

Put measures in place to authenticate individual users each time they enter the CCaaS system, such as multi-factor authentication. Also, enforce the principle of least privilege by giving employees the minimum level of access needed to perform their role. This can minimize the likelihood that employees steal customer information or that hackers are able to escalate their privileges after gaining access to an employee account.

Organizations that deploy a zero-trust approach can identify the signs of an attack and take action more quickly than those that don’t. In the event of a data breach, zero-trust organizations also lose $1.76 million less than companies without zero-trust strategies deployed.

2. Know the signs of cyberattacks and establish an incident response plan

While some cyberattacks occur in less than a day, others can take weeks. By knowing the signs of an attack and establishing an incident response plan, you may be able to stop the malicious actors in their tracks or at least minimize the attack’s effects. For example, in the case of ransomware, nearly a quarter of organizations were able to stop the attack before their data was encrypted.

Look out for the following common (but not necessarily definitive) signs that cybercriminals may be in your network and are planning to launch an attack:

  • Sign-ins from unusual locations or at odd hours
  • Unexpected network scanners
  • Unauthorized access to Active Directory
  • Software removal
  • Small-scale, test attacks

3. Educate your employees

Your employees are your first line of defense, so it’s critical to invest in their cybersecurity education. Incorporate security training into your onboarding process and conduct all-company training annually. Create a “security best practices” document that contains basic tips and reminders, including clear steps for employees to report breach attempts, security incidents or anything suspicious to management. Also, be sure to set up a recurring reminder that requires employees to change their passwords after a set period of time.

You’ll also want to make sure your cybersecurity training incorporates phishing training. Ninety-one percent of cyberattacks begin with spear-phishing emails, so it’s important your employees are able to identify these messages. Share real-life examples by forwarding phishing emails (with the links disabled and attachments removed) to your employees as they enter your inbox.

4. Don’t go it alone

DIY security is difficult and typically not cost-effective for most organizations. Cybersecurity professionals are in high demand and expensive to retain as full-time staff. When they inevitably leave your organization, you’ll lose valuable historical knowledge about how your systems are secured.

Instead, partner with a third-party Trusted Advisor that has the resources, network, experience and ongoing training to ensure your CCaaS solution is implemented with security in mind and remains secure moving forward. The right partner can provide guidance that’s tailored to your organization’s needs and help you scale as you grow. A Trusted Advisor will also alert you to new technologies and best practices to ensure your security is always up to date.

Like any technology, security is a primary consideration in a CCaaS solution. Internal and external threats are everywhere and can affect any organization, regardless of size or industry. By taking a proactive approach to CCaaS security and leaning on trusted advisory resources, you can minimize the effects of bad actors and help your organization maintain continuity, serve its customers and continue to grow.

About the Author:

Ken Presti is the Vice President of Research and Analytics at AVANT, where he develops the strategic framework and manages the process of leveraging AVANT’s internal data and external data to drive high-value market research designed to help consultants, agents, channel partners, and other members of the Trusted Advisor community more effectively help their business customers understand and evaluate Information Technologies (IT).
