On September 11, 2023, MGM reported a “cybersecurity issue” affecting some of its systems. The disruptions were caused by a cyber-attack on MGM’s IT help desk. A hacker, impersonating an IT employee, called and talked an employee into divulging secured data, including customer names and social security numbers.
This is one of many news stories about a security breach that came through a customer service employee. When data breaches happen, they often start unwittingly with humans. People make mistakes, want to help, and can be manipulated into saying more than they should.
The growing threat of call center cyberattacks
Like other large businesses, carriers face significant risks from cybersecurity threats, which can sneak in through the customer service desk. The employees who man call centers are hired to answer customers’ questions. However, the qualities that make them excellent customer service representatives (CSRs) also make them attractive targets for cybercriminals.
Call center employees in insurance companies are:
- Ready to help. An excellent CSR wants to find a resolution and will listen carefully to a customer’s complaints and inquiries. These empathetic responses make them vulnerable to a bad actor skilled in manipulation.
- Pressed for time. Everything they do is measured—time on the call, minutes to a resolution, and number of calls per day. Because they are always in a hurry, they make mistakes when pressed for secure information.
- Ready for comprehensive cyber training. These employees are usually well-trained in insurance customer service but not in cybersecurity, detecting manipulation, social engineering, and data breach tactics.
Securing the help desk to protect client data
Human vulnerabilities may cause weak spots in cybersecurity, but taking people off the customer support center is not a solution. The qualities that make employees susceptible to data breach attacks— compassion, a willingness to listen, and a desire to fix a problem—make them excellent CSRs. Therefore, shoring up the help desk's weak spots depends on a company-wide commitment to training and reevaluating the time pressures CSRs work under.
Training beyond insurance service
For carriers and other large insurance companies, rigorous and regular employee data security training is a first-line defense against cybercrime.
For many companies, employee security training is often a check-the-box requirement. These trainings usually occur annually and include basic data security information like “Don’t leave your badge out” or “Close your computer when you’re away from your desk.”
But, in this new age of cybercrime, customer service employees require a robust education that teaches them about the potential risks entering through customer service. For example, a request for sensitive data might be cloaked as a friendly conversation from a kind customer. Or someone on a call might have scoured a CSR’s social media, looking for ways to gain trust. These scenarios are not included in typical corporate training modules but are critical for teaching employees about malicious social engineering techniques.
Additionally, critical security training is ongoing and updated continuously. Once-a-year updates can never keep up with criminals working at the speed of the Internet. Learning programs written when dial-up modems were the hottest technology will not hit the right notes as cybercriminals upscale their methods.
To improve security, check the metrics
In the past, call centers were measured in terms of time, and faster has always been better. A resolution that comes in 60 seconds was better than one that comes in 90.
Today, these “faster-is-better” measurements might cause a data breach. Measuring employees with time metrics that press them to move faster might make sense from a strict cost-savings analysis, but the security losses that may occur outweigh any savings.
In his article, “SaaS companies excel at customer success. You can too...” Vertafore’s VP of customer support, Andy Mickelson, explains the value of using qualitative metrics to measure customer service efforts.
“Customer satisfaction scores – along with freeform comments, indicate whether the customer’s needs for overall quality of service (QoS) were met. Instead of judging effectiveness using metrics like first-touch resolutions and call duration—which can be easily manipulated and ultimately don’t determine QoS—SaaS providers find success in measuring ASA and overall satisfaction.”
Call desk employees who can take their time and apply the “smell test” to customers' requests become guardians of sensitive data, while those who need to move quickly to the next call become sieves.
Well-trained customer service employees are invaluable. They are the people who stand on the line and are often the only voices customers hear. No business can operate without them. However, the new frontier for carriers’ cyber protection is ensuring that the people who answer the phones and solve the problems do not have data security vulnerabilities.