With a recent study by the International Customer Management Institute (ICMI) and TalentKeepers stating that 70 percent of call center professionals expect unwanted turnover to increase or stay the same over the coming year, call centers could be facing an insider threat perfect storm. High turnover means low loyalty, which could indicate a risk in the call center to effectively secure customer data.

It has long been stated that the only truly secure computer is one locked up in a closet and powered off. While not a realistic objective, the data security approach in today’s call center environment parallels this with a paradigm that attempts to lock down services to the largest degree possible. This can lead to a false sense of security to the degree to which we must make services available to the end user.

A good example of this situation is with printers, which are often an underestimated risk. Either we shut printing off entirely, or leave it wide open to abuse. Ideally those users which handle customer data would still be empowered to print, but with a level of accountability. This is an objective that simply requires a deeper level of context over user data handling activity than exists in most environments today.

Problem: Lack Of Accountability Over Data Handling
This leads us to the biggest hole in security today; a broad based lack of accountability over data handling. In virtually all forms of sensitive business processes we have checks and balances, so why when it comes to data handling do we not? On the front end, at the point of access we place permissions controls but we lose all context over what happens to the data subsequent to access.

We have no visibility in to data activity at the desktop level where the data is most acted on. In most cases our breadth of understanding today is no more than a transactional log event from the source application or database at the point in which the data was accessed.

As such we have left users in control of the data from that point forward, and anytime your security model relies on end users for enforcement it is an inherently flawed strategy. Yet we continue to rely on written policy, which in effect depends on our end users to not only understand them, but to enforce them. Hardly a recipe for strong accountability.

Solution: A Holistic Approach
To begin with we have to reflect on all the possible services or vectors that we have made available to end users as potential points of dissemination. Once we have taken such an inventory we need to lock down anything that is not backed by some level of business justification.

The next step is to take a holistic approach to analyzing how data moves across all the remaining services or channels that we have exposed to our user base. Some organizations may argue against employee monitoring, but it is not necessarily what the user is up to that is so much in our interest, as much as it is auditing for where sensitive data is being moved. When it comes to endpoint data control, someone’s personal issues are the last thing we would want to have appear as a security event. In many environments an unexpected consequence can happen, as you may find users more than happy to be subjected to some additional level of accountability if it empowers them with greater access and control over computing resources.

By placing an endpoint agent on the machine that focuses on user interaction with the computer, and analyzes data as it moves from originating source to final destination we don’t get so caught up in specific protocols and low level detail. In this way we can focus our policy enforcement efforts in a more holistic fashion, covering the full breadth of user activity in a behavioral fashion.

You can think of the computing environment in terms of a series of trusted and non-trusted destinations. Destinations can include web site URL’s, email addresses or domains, applications, or file stores. If a user is to move sensitive customer data from a core banking application to an outlook window, and then send that data to a non trusted email location, that is something worth raising a security event about for review. It is all about having the capacity to first identify what sensitive data is, and then understanding the context of the situation and how the data is moving. Only then can we begin to establish true policy enforcement, and real world accountability.

Expand the scope of capability for a user to include a web browser or email and your lock down approach is eroded by orders of magnitude. Email has become less popular as a vector as it is known to be frequently filtered and more often than not recorded. While web content filtering is a common paradigm its focus tends to remain on what content is reachable, and what we should really be interested in is what data is going out via remote posts and file uploads. It’s easy enough for a perpetrator to send one of your users a web chat link and have them start posting sensitive data back via a browser based interface.