“Although no customer accounts were compromised, it was a really close call.”
This quote is from the first paragraph of a 2014 Chunkhost blog post. If you have ever worked in online customer service (or been responsible for customer data), you probably tensed up a little just reading it.
Customer trust plays a critical role in business success, and security compromises and data losses can erode years’ worth of hard-earned trust in an instant.
Storing, handling, and sharing customer information safely typically involves multiple departments both inside and outside a business. Even so, customer service teams are at particularly high risk of being a point of information security failure.
In this article, we’ll explore why, review the dangers, and share guidance on how to strengthen your customer service security defenses.
Why customer service teams are at risk of security failures
The job of a good customer service team is to solve problems for people — to find ways to get customers what they need as quickly and as kindly as possible. The combination of people who are primed to be helpful along with access to tons of customer information makes customer service a tempting target for attack.
Beyond the general attitude of service, there are several more specific reasons that customer service folks are a common point of entry in security breaches:
Pressure to be fast: When their job success depends on answering and resolving queries as quickly as possible, it becomes easier for customer service agents to overlook warning signs and give access where they should not.
Trust and empathy: Support team members are hired for their empathy for customers, and that empathy can be abused to induce people into believing lies or taking actions they would not otherwise take.
High turnover and limited training: Customer service roles tend to turn over quickly, so an attacker is likely to be able to reach someone who is inexperienced and more easily convinced to bend a rule or not notice a problem.
Lack of resources: Support teams often have limited tools for determining security risks and may have no access to real-time help in making decisions.
High levels of access: The nature of service, especially in SaaS support roles, means customer service staff can access and even change many customer details.
Customer service is also a highly accessible team in general, serving as the virtual front door for most businesses online. All of these factors combine to make contact centers a common point of entry.
The form that those attacks take can vary, but most common are variations on social engineering attacks.
The most common information security attack vectors used against support teams
Cartoons teach us that criminals are easily identified by their black eye masks and bulging bags labelled with currency symbols. Sadly, online criminals are rarely so easy to spot. They tend to use social engineering to get what they are after.
Social engineering is a form of attack that involves psychological manipulation of a person to gain access to private information or other valuables (as opposed to a technical or physical attack).
Social engineering can happen both remotely and in person. A typical example is persuading or tricking a customer service operator into giving account access to someone who is not the authorized owner.
Here are some specific methods attackers may use:
Attackers attempt to persuade staff by amplifying emotions and using that heightened emotional state to encourage poor decisions. Kaspersky lists several types of emotion that may be used:
Attackers will share stories intended to gain sympathy and build trust, or they may use bullying language to wear down staff. They will often also emphasize the urgency of the situation to create additional pressure and force a hasty decision.
Using preexisting information to create trust
If the attacker has already obtained details about the account or the person they are attempting to gain access to, they will try to build trust by sharing those details with the support person. This may help them pass through some of the usual security checks.
Masquerading as customer service staff
Sometimes your customers will be directly attacked by people who pretend to be from your own company to induce customers into sharing information with them. This is outside your control to some degree, but it must still be addressed.
Attackers may get access to a customer service team member's computer through malware, password theft, or other means and use it to access privileged information.
Theft of or unauthorized access to a team member's physical device can allow an attacker to access information directly or to insert additional software to create more access points.
These are only the most common angles of attack, but taking action on these will significantly increase your customer service security.
10 ways to secure your customer service team
If you search for customer service images, you’ll likely see a whole lot of smiling people in headsets. Being a welcoming face for a business is a key role, but as we’ve seen, they also need to play the role of club bouncer, keeping out the people with the security equivalent of the wrong shoes.
1. Train your staff on information security
The first step, on which all other improvements should be built, is to ensure the customer service team understands what information security is and why it matters. Without that context, they will always be tempted to work around constraints in order to help the “customer” in question.
Review your onboarding and ongoing training materials, and include materials on:
How to spot emotional manipulation.
Which tools and processes to use when verifying a person’s identity.
What to do if a customer reports fraud.
Which information is considered sensitive.
What legal requirements apply to their role.
Where it is not safe to share sensitive data (e.g., Slack or other third-party chat tools).
How and when to escalate security-related situations.
2. Be thoughtful about customer service metrics
The mentality of “the customer is always right” can lead to people bending security rules to be helpful, especially if they are afraid of getting a poor customer review.
Similarly, if your team is only measured by their speed, they may feel pressured to accede to dubious requests despite their misgivings. Make sure that taking action to carefully review possible security issues is seen as a positive action for their careers.
3. Make security part of your quality rubric
If you have a quality assurance process, include security-conscious behavior as part of your quality measurement.
4. Remove any unnecessary access
The simplest way to protect information from well-intentioned but manipulated customer service members is to make it inaccessible to them. If it is not strictly necessary, find a way to keep it separated or protected from them.
5. Track agents’ access and modifications
If access for customer service agents is necessary, logging their access to and modifications of customer information will help trace fraud and surface risky situations earlier.
6. Build security into your tooling
Whenever possible, build secure processes into the system rather than relying on people to manually follow the right procedures. For example, use a system that securely shares exported data only with the person who can log in to the account, rather than through a file that has to be attached to an email.
7. Keep sensitive information out of email
Customers love to send emails with their passwords or credit card information in plain text. Use tools that allow you to tag and remove those items quickly, and work on contact form copy and user interface checks to discourage them from being added.
8. Appoint a security lead
Establish a clear internal point of contact to review any potential security issues and make it easier for staff to consistently and quickly take action.
9. Have a security plan
Similarly, an easily accessible checklist of what to do if a security issue arises will make a timely and secure response much more likely.
10. Keep support teams informed
Well-trained support staff will constantly be looking for oddities and security issues. So if, for example, your engineering team is about to run penetration tests, make sure the support team is clearly informed. You do not want to create a situation where people assume any strange situation is probably an internal test.
Good security is good service
The better your frontline staff understand security risks and the more you build secure systems and processes into their daily work, the less likely a security failure becomes.
While it is true that good security practices may sometimes make for a slower or less convenient customer experience, it is vastly better than the experience of identity theft, fraud, or other consequences of a security failure.
Taking the necessary security steps is a tangible way of valuing your customers and their data. They may not appreciate it in the moment, but they will surely not tolerate its neglect.