Why is Customer Support a Target For Hackers?
The customer service department is an essential part of any successful business. CEOs and team leaders are aware of the importance of having a qualified customer service team to provide an excellent customer experience.
However, it’s not just about pleasing the customers. This job also comes with the major responsibility of safeguarding your customers’ data. Companies build their businesses on customer trust. And nothing says that your company is unreliable more than a data breach.
If data procedures are not carried out according to certain standards, the risk of a data breach grows. Furthermore, that means that the consequences of poor data protection, such as plummeting revenues and damaged brand reputation, are imminent.
You may have heard of last year’s Microsoft customer support data breach fiasco, when millions of customer data records were stolen. This is a powerful company, but they still saw a drop in sales. The customer service department is usually the hackers’ main target because of inadequate protection strategies and low-budget solutions.
Are you taking your customer support data privacy seriously? If your answer is yes, then read on to see why customer support is a popular target for hackers.
1. Data Collection
Customer data is big business. Some companies have built their entire business model around data collection, such as agencies providing targeted ads. The majority of companies utilize gathered data for internal purposes. Customer support is at the heart of a data-collection machine that stores valuable Personally Identifiable Information (PII).
The PII database consists of demographics and behavioral customer profiles that help companies provide better services. This database enables business leaders to contextualize the data and draw insights from it. Leveraging this data increases efficiency and profitability.
In customer support, your customers have the opportunity to provide additional contextual information on the problem or question they are contacting you about. This can quickly blur into private personal details that your support operation may not be prepared to handle. Most customers outside of the tech world have little understanding of the risks associated with sharing information online.
Five types of PII:
- Personal data: This category includes highly sensitive data such as gender information, Social Security numbers, IP addresses, device IDs (both for laptops and phones), and web browser cookies.
- Engagement data: This category includes information regarding customers’ interaction with your website, app, social media pages, customer service channels, and paid campaigns.
- Attitudinal data: This type of data includes metrics on product desirability, consumer satisfaction, and purchase criteria.
- Behavioral data: This data type encompasses PII on product usage, purchase histories, and qualitative data such as mouse movement.
- Disclosed data: This data type includes extremely sensitive information that consumers mistakenly disclose, such as credit card numbers, passwords, blockchain keys, account numbers, driver's license numbers, passport numbers and other highly privileged information.
When you get a customer’s consent, you are allowed to collect a large amount of quantitative and qualitative data that you can use to improve their experience. This analysis helps you sharpen your mind and strengthen the decision-making process.
However, you are responsible for the safety and security of the PII. It is your pain point and, in other words, a hacker’s main target.
Customers frequently do not understand the risk of including disclosed data in their customer support communications. Once this information makes it into a support ticket, it may be stored in plain text, shared insecurely by email and viewed by unauthorized team members.
It is doubtful your support team is trained to properly handle credit card numbers to maintain PCI compliance, or on what to do when a customer discloses their PII in a support chat.
This kind of accidentally disclosed information is a literal goldmine for hackers and another reason your support department has a target on it.
2. Data Sharing
Collected data doesn’t just stay in the customer service department. Depending on its use and purpose, it is passed to other business areas which all have the company’s success and customer happiness as the main goals of their strategies and operations.
For example, the data can be used for marketing purposes, such as creating specific ads that a customer would like to see based on their previous purchasing experiences.
It can be used for the management of website users with intent to optimize the website experience or to protect both customers and employees. When your employees share data within the company and cooperate on multiple data projects, they are creating more opportunity for hackers.
In many companies, this data sharing extends to third-party systems outside your organization. This is particularly likely if any part of your organization makes use of cloud-hosted software. Cloud-hosted tools utilize shared resources and typically share data with additional third-party services, creating a “web” of shared data that your organization has little control over.
Every time this customer support data is shared, it creates an additional “attack surface”, or place where hackers may begin an exploit.
3. Data Storage
Even when you no longer need certain PII and decide to store it, your customer data is still at risk and represents an attractive target to hackers. You need strong security walls to protect your database.
All data collection, sharing, and storage fall under GDPR, CCPA requirements, and many other country-specific data privacy and security laws, which mandate maximum protection.
Privacy laws typically require that you have a legitimate purpose for data collection and storage. Additionally, you have to be transparent regarding the information you are planning to keep as customers may not approve of it.
In any case, you should minimize how much data you store when possible to reduce the loss in the event of a data breach. For instance, if you need their email addresses for a marketing campaign, you don’t necessarily need their physical or IP address.
Unfortunately, even when you follow all of the data privacy and protection laws, trouble can still occur. The best way to store your data is to use a private cloud solution with data policy compliance where you are the owner of your own lawful data storage. With a CRM you have multiple advanced features to run your customer support department, such as request automations and an AI chatbot.
4. Weak security wall
Sometimes customer service departments can sacrifice data security, whether knowingly or unknowingly, to maintain a user-friendly interface and ease of communication. Their goal is to make cooperation seamless for both customers and employees. This is especially important for websites that include user login data that is highly vulnerable.
Is slightly improved ease of use really worth the lack of security? When you think about how a data breach could cost you more than $8 million, as well as your prestigious brand identity, probably not. Additionally, there are minimally intrusive security solutions, such as two-factor verification, that you can utilize to keep your customers both secure and happy.
5. Large department
Customer service most often makes up a large portion of a company. This is the largest department and it also experiences the highest employee turnover in a year.
These employees are at the forefront of a company’s cybersecurity battle, so they need to be fully equipped and trained to be prepared for the security challenge. Unfortunately, it is difficult to monitor the activities of all agents, making the customer service department the weakest link.
Additionally, companies sometimes assume that their agents possess enough knowledge of security and privacy when the reality is the opposite. Make sure your customer service department looks less attractive to hackers by conducting frequent meetings and cybersecurity training sessions on the latest cybersecurity tech tools and techniques.
Luckily, according to a CX Network study, customer support reps are willing to improve the safety of the company’s data procedures – the key is giving them the tools to do so.
6. Helpdesk software not focused on security
Most customer support tools were not built with modern security and privacy needs in mind. In fact, many of the problems discussed in this post can be mitigated by using a data security focused helpdesk software.
This type of platform is usually what’s known as a “single tenant” solution, meaning the server and database only include your own data.
By moving customer support data away from shared SaaS providers, you can regain a tremendous amount of control over data storage and sharing. Implementing the security and privacy minded features described below will go a long way towards improving your data security:
a) Permissions - Least Privilege
There is an old security adage known as least privilege. To ensure the most secure operation, agents should only be able to access the bare minimum required for them to complete their jobs. Tier 1 agents should only be able to see Tier 1 tickets, for example.
b) Single sign-on
Preventing non-customers from creating tickets and gaining access to your support team is a good first step in securing your operation. Using single sign-on means access is made seamless and more secure by connecting it to a dedicated authentication service.
c) Data masking
Customers have an uncanny ability to put sensitive information into support communications. It is not uncommon for passwords, credit card numbers, social security numbers and other private information to find their way into tickets. Data masking solves this problem by automatically hiding these and other bits of information and preventing them from being saved.
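A minimal sketch of the masking step described above, as an added example that is not taken from this post or from any helpdesk product. The function names, patterns and placeholder strings are hypothetical, and it covers only card numbers, US Social Security numbers and passwords; it is meant to run on a ticket body before the body is written to storage.

```python
import re

# Constructed sample ticket text (the card number is the standard Visa test number).
SAMPLE = ("Hi, my card 4111 1111 1111 1111 was declined on order 1234567890123. "
          "My SSN is 123-45-6789 and my password is hunter2 if you need it.")

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# US Social Security numbers written as 123-45-6789.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# "password: x", "pwd=x", "password is x" (but not "password issue").
PASSWORD_RE = re.compile(r"(?i)\b(password|passwd|pwd)(\s+is\s+|\s*[:=]\s*)(\S+)")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so long order or tracking numbers are not masked as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_ticket(text: str):
    """Return (masked_text, findings). Call before the ticket body is persisted."""
    findings = []

    def mask_card(m):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_valid(digits):
            return m.group()                # fails checksum: leave untouched
        findings.append("card")
        return "[CARD ****" + digits[-4:] + "]"   # keep last four for the agent

    def mask_ssn(m):
        findings.append("ssn")
        return "[SSN REDACTED]"

    def mask_password(m):
        findings.append("password")
        return m.group(1) + m.group(2) + "[REDACTED]"

    text = CARD_RE.sub(mask_card, text)
    text = SSN_RE.sub(mask_ssn, text)
    text = PASSWORD_RE.sub(mask_password, text)
    return text, findings
```

The `findings` list can drive an agent-facing notice or a metric without logging the sensitive value itself.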
d) Secure Email
Email is inherently insecure and a favorite target for hackers. The most secure support tools ditch email and instead route all requests through a secure web portal. Customers can still be notified of an agent's response by email - but instead of including the full answer in the message, the customer is prompted to visit the secure portal to view the agent's response.
e) Control over logs, backups, physical location, etc.
To ensure complete control over your customer support data security, you must lock down and retain control over more than just the database. Being able to delete, secure and keep control over the server log files and backups is equally important as they may include much of the same information.
f) Right to be forgotten requests
The GDPR and CCPA both require that you delete or anonymize all of a consumer's data that you have collected or stored upon their request. Privacy-oriented support software gives you the ability to do this easily with either a button or API request.
7. Separation from IT department
Companies that keep IT and the customer support department separate are making a huge mistake. IT employees are experts in data security, while customer support is the frontline for safety.
It is often the case that customers include their sensitive data, such as credit card numbers or phone numbers, within support communications, making this information an attractive target. This PII is easy to access for hackers, but hard to protect for IT experts.
Thus, it only makes sense that leaders of the IT and customer support sectors should collaborate on security projects. However, if the company uses a secure customer support helpdesk as the main communication channel for both customers and agents, the chance that sensitive customer information ends up in the wrong hands drops significantly.
IT professionals know how to communicate complex data security terminology using plain language that both customers and customer support reps understand. Therefore, any security manual should be created in consultation with them. It takes a company-wide effort to protect collected and stored data.