I get it. Rarely a week goes by that we don’t read about the latest data breach at a large corporation that has compromised thousands or millions of customers. As an executive or someone responsible for weighing the risks and making decisions that have some similar security concerns, it’s difficult not to immediately wonder who’s responsible and think of the wrong turn their career probably just took. No one wants to be THAT person.
When we begin to manage our business from a point of fear rather than creativity or customer convenience, security shifts from being one of the top considerations to being THE gating factor deciding what projects can pass. After all, who is going to champion a project that was killed for being a security risk?
This is how you, as a consumer, end up in an IVR that requires you to authenticate before allowing you to pay your own bill. Or when speaking to technical support, you are required to prove you are the account owner before getting help to troubleshoot your home internet connection (one you feel you are already paying too much for).
But, there are some practical steps a business can follow to ensure security, enable customer convenience, and empower business innovation.
Not all risks are created equal
The first step is to understand what exactly is at risk. Face it, every time one of us puts our credit card down at a restaurant, we take a security risk. You’re unlikely to ever launch a new customer facing project that has zero risk. If you think you have, it probably means you missed something. That being said, you can get a good gauge considering these basic points:
- Are there legal requirements or Government rules that apply? PCI compliance and the handling of PII (Personally Identifiable Information) are two areas that stand out. The important part here is that you really understand how these apply to your project. PII rules, for instance, govern privacy and make sure you’re not giving this information out unless the proper credentials are supplied. For most customer support and self-help projects, you aren’t giving this information out, so it doesn’t apply.
- What’s the scope of the risk? Are we talking about exposing hundreds or thousands of accounts at once (such as exposing a large database) or is it a single account? Going back to the IVR authentication issue above, while it’s possible someone would steal a credit card and then use it to pay for someone else’s cable bill, the risk (and subsequent damages) are small. It doesn’t make sense to make all your customers go through this process.
- Can you ‘layer” your project? When you start a project, especially a self-help application, it’s important to consider three layers: Generic, Identified, Authenticated. Generic information is that which you can provide without knowing specifically who the customer is (or verifying that). Things like where to find their balance on their bill or how to reboot their router are good examples. Identified information is account specific and requires some form of identifying, usually the account phone number, but falls short of requiring a “secret”, pre-established means of authenticating. This information can often allow you to do something as simple as telling a customer what speed tier they have or as complex as allowing them to pay your bill. Authenticated information is the most secure, but also the most difficult for customers to access. This should be used for things like making account changes or before releasing any PII information. As a general rule in self-help, you should expect to lose about 25-33% of your users for each step you require, meaning you’ll only get 66-75% of your users when you force them to identify and 50%-66% when you force them to authenticate.
- What does your legal and/or security team think? While you should always engage these teams when available, it’s important to remember their job isn’t customer support or sales. I’ve learned that their role is to rate your risk on a scale of 1 to 10, where 1 means “Too risky, you probably shouldn’t do it” and 10 means “Too risky, you DEFINITELY shouldn’t do it.” Don’t use them as a scapegoat or an excuse. Work with them diligently to understand their concerns and find legitimate ways to meet both your needs.
It’s here to stay, so you might as well get good at it!
As technology continues to expand and enhance contact centers, there is no doubt that security concerns will continue to grow at an equal (or faster!) pace. The better you get at managing these concerns, working with the correct internal teams, and continuing to roll out effective enhancements, the better off your company (and you as a sought-after resource) will be.