Complicit agents and insider fraud are something most contact centers refuse to acknowledge publicly, and it makes sense. No BPO wants its customers to know that there is an inherent internal risk when it comes to outsourcing customer service. Contact center agents are often the targets of malicious activity because if an agent's account can be compromised, or accessed with the help of a complicit agent, it opens the door to a treasure trove of the BPO's customers' data.
The team at Twosense has written about complicit agents in the past, specifically regarding outsourcing contact center roles and agents essentially operating as shadow BPOs. But there is something even more ominous lurking in the contact center world: collusive threats. Collusive threats are a subset of malicious insider threats where one or more insiders collaborate with an external threat actor to compromise an organization. Our team has been told by senior-level BPO leaders that agents have been offered upwards of $20,000 to help a threat actor access confidential customer information.
A username, a password, and a complicit agent are all it takes for an unauthorized individual to access the agent's device via remote desktop, and just like that, the organization has suffered a massive data breach. Although this scenario has largely been kept out of the public eye, it is happening, and the consequences are disastrous. In one example, we heard of a criminal organization colluding with several insiders to gain access to a telecom’s user data and perpetrate millions of dollars in fraud against the organization. “We didn’t know until one day the US Secret Service was at the door. They shut down the facility, interrogated the staff, and made several arrests. That facility never recovered from the financial and reputational damage of the event,” said a source who worked and wished to remain anonymous.
An agent who helps facilitate a data breach can single-handedly destroy an organization's reputation, resulting in the loss of its clientele and even government intervention. Additionally, the company may face legal action and hefty fines for failing to protect customer data adequately. PCI DSS Requirement 8 focuses solely on identity security, and if the organization was also non-compliant when the breach occurred, it can face additional fines upwards of $500k. A data breach of this nature, and its subsequent consequences for the business, is literally a worst-case scenario for any BPO.
Collusive threats don’t just happen, though. Numerous variables go into creating an environment where something like this is feasible. Underpaid and overworked agents are hard-pressed to say no to a one-time lump sum payout. With an average industry churn of 150% and a high-stress customer-facing role, agents may be compelled to accept such an offer because they know they can go find a new role elsewhere, if they aren’t caught.
This is just one reason why organizations must provide agents with adequate salaries and benefits. The first and most important line of protection when it comes to preventing and mitigating collusive insider threats is your workforce.
There are also technical hurdles to overcome in this scenario. BPO contact centers are dealt a challenging hand when it comes to being able to prevent this. Implementing identity security for contact center agents is extremely difficult for BPO security teams. Our experts have extensively covered why contact centers need more than traditional multi-factor authentication as part of their identity security policies.
This is especially true for work-at-home agents. Since the beginning of the COVID-19 pandemic, an estimated 2.8 million contact center agents have transitioned to remote environments, with more than half remaining remote. Since that transition, contact centers have been trying everything from webcam monitoring systems to voice biometrics in order to secure their remote workforces. Neither of these has been successful for any organization.
How does a BPO solve this problem in a way that authenticates agent identity and prevents unauthorized access? The best solution to ensure the identity of remote agents is to deploy a continuous, behavioral biometric multi-factor authentication solution that cannot be manipulated or fooled into believing that one individual is, in fact, another.
Twosense Continuous MFA does precisely this. By leveraging machine learning and passive biometrics, Twosense is able to create a unique profile for each user. Each model continues to learn and adapt to changing behaviors whenever a user passes an MFA challenge. The more behavior is observed, the more confident Twosense can be that the user is who they claim to be. When the model is mature, Twosense can validate the user's identity and create a baseline of trust. That trust score is what is used to authenticate the user continuously throughout the day or flag suspicious behavior, even with a complicit or compromised agent.
That means that should a collusive threat occur, either on-prem or remotely, where an agent attempts to give a threat actor access to their device via a remote desktop session, Continuous MFA will immediately detect the behavioral mismatch and terminate the session, protecting both the BPO and its customers' data from malicious activity.