Cyberattacks are increasingly frequent and expensive (averaging up to $4.4M per breach in 2022). Research shows that roughly 88% of breaches involve human error, and about a quarter of them start with a social engineering or spear-phishing attack. For BPOs this is particularly bad news: contact centers are filled with people, and those people are their greatest asset. They are also becoming their greatest liability, because each agent is a social engineering and spear-phishing target.
Over the last two years, phishing-resistant MFA has become a mandate in other sectors, starting with federal agencies, and it will eventually become a mandate in the contact center environment. That creates a seemingly unsolvable problem for BPOs, which cannot adopt the usual phishing-resistant technology: hardware tokens and cryptographic credentials on mobile devices.
Social engineering and phishing are nothing new to BPO contact centers or their agents. Both are security threats inherent in their scope of work. Contact centers are constantly under attack by threat actors looking to breach their systems, because breaching a BPO gives the attacker a foothold in the infrastructure of every one of the BPO's customers. On top of that infrastructure access, the threat actor gains a trove of personally identifiable information (PII).
MFA is already mandatory for contact centers that need to stay compliant with the Payment Card Industry Data Security Standard (PCI DSS): v3.2.1 requires it for access to the cardholder data environment, and the stricter v4.0 becomes the only active version in March 2024. MFA was once thought to be the antidote to phishing: even if a user's credentials are compromised, MFA was the last line of defense. But contact centers need more than traditional MFA. If the coming standards are any indication, it is reasonable to assume that phishing-resistant multi-factor authentication will become necessary in the future.
In 2022 cyberattacks rose sharply, with roughly 4,100 publicly disclosed data breaches and 22 billion records exposed, and contact centers were among the targets. Last year some of the most prominent names in the BPO space experienced data breaches, most of which resulted from MFA fatigue. Prompt bombing (also called MFA fatigue or push bombing) is a form of social engineering: an attacker who already holds a stolen password triggers push-notification MFA prompts over and over, relying on annoyance, fear or a follow-up call posing as IT support, until the target taps Approve. The tactic was used to bypass Microsoft's and Okta's MFA last year, and the group behind the SolarWinds compromise has also been observed using it.
As threats evolve, so must security. Phishing-resistant MFA goes further than simply adding a second factor to a username and password: it uses factors that cannot be typed, read out or approved on an attacker's behalf, such as biometric verification, so there is nothing for a phished agent to hand over.
The move towards biometric, phishing-resistant MFA won't be a sudden or new initiative. The Office of Management and Budget (OMB) has advocated phishing-resistant multi-factor authentication (MFA) for several years. Executive Order 14028 (May 2021) directed federal agencies to adopt MFA, and OMB memorandum M-22-09 (January 2022) requires agencies to use phishing-resistant MFA for staff, contractors and partners, naming PIV smart cards and FIDO2/WebAuthn authenticators, which are typically unlocked with a biometric or PIN, as the phishing-resistant options. While those documents are directed at federal agencies, phishing-resistant MFA and a security posture built on zero-trust principles are encouraged as best practices across sectors.
Based on current security trends and the increasing sophistication of cyber threats, it is reasonable to assume that phishing-resistant MFA will become a required security measure for many organizations in the future.
Researchers at Stanford University found that 88% of security breaches had an element of human error. The same research determined that 25% of breaches resulted from social engineering or phishing emails. This highlights why traditional MFA cannot give contact centers the security they need: a one-time code or a push prompt is only as strong as the person who types it or taps Approve. While agents may not intend to fall for a phishing email or approve a prompt-bombing MFA challenge, they are still human and will inevitably make a mistake.
Ultimately, unphishable MFA will make its way to the contact center as a requirement. Still, implementation hits the same immovable object when it arrives. Contact centers adhere to strict clean desk policies, meaning agents can't use mobile phones on the floor. Hard tokens are expensive and difficult to manage, which makes them impractical in a high-turnover contact center. Most biometrics require dedicated hardware for retina or face scans, fingerprints and so on, which is simply too expensive to deploy at scale. Finally, staff turnover is so high that even employee training on phishing, prompt bombing and other forms of social engineering is ineffective. Essentially, preventing spear-phishing is infeasible and unaffordable for BPOs using standard technology.
That is why Twosense developed a software-only, phishing-resistant MFA. Continuous MFA uses behavioral biometrics (patterns in how a person interacts with their workstation) and machine learning to build a trust score, which is then used to authenticate agents continuously throughout the day. Twosense is different because the agent never actively takes part in an MFA challenge; everything happens invisibly. That matters because the consequences of one mistaken approval can be severe: even temporary access to a secure system is enough for an attacker to register their own device as an authenticator, after which every future MFA challenge goes to the attacker's device. One approved prompt becomes persistent access to your network.
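The two failure modes described above, a prompt-bombing run that ends in an approval and an authenticator enrollment shortly after it, both leave a recognisable trace in authentication logs. The following is an added example, not Twosense code and not any identity provider's real log schema: it parses a few constructed log lines (the `user=`/`event=`/`result=` field names and the thresholds are assumptions) and flags an approval that was preceded by a burst of denied or timed-out push prompts, noting whether a new authenticator was enrolled soon afterwards.

```python
"""
Detect MFA push-fatigue ("prompt bombing") from authentication logs and flag
authenticator enrollments that follow a suspicious approval.

Added example: not Twosense code and not a real vendor log format. The log
lines and field names below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format):
#   "<ISO timestamp> user=<id> event=<push|enroll> result=<approved|denied|timeout|ok>"
# agent42 is bombed with four rejected/ignored prompts, approves the fifth, and
# a new authenticator is enrolled five minutes later. agent07 shows normal use.
SAMPLE_LOG = """\
2023-03-01T09:00:05Z user=agent42 event=push result=denied
2023-03-01T09:00:41Z user=agent42 event=push result=timeout
2023-03-01T09:01:12Z user=agent42 event=push result=denied
2023-03-01T09:01:50Z user=agent42 event=push result=timeout
2023-03-01T09:02:30Z user=agent42 event=push result=approved
2023-03-01T09:07:10Z user=agent42 event=enroll result=ok
2023-03-01T09:15:00Z user=agent07 event=push result=approved
2023-03-01T10:02:00Z user=agent07 event=push result=denied
2023-03-01T10:40:00Z user=agent07 event=push result=approved
"""

REJECTED = ("denied", "timeout")  # prompts the user did not approve


def parse_log(text):
    """Parse the constructed log format into dicts with a datetime 'ts' field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *kvs = line.split()
        rec = dict(kv.split("=", 1) for kv in kvs)
        rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_push_fatigue(events, min_rejections=3,
                        window=timedelta(minutes=10),
                        enroll_window=timedelta(hours=1)):
    """Return one alert per approval preceded by >= min_rejections rejected
    pushes for the same user inside `window`. Each alert records whether an
    authenticator enrollment followed within `enroll_window`, the persistence
    step an attacker takes after a successful bombing run."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        pushes = [e for e in evs if e["event"] == "push"]
        enrolls = [e for e in evs if e["event"] == "enroll"]
        for i, approval in enumerate(pushes):
            if approval["result"] != "approved":
                continue
            rejected_before = [p for p in pushes[:i]
                               if p["result"] in REJECTED
                               and approval["ts"] - p["ts"] <= window]
            if len(rejected_before) < min_rejections:
                continue
            enrolled_after = any(
                timedelta(0) <= en["ts"] - approval["ts"] <= enroll_window
                for en in enrolls)
            alerts.append({
                "user": user,
                "approved_at": approval["ts"],
                "rejected_before": len(rejected_before),
                "enrolled_after": enrolled_after,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

A rule like this is only detection after the fact; it tells you which approvals to revoke and which newly enrolled authenticators to remove. The thresholds (three rejections in ten minutes, enrollment within an hour) are starting points to tune against your own prompt volume.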
Continuous MFA has nothing to phish: there is no key, code or push prompt an agent can hand to an attacker, and that is what makes phishing-resistant biometric MFA the next big requirement in contact center security.