Fraud and insider security threats are just the tip of the iceberg for Business Process Outsourcing (BPO) organizations, which regularly face a myriad of challenges. The fact that they are often targeted by malicious actors due to their access to clients’ data only exacerbates the situation. Additionally, BPOs must navigate a complex regulatory landscape, including compliance with PCI-DSS and GDPR. In this post, we'll explore the current state of cybersecurity in BPOs, delve into the threats they encounter, examine the hurdles in implementing robust security measures, and discuss potential solutions to these issues.
Importance and Adoption of Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) has long been recognized as a highly effective method for safeguarding data and accounts from unauthorized access. In the realm of cybersecurity, MFA has become a cornerstone, particularly in situations where user credentials may be compromised. Research indicates that MFA can thwart up to 99.9% of account compromise attacks. Despite its importance, MFA adoption has been sluggish within the intricate environments in which BPOs operate. Instead, many BPOs have relied on single-factor authentication, such as password-only knowledge-based authentication (KBA). This reluctance to embrace MFA can be attributed to several factors, including the complexity of its implementation, associated costs, and the potential for a less user-friendly experience that could lead to delays and reduced productivity.
However, the tide is turning as BPOs are increasingly adopting MFA in response to escalating security concerns and mounting pressure from clients and regulators. Nevertheless, it's crucial to note that incomplete or improperly implemented MFA systems can still leave the door open to five threats that plague the industry:
- Phishing
- Prompt bombing
- Credential misuse
- Complicit agent fraud
- Agents outsourcing work
Phishing
Phishing is a type of cyber attack that involves fraudulent attempts to obtain sensitive information, such as usernames and passwords, by disguising as a trustworthy entity in an electronic communication. Typically carried out by email spoofing or instant messaging, it often directs users to enter personal information at a fake website that matches the look and feel of the legitimate site. Although email and instant messaging are the most common, phishing attacks can be carried out through various other means, including SMS, phone calls, and even social media. Due to the nature of the threat that typically results in compromised credentials, it is considered to be part of a more complex attack. According to the 2023 Data Breach Investigations Report by Verizon, 74% of all breaches include the human element, and 49% of breaches by external actors involved the use of stolen credentials.
To mitigate the risk of phishing attacks, BPOs should implement security awareness training programs for their employees, use email filtering and anti-phishing solutions, and regularly update their software and systems. Furthermore, a phishing-resistant MFA is an absolute must.
Prompt Bombing
Prompt Bombing is a form of social engineering that leverages annoyance, fear, and trickery to gain access to target accounts. Attackers bombard targeted accounts with numerous Multi-Factor Authentication (MFA) push notifications, especially at inconvenient times, to catch users off guard and frustrate them into approving an MFA challenge-response. This method was notably used in the past to bypass well-known MFA solutions. Similar to phishing, prompt bombing is only a small part of a more complex attack.
To prevent prompt bombing, BPOs should consider implementing adaptive authentication, which uses contextual factors such as location and device posture. Furthermore, utilizing an effective MFA solution that does not involve prompts is one of the most effective means to avoid prompt bombing attacks.
Credential Misuse
Credential Misuse involves the unauthorized use of login credentials, often by disgruntled employees or those facing financial difficulties. In many instances, the involved employee(s) may be in the process of leaving the company. This form of insider threat typically involves the theft or manipulation of sensitive data for personal gain or to inflict harm on the organization. Malicious actions such as identity theft, data theft, or unauthorized access to customer information can lead to severe consequences – ranging from substantial fines to loss of customers and damage to reputation.
To prevent credential misuse, BPOs should implement stringent access controls, consistently monitor user activity, and enforce the principle of least privilege. They should also conduct background checks on new hires and provide regular training on security policies and procedures.
Complicit Agent Fraud
Complicit Agent Fraud is a type of internal threat in contact centers where an employee (the agent) knowingly participates in fraudulent activities or colludes with external threat actors to compromise the organization’s security. This can involve the agent providing unauthorized access to sensitive data, assisting outsiders in bypassing security measures or engaging in other activities that put the organization and its customers at risk. Complicit agent fraud is a serious concern for Business Process Outsourcing (BPO) companies, particularly those operating contact centers. Agents in these environments may be targeted by malicious actors due to the potential access they have to a wealth of customer data. There are known cases where agents have been either offered significant sums of money or blackmailed to assist in data breaches. The consequences of such fraud can be devastating for the organization, leading to data breaches, loss of reputation, legal action, and hefty fines.
To prevent complicit agent fraud, BPOs should implement robust screening processes for new hires, regularly monitor user activity, and enforce strict access controls. They should also provide regular training on security policies and procedures and foster a culture of security awareness. Furthermore, implementing behavior-based multi-factor authentication, which is “unlendable,” can entirely eradicate the problem.
Agents Outsourcing Work
Lastly, agents outsourcing work is a threat that materializes when rogue contact center agents, particularly those working from home (WFH), delegate their responsibilities to third parties. This can involve agents passing on their work to family members, hiring other individuals at a lower pay, or even securing multiple positions and outsourcing the work for each role. This practice poses significant security risks as unauthorized individuals gain access to sensitive data and systems. It can also lead to a decrease in service quality, as these unauthorized individuals may not have undergone the same training and onboarding process as the authorized agent. Known examples include a case where a young adult was taking calls on behalf of their parent, who was the authorized agent.
The potential consequences of this practice can be data breaches, non-compliance fines, damage to the organization’s reputation, and loss of customers.
To prevent agents from outsourcing work, BPOs should implement strict policies and procedures, regularly monitor user activity, and enforce the principle of least privilege. They should also provide regular training on security policies and procedures and establish a culture of security awareness. Lastly, a continuous authentication solution is an excellent way of combating such a threat.
Conclusion
The current state of cybersecurity in BPOs is one of heightened risk and complexity. MFA serves as a vital stepping stone towards fortifying sensitive data and accounts and meeting essential regulatory compliance requirements. However, it's crucial to select and implement the correct technology so that the risks are truly mitigated. One potential solution is behavioral biometric authentication, which offers continuous authentication without disrupting the user experience. Twosense answers all mentioned requirements without the associated problems:
- It satisfies PCI-DSS needs;
- It does not add any additional privacy concerns;
- It is phishing-resistant;
- It is a perfect fit for environments with a clean-desk policy, where any additional devices could be seen as a threat (smartphones with cameras, etc.);
- Unlike hardware tokens, it does not introduce logistical challenges.
This cutting-edge technology can aid in detecting and preventing many of the threats outlined in this post, making it a valuable asset for any BPO's cybersecurity arsenal.
That said, MFA is not a panacea. BPOs must also address the challenges associated with implementing broader, robust security and anti-fraud measures, all while remaining vigilant against the various threats that loom over the industry. By acknowledging and tackling these challenges head-on, BPOs can make significant strides towards securing their organizations and safeguarding their customers' data.
