No business is immune from the risk of insider fraud. The latest CIFAS Employee FraudScape report actually shows that 381 cases of fraud were committed by a company’s own staff in the UK in the last year alone – an alarming number. There’s no lack of examples, either. In 2018, healthcare leader Bupa was the victim of an employee breach. It has since been issued with significant fines by UK regulators for ‘systematic data protection failures’ after an employee attempted to sell 500 million client records on the dark web. Another strikingly similar example is a major broadband company which had to suspend a customer service team member following allegations of fraudulent activities on customer cards. The case is currently undergoing police investigation.
The risk of insider theft
In these examples, employees committed fraudulent account withdrawals using customer data that was gathered by the company. Although this type of data breach is quite worrying in itself, it often leads to scarier possibilities, such as “what if these actions weren’t noticed as quickly?”, “what if the transactions were for larger sums of money?” or potentially even “what if that employee sells on the customer data they got their hands on?”
Insider theft threats can seriously endanger a business’ reputation and credibility, especially with mandatory GDPR compliance and the threat of significant fines should a company not comply and fail to handle customer data securely.
Safeguarding contact centres
Most phone calls made to a company take place through contact centres. It’s the first-place customers turn to when they have a problem, which means these centres play a crucial role in shaping customers’ perception of a brand. Therefore, it is vital that they are at the forefront of financial security strategies and implement measures that will safeguard customers’ financial data.
Businesses must ensure that their customers’ personal data is protected from both internal and external sources. A critical first step is to remove agent access to payment card information. In today’s digital age, technologies have been created to ensure the contact centre agent is removed from the process of a phone payment. This is especially important when considering the robust PCI DSS and GDPR frameworks that are now in place in Europe to protect financial and personal data, and the penalties organisations face when breaches occur.
To offer the greatest possible level of compliance and to protect both their customers and themselves, businesses should equip their contact centres with payment systems that are GDPR-friendly and allow customers to connect directly and seamlessly to the card payment network to make payments while on calls. Payment systems can enable the customer to type in their credit card details directly through the phone keypad and share that information with the financial service provider straightaway, allowing for the contact agent to be removed out of the equation altogether. At the same time, it is crucial that while a customer makes a payment, they remain connected to the agent should any issues arise.
Customer trust is now what makes or breaks a brand. This means companies can no longer afford to take any risks with their customer’s data, especially at a time when the risk of insider fraud is so high. When companies implement secure phone payment strategies, they enable a positive customer experience that rests on trust and transparency, not to mention ensuring PCI DSS compliance. The priority for companies now is to make customer data safety a priority and remove the risk of insider threat.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.