Security Awareness for Customer Service Representatives

July 7, 2017 by

Customer service representatives are considered the frontline for your company. They have a huge effect on customer satisfaction, so organizations usually spend a lot of money training them on how to treat customers well. While this makes sense, be certain that security awareness is a priority, too.

What Does Security Awareness Entail for Customer Service Representatives?

Below, we review in detail what security awareness must mean for your company’s customer service representatives. Suffice it to say, though, these employees represent a very specific type of target for criminals.

We’re going to cover why, in a moment, but it’s worth pointing out that these employees tend to be at the bottom rung of the organizational infrastructure. There’s nothing wrong with that, of course.

The only reason we point it out is because it’s often easy to think that they don’t represent a real vulnerability because they don’t have any access to the types of sensitive information criminals tend to go after.

However, this is exactly the kind of attitude criminals want you to have. In reality, they make perfect targets and actually represent a very real opportunity for criminals to get their hands on all kinds of information.

Also, if nothing else, the sheer number of customer service representatives you employ makes them attractive targets. Malicious parties can target one after another until they get what they want. This would be much harder to do with other targets.

Ensuring that Customer Service Representatives Understand Why They’re Targets

Of course, it’s equally important that your customer service representatives understand why they will be targeted. Amongst other things, this will help ensure they take this very real threat seriously and remain vigilant while at work.

Again, the numbers game comes into play. They make good targets because there are so many of them to attack.

On top of that, most of them have access to sensitive information. Much of this information may not even seem like that big a deal, but a savvy criminal will have an easy time leveraging it into a weapon.

Some examples of the types of information they may be after include:

  • Birthdays
  • Addresses
  • Phone numbers

Obviously, any information related to a business account or a social security number would fall into this category, too. At least, most employees understand why that kind of data is best kept under lock and key.

Still, those three seemingly innocuous forms of information could be patched together by a criminal to take someone else’s identity. They may not use it on your company, but they could take this information to another company and pretend to be their victim by rattling it off when asked. Once they’ve “confirmed” their new identity, it’s no great challenge to get access to the truly sensitive information they’re after.

The big takeaway from this section is to regularly remind your customer service representatives that they absolutely will be targeted at some point because they represent a gateway to valuable information, even if it sometimes doesn’t seem that way.

Implementing a Security Awareness Policy Is a Must

Just about every company has some sort of policy that addresses the need for employees to support appropriate security measures. The problem is that this is generally about as far as their efforts go.

Your company needs to have a security policy that speaks directly to the unique traits of customer service representatives. Think about the types of challenges they face.

Though everyone’s company is different, your policy should include some version of the following:

  • Goal – Obviously, you want to keep your company safe, but this is a good time to point out why customer service representatives make such attractive targets.
  • Rules – Being a customer service representative sometimes requires a bit of wiggle room on how to respond to clients. That being said, leave as little room as possible for this when it comes to security awareness.
  • Compliance – If you do a good job of stressing the importance of security for your company, you would hope customer service representatives will simply do their best to keep your organization safe. Still, there need to be consequences for people who put your company at risk. Make sure they are spelled out in your policy.

Your policy won’t do any good if your staff doesn’t know about it, though. Security awareness should occur during orientation. Employees need to read the policy and sign off that they have done so.

This policy should be regularly reviewed, as well. It should go without saying, but this definitely goes for any updates that might be made.

Your Staff Should Never Trust Someone They Don’t Know

If more employees followed this one simple piece of advice, the success rate for cyber criminals would fall dramatically almost overnight. Customer service representatives who are too quick to assume that someone is who they claim to be are the reason phishing attacks and similar scams are so prevalent.

It’s worth pointing out that this doesn’t mean customer service representatives are gullible, per se. For the most part, the problem seems to have more to do with the fact that these employees become lulled into a false sense of security. They fall into a routine, so it becomes easy for a criminal to take advantage of their mental state if their requests don’t immediately raise any red flags.

Your customer service representatives should always feel comfortable asking someone for proof of who they claim to be. If it’s a customer, this might feel awkward. Tell your employees that they can simply let the person know that this extra layer of caution is for their own good. All they’re doing is making sure that customers’ data remains safe.

Many criminals know that customer service representatives face this kind of challenge. The majority of them are trained to go out of their way to keep customers happy. For that reason, a criminal may call and speak with a thick “accent” that makes understanding them very difficult.

This way, if they’re asked to answer questions to confirm their identity, they can use the customer service representative’s good nature against them. Not wanting to offend the supposed customer, the employee may simply assume they’re answering correctly.

Phishing Is a Serious Threat and Can Happen Over the Phone Too

Phishing attacks aren’t going away anytime soon. After all, they’re extremely easy to pull off and can give the attacker all kinds of sensitive information.

In case you’re not familiar, phishing attacks are when someone pretends to be someone else to extract the data they need or get an employee to comply with their wishes.

As an example, a criminal may email an employee pretending to be a coworker who needs a certain file sent to them. They could claim to be from the IT department, too, and give instructions to change their password to something specific.

The list goes on and on, but the idea is to use social engineering against employees to trick them.

These attacks usually happen through email, but your customer service representatives should know that this isn’t always the case. Phishing can also occur over the phone. This is especially important to appreciate if you have customer service representatives who answer phones as part of their jobs.

Aside from the fake accent we mentioned earlier, another common way to phish employees is by collecting data on the people whom the attacker wants to impersonate.

This goes back to our earlier point about how customer service representatives really do have access to sensitive information. Someone may call and ask what address your company has on file for them because of a recent move.

A customer service representative who is trying to be polite and compliant may dutifully answer without giving it much thought. After all, what could that person possibly do with such innocuous information?

Well, for one, they may be completing a profile of their next victim. They could be calling several companies they know their target has accounts with and piecing together enough information that they can then pretend to be them elsewhere.

They could also simply call back at a later time, “Hello, this is John Smith, my address is 1234 Main Street, Nashville, Tennessee, I need to…”

This represents the social engineering aspect of phishing. Your customer service representative may have security questions they’re supposed to ask, but because the person on the other end knows their correct address, sounds confident, and moves on to their demand, your employee may simply comply.

Again, imagine if this person had their address, phone number and date of birth.

Learn from Successful Attacks

Although educating your staff about phishing is important for security awareness, so, too, is bringing their attention to successful attacks when they happen to customer service representatives.

Sadly, you’ll find this happens fairly often.

The point of telling your employees about them is twofold. First, you want them to understand the different types of attacks that are possible. Even though phishing represents the main threat, it’s actually a fairly diverse form of attack. We’ve barely scratched the surface describing it here.

Second, it’s always a good idea to remind your customer service representatives that these attacks represent very real threats. They can’t become complacent or your company will be in jeopardy.

Always Audit Your Efforts to Ensure They’re Effective

Earlier, we brought up a customer service representative security policy and the importance of making people aware of it. While this is important, you need to put in guidelines for how you’ll ensure that people are following the rules.

We’ve talked about the need for security risk assessments before. This is similar.

There are a number of ways you can do it, too. The simplest is with tests. These don’t have to be time-consuming ordeals, but regularly giving your employees tests will help you understand to what degree they understand the demands of quality security measures.

Of course, you can also test employees through fake attacks. You can hire out for this or have someone within your company do it. Either way, some trustworthy individual could contact one of your customer service representatives and see how successful a real criminal would be with their attacks. It’s hard to think of a better way to assess the success of your efforts.

Encourage People to Come Forward

No one wants to report a possible incident if there’s a chance it’s not the real thing. As we’ve touched on before, customer service representatives are trained to keep people happy, so they might be even more likely to say nothing if they aren’t 100% certain.

To overcome this problem, let your people know that they should not be embarrassed for being suspicious.

Furthermore, tell them that you will support their vigilance even if it means an actual customer becomes annoyed because their demands are delayed.

None of your training or investments in security awareness will have the effects you desire if people don’t come forward when they think they’re dealing with a criminal. Most of the time, it probably won’t be very obvious, so you should encourage their scrutiny.

Discourage Talking to the Press if a Successful Attack Happens

Even if you do all of the above for the sake of security awareness, one of your customer service representatives may become a successful target. For that matter, anyone in your company could be responsible for allowing an attack to succeed.

In any case, if that were to happen and the press were to find out, your company would most likely be contacted for an opinion. There are a number of reasons you wouldn’t want to respond, at least not at first.

Make sure your customer service representatives aren’t the ones who inadvertently break the silence.

If an attack is successful, let your employees know ASAP. You don’t have to go into details, but you should tell them and also let them know that they are not to talk to the press or anyone else.

The press isn’t bad at phishing either. Reporters may call posing as concerned customers and ask questions. Your customer service representatives must be ready for these attempts.

Unfortunately, 2016 showed that cybercrime is on the rise. For this reason, you must take the need for customer service representative security awareness seriously. Begin today by creating/updating your policy and making sure your staff understands it ASAP.

