Storm, Hurricane, Data Center Disaster, Contact Center: Which of these is the Riskiest to Your Utility?
- Jun 8, 2015 10:27 pm GMT
Of the variety of legislation across the country meant to force utilities to open their eyes to the potential risk that internal breaches may create, the Federal Trade Commission's Red Flag Act has gone the furthest as it relates to the end customer. It does so by pushing all "creditors," which utility companies are classified as, to identify their "red flags" -- relevant warning signs of identity theft such as suspicious activity. In doing so, utilities were pushed to look at their most critical transactions, including service establishment, collection processing and payment processing.
So how does your utility go about finding the greatest weaknesses and mitigating the susceptibility? A bottom-up approach is the strongest method of enforcement when looking at exposure level. The contact center is both the primary face of the utility as well as its greatest risk for PII breach. It doesn't take long to walk through a utility's contact center and clearly see where some of the major risks are. The following are common issues and recommended solutions, simple in principle but often not put into practice, which could help your organization to avoid being put in a highly vulnerable position for a security breach.
- The "Printed Report": The need for reports is as ubiquitous as calls for utility service. However, are you sure the reports are always safely secured or destroyed when no longer needed? The need for regular report audits, where any report containing sensitive information is tracked against the user requesting that data, is essential. Treating the reports as sensitive information and thereby locking them up when not in use, shredding when completed, and not leaving them in unsecured areas is paramount to protecting the utility end-use customer. Finally, a strategy to web-deploy reports and restrict access in lieu of printing is critical to reducing risk of unauthorized access.
- The "Offending Notebook": This is by far the most common exposure of utility contact centers. Most of today's Off-the-Shelf Tier 1 and 2 Customer Information Systems (CIS) have addressed encryption, workflow, and visibility of PII; however, legacy applications were not necessarily designed with the true needs of the CSR in mind, meaning customers often have to repeat their information. To help improve customer service, CSRs have self-implemented notepad-based information capture as a method of reducing that repetition of data. Critical pieces of customer data are often scribbled down on paper that is tossed in the trash, left on an unsecured desk, or is not tracked at all. The true liability of the utility when considering the amount of untracked data that could be easily accessible far outweighs the average risk presented through network hacking.
What sophisticated outsourcers have secretly known is that to reduce the risk it is necessary to reduce the opportunity. The use of dry-erase boards to capture information for use during a call, erased immediately afterward, is one of the quickest and cheapest options. Lockers, a contact center policy that eliminates the practice of writing down any sensitive information in hard-copy fashion, and a training program that addresses personal responsibility for the data that is accessed are fundamental in reducing your exposure level.
- The "Don't Make Me Walk": As data breaches have grown over the past 10 years, one of the first major trends within contact centers was the addition of shredders for the destruction of sensitive information. Paper shredders certainly made life easier, but the placement of shredders within the contact center is just as important as the purchase of them. The lower the shredder-to-CSR ratio and the shorter the distance to access one, the more ubiquitous the act of shredding will become.
- The "Fax Machine Run Amok": The news today addresses several privacy concerns individuals have regarding their smart meter and the data transferred to the utility, yet there are customers who feel comfortable faxing that same utility company papers containing their social security number, bank account information or credit card data. When walking through utility contact centers, one can often see fax machines that have requests for service, menus from nearby restaurants, and screen prints from other areas of the organization sitting in their trays. What does all of this information have in common? In short, nothing. Sensitive information should be isolated from any public fax machine in an open office. The use of a digital fax service that will generate a secure notification to an office-designated email is important for not only transmitting information in a less public forum, but also for the purposes of workflow management -- the tracking of information from the time of inception until completion.
This is part one of a two-part article. In her next piece, Maria DeChellis will address a recommended approach and elements for a utility's data security plan.