Why VPNs Fall Short in Connecting Remote Agents and Call Centers
Author: Kurt Michel, SVP Marketing, Veea
Today, thanks to the COVID-19 pandemic, the business world has become increasingly remote, making online privacy and security for organizations more important than ever. With so many workers at home, potential attackers can gain access to an organization whenever an employee simply logs onto the internet.
The call center industry is no exception to this, with many companies turning to a work-from-home model to continue support for their customers during the pandemic.
Consider that since the COVID-19 outbreak, the US FBI reported a 300% increase in reported cybercrimes. Hackers leveraged the opportunity to attack vulnerable networks as office work movedremote. Data breaches resulted in 36 billion records being exposed in the first three quarters of 2020 alone, according to RiskBased Security research.
Remote work makes call centers more vulnerable by exposing multiple systems to the Internet and prying eyes, and every data breach is costly to a business. One study by IBM suggests that the average cost of a data breach is $3.92 million, and that number is on the rise.
Historically, Virtual private networks (VPNs) were the go-to solution for many call centers with remote workers. A VPN creates an encrypted tunnel between the remote employee’s computer and the company’s central systems, masking their identity and location while protecting both their own and their customers’ private data sent over a public, unsecured network. However, it’s impossible to monitor your employees to ensure they're only using secure connections in all of their work activities.
The truth is, one wrong move can seriously cost your business, and while VPNs may give you some protection, they have limitations.
Security Drawbacks of VPNs
Consumer-focused VPN services are not generally designed to protect business traffic all the way to the corporate data center. In fact, most consumer-focused VPNs are focused on hiding the user’s location so that they can stream content into restricted geographies (like making US video programming available outside of the US), or on shielding their data and activities from their ISP.
The connection between the remote worker and the VPN proxy server may be protected, while the connection between the VPN server and the company data center may not be. Call centers are not well served by these types of VPN solutions. Additionally, some VPN services are run by scammers and hackers with the sole intention of gaining access to a company’s servers. And Free VPN’s? We all know that nothing of importance is ever really free.
Then there are the VPN appliances installed at the edge of the corporate data center, which is a textbook example of castle-and-moat security. Once a user connects via VPN, they have effectively unrestricted access to the rest of the subnet, and for some enterprises, this means non-admin users have network access to critical infrastructure when they shouldn’t. Further, this castle-and-moat approach increases the risk of malware spread and data breaches.
To add granular security controls to remote access VPN solutions, call centers often have to deploy additional security point-solutions, adding cost and complexity while leaving plenty of room for misconfiguration and human error.
Finally, VPN technology has had limited recent evolution, even during the pandemic. The industry is moving to new data security solutions, and with remote work becoming the new normal, the savvy call center IT/security professionals know that they need more than a VPN solution to adequately protect their workers, their data, and their businesses.
Alternative Security Options
To ensure the best protection, especially with the shift to a work-from-home/remote worker culture, call centers need “beyond VPN” security solutions.
Firstly, a call center could use remote desktop connections. A remote desktop connection allows users at home to access their office-based computer. The communication between the home and work PCs is encrypted end-to-end. There are many remote PC access software programs available that allow businesses to provide secure off-site device access to their employees. However, this approach is still susceptible to credential theft, and there’s nothing in this approach to monitor the traffic for suspicious behavior. It basically trusts that if you have the login credentials, you are who you claim to be – and the (data-) world is your oyster.
Call centers may also turn to identity access management (IAM) systems to securely store identity and profile data. IAM implements a comprehensive verification process through multifactor authentication.
With IAM, the identity of individual users is established and authorized by the system, and they can only access pre-authorized materials.
Privileged Access Management (PAM) is a subset of IAM that focuses exclusively on protecting privileged accounts. Since privileged accounts hold the keys to an organization’s most critical assets, they are prime targets for cybercriminals. With PAM, accounts are granted to a small number of users who need access to backend systems, databases, and other places where highly sensitive information is stored. PAM adds another layer of security with measures such as storing privileged account credentials in a separate and secure repository to reduce the risk of theft or misuse, and administrator capability to restrict user access with time limits and other rules. Whereas IAM safely authorizes any user who needs access to a system, PAM limits access rights to the absolute minimum number of users necessary to perform authorized business activities.
Call centers also have the choice of a software defined perimeter (SDP) solution to secure their data while employees are working remotely. SDP’s, also known as “black clouds”, are based on the "need-to-know access" government model. Any critical files are stored in the black cloud and are inaccessible to unauthenticated users, while other aspects of the network are only accessed on a permission basis. An SDP can hide Internet-connected infrastructure (servers, routers, etc.), preventing external parties and attackers from seeing the network and assets behind it, whether it is hosted on-premises or in the cloud. SDP bases the network perimeter on software instead of hardware.
The most advanced solutions combine the benefits of the various security technologies above, while adding deep packet inspection, traffic behavior analysis, and centralized security management for all users through a web browser. They also simplify configuration and managment, reducing the need for dedicated IT support or security experts. Managers can establish whitelists and blacklists for user access to online content. Artificial Intelligence (AI) and Machine Learning (ML) techniques are used to detect traffic flows that fall outside of normal behavior and can flag and quarantine that traffic to thwart attacks. In addition, packet encryption technologies are evolving to meet the challenge presented by ever-improving crypto-cracking technology. Systems which leverage rotating keys and asymmetric encryption, if compromised, significantly limit the data exposure. These technologies are welcome additions for protecting data-in-motion, as it crosses the Internet. And all this protection is available through service-based subscription models, minimizing up-front cost.
Increased Cyber Attacks means Now's the Time to Prioritize Security
The use of malware increased by 358 percent through 2020, and ransomware usage increased by 435 percent compared to the previous year, according to a study by Deep Instinct. July 2020 alone saw a 653 percent increase in malicious activity compared to the same month in 2019. Not only are the number of security breaches going up, but that they are increasing in severity as well. And with the total cost for cybercrime globally set to reach $10.5 trillion by the end of 2025, call center managers must do everything in their power to combat this.
With the shift to remote working possibly being considered the “new normal” for customer service, remote sales, and other related call-center centric operations, call center managers and their IT teams must recognize that the era of VPN protection is over. The "pay me now or pay me later” adage applies here. Those who wait for an attack to bring down their businesses before improving their protection may find it difficult to recover.
Is this something you can afford?