In all businesses, regardless of industry and irrespective of size and available budgets, human error is the most common reason for a potential cyberattack’s success. No matter how well a security team mitigates inherent risk across an organisation, unless the mitigation extends to minimising the possibility of risk, or decision-based mistakes being made, then the door is always potentially open to attackers.
Frequent and targeted training will help employees understand how to perform their roles safely, but training alone is simply scratching the surface. When people are under undue stress or pressure, when they don’t have access to the right or sufficient resources, or when they are trying to work within a negative or unsupportive environment, they are less likely to be completely focused or engaged and, as such, more likely to make mistakes that carry cyber consequences.
Employee experience and cyber security
Investing in a positive employee experience can make a huge difference in this respect. Business is by nature a form of competition and so something that can never be stress- or challenge-free. But when employees know they’re being supported and recognised in moments when the pressure mounts, stress becomes a fuel for meeting targets or achieving objectives, rather than the reason for a successful breach.
Over recent years, the employee experience and its role at the heart of a positive business culture have been climbing strategic agendas, and rightfully so. It’s a proven way to increase productivity, reduce employee attrition, keep the best existing talent and attract the next generation of rising stars.
Even small steps to increase employee loyalty can reduce residual risk. There is a direct correlation between the length of an employee’s tenure at an organisation and the level of cyber risk that individual poses. For example, on average, new employees with fewer than six months’ experience at a business are twice as likely to fall victim to an email phishing attempt.
A challenging business environment
However, in the current business climate, even the strongest employee experience can wobble. Higher interest rates and operating costs, alongside shrinking available talent pools and a growing concern about recession or stagnation are all placing organisations under pressure. In turn, business leaders need to demand more from their employees as they attempt to navigate the economic environment, identify new opportunities to diversify or pursue avenues for growth. Logic dictates that, unless there’s also a means of tempering some of this additional stress, trying to pivot or tap new markets could result in increased cyberattack vulnerability.
This is particularly true in the tech sector where growth and performance are so incentivised it can encourage and even reward risky behaviour if that behaviour has the potential to increase profits.
It’s crucial to remember that alongside genuine mistakes that are the result of stress and distraction, or inadequate training or an inability to make the right decision in the moment, employees can also intentionally act in an unsecure manner if doing so is faster and easier or if the risk itself seems abstract — i.e., there would be limited if any personal consequences if something were to happen.
A partnership to ease the pressure
One proven means of reducing some of this pressure, and with it the possibility of mistakes being made, is through partnership. Outsourcing operations such as the design and delivery of customer experience enables an organisation to devote its resources to mission-critical aspects of the business.
There can be a fear — particularly within organisations that are new to using outsourcing to meet strategic objectives — that they are giving up control or taking a risk by partnering with a BPO.
Likewise, there are valid concerns around the risk of a breach within a wider business ecosystem that can have a material impact across a supply chain. However, unlike with a vendor, supplier or other third party, employing the services of a BPO means a reciprocal relationship where risk is properly mitigated, best practices shared and adhered to and clear measures put in place about preventative actions and steps to follow in the event of an incident.
Identifying the right organisation to deliver your CX should lead to a higher level of scalable certainty and security. But how do you go about finding the right partner for these purposes?
Compliance
To claim to be a leading BPO provider, an outsourcer must be able to show it has all relevant certifications and complies with every data or system security regulation relative to every territory and every industry in which it operates.
However, stating compliance with regulations such as the GDPR or having ISO 27001 certification is not enough. Ask the provider to demonstrate how it complies; evaluate its processes and procedures, especially around aspects such as data handling, and request information about how often the organisation conducts security audits and assessments. It’s only through regular assessments and stress testing that vulnerabilities can be identified, and a culture of continuous improvement implemented.
People
One of the key benefits of outsourcing is always having access to the right levels of human resources to meet your customer needs. Therefore, examine how the outsourcer identifies the right types of candidates, how they’re vetted (to minimise any insider threat), trained and onboarded, and, crucially, how ongoing training and development are delivered, particularly in respect to cyber and information security.
Ongoing training is the only way to match employee understanding with attack sophistication. But as well as the frequency of training and development, it’s crucial to understand how this training is delivered. A one-size-fits-all approach doesn’t work when it comes to skills development. Different people respond differently to different ways of learning. A potential outsourcing partner should use a blended approach to skills development and retention, especially around topics such as cybersecurity.
Insights
Outsourcers need to inform their data and security training decisions and their approaches to the technological aspects of protection by gathering insights beyond their organisation. An outsourcer should be drawing on intelligence from across different business sectors, should have a threat intelligence team (or have access to one), and should be in constant dialogue with external experts and thought leaders to proactively shape its processes to reflect the latest types of threat and to align with current best practices.
Action
Ask the outsourcing provider to detail how it responds to incidents. It should have a robust, frequently tested plan in place. How would it act in different cybersecurity scenarios? For the same reasons, examine its data encryption, handling and storage controls, and the measures it has in place regarding employee access to potentially sensitive information. How is access controlled and monitored to spot potential issues?
Culture
Corporate culture and its role in shaping the employee experience is a critical aspect of cyber and information security. Therefore, look at an outsourcer’s employee retention rate, particularly for frontline CX staff. How many agents are tenured and how many employees in more senior positions are in those posts due to internal promotion? When employees are valued and retained, so is knowledge and understanding of tools, processes and protocols.
Even if a BPO provider can tick every other box, it must prove it can align with your organisation’s values and create a relationship built on open communication. Some of this alignment can come from existing vertical experience, but the best outsourcers should be able to evolve their own operating standards and procedures to mirror the specificity of a business sector, customer type or end-user and do so without negatively impacting their approach and best practices relating to cyber and information security.
As the frequency, cost and potential reputational damage resulting from data breaches and cyberattacks continue to rise, ensuring your business partners have a best-practice approach to information and system security is paramount. To learn more, read our white paper “Securing your customer experience: How to choose the right CX delivery partner in an age of rising cyber threats.”