Wednesday, April 1, 2009

Be The Problem, Sell The Solution

I suppose if your business model is dependent on protecting your customers from new and emerging threats, there's a danger that if cutting-edge perils disappear, so will your clientele.

Symantec may have solved that problem for themselves.
The security company, known primarily for their antivirus, anti-spyware, and other endpoint-protection products, is on the hot seat after BBC news reporters allegedly purchased customer credit card numbers from an employee of a Symantec call center in India. Oops.

Symantec claims that the nefarious conduct was limited to one call center agent, and that they had no indication that any of the credit card numbers were used improperly.
Do you know what else Symantec had no indication of? That they had a call center employee stealing and selling customer credit card numbers.

Call centers typically have robust risk and control procedures in place to limit their exposure to illicit activities among staff. Turnover and low compensation among agents and advisors has historically led to improper behaviors, and the call center environment is ripe with the kind of personal information that's in high demand by fraudsters.
Common call center procedures include the banning of any writing instruments or materials and no loose papers that advisors could use to capture and remove sensitive customer data. Computer systems are configured to not have access to email or the internet so that no data can be transmitted externally, and information cannot be written to removable media devices. Screen captures are similarly disallowed. Finally, there are aggressive anomaly detection mechanisms in place to alert security personnel to any aberrant activities.

Somewhere along the line, Symantec had either a failure of one or more controls, or a gap developed between the collection of tracking data and subsequent actioning. Either way, for a security-focused company, this is not good news.

Still, with the volume of customer data at hand and the vast number of employees who probably have access as a requirement to do their jobs, the fact that one agent was involved and the number of compromised accounts was reported to be in the 200-300 range, give Symantec a pat on the back for being open about the breach and proactive in taking steps to protect their customers.

As I've said before, you can't eliminate risk completely. You can only mitigate and respond. It appears that Symantec has done both.

No comments:

Post a Comment

Please tell me what you think.