Navigating Cybersecurity Challenges in Answering Services: Insights from ATSI 2023

by Justin Massey

Jun 28, 2023


The ATSI conference in Atlanta united answering service owners, managers, and industry leaders to tackle the industry's pressing challenges. With insights into artificial intelligence and the rising significance of cybersecurity, the conference unveiled the evolving landscape. To ensure the future success of their business, answering services must embrace continuous adaptation. We will recap the discussions around cybersecurity and provide actionable steps to empower answering services to secure their business.

Making operators more productive

Answering service operators answer calls from many unique companies in different industries each hour, requiring them to perform a significant amount of context switching. However, the complexity intensifies as answering services expect operators to learn and navigate multiple clients' websites and their unique business software. This additional responsibility places a significant cognitive load on operators, impacting their efficiency and effectiveness.

Moreover, hiring and retaining skilled operators is one of the top problems answering services face, further exacerbating the situation. Onboarding new operators becomes time-consuming, especially when they need to familiarize themselves with multiple business systems and software.

One solution to reduce the onboarding time is for TAS vendors to support the integration of robust two-way APIs within the TAS (Telephone Answering Service) software. Operators gain seamless access to clients' business systems directly from the TAS software, eliminating the need for extensive training on each client's website. This streamlined approach expedites the onboarding process and alleviates the cognitive load on operators, ultimately enabling them to perform their tasks with enhanced efficiency.

Furthermore, the utilization of two-way APIs in TAS software not only enhances operational efficiency but also strengthens security measures. With this integration, TAS operators can no longer log in to client websites directly. This eliminates the risk of an attacker compromising an operator’s workstation and stealing the credentials from the local machine. By removing the need for individual login credentials, the TAS software acts as a secure intermediary, ensuring operators do not retain access to client websites once they no longer require it. This streamlined approach enhances data security and minimizes the potential vulnerabilities associated with operator turnover, providing answering services with an additional layer of protection for their clients' sensitive information.

TAS Software Cybersecurity Improvements

In recent years, answering services have witnessed a significant increase in cybersecurity attacks, prompting a paradigm shift in the industry's approach to security. With healthcare and other sectors demanding stricter cybersecurity controls, answering services must adapt to these evolving requirements. This not only necessitates changes in the way answering services handle IT within the business but also calls for improvements in the security measures implemented by the software provided by vendors. Vendors responsible for developing and maintaining the software used by answering services must address these emerging challenges and protect sensitive data.

To achieve this, vendors should consider implementing the following practices:

Secure Handling of Customer Secrets

As TAS vendors become responsible for handling customer secrets like passwords and API keys, ensuring their secure storage and transmission is crucial. Vendors should implement robust encryption mechanisms, secure storage practices, and access controls to protect sensitive customer information, and they should log who accessed the customer secrets. By prioritizing the security of customer secrets, vendors can maintain trust and confidentiality in their relationships with answering service customers.
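The intermediary role described above (operators act through the TAS and never hold client credentials, every use of a secret is logged, and access ends when an operator leaves) can be sketched as follows. This is an added example, not code from ATSI, Relay Hawk, or any TAS vendor; the class and method names, the HMAC request signing, and the in-memory dictionary standing in for an encrypted secret store are assumptions, and the sample key and identifiers are constructed.

```python
import hashlib
import hmac
from datetime import datetime, timezone


class CredentialBroker:
    """Hypothetical TAS-side broker: holds client secrets, operators never see them."""

    def __init__(self):
        self._secrets = {}    # client_id -> API key (assumed encrypted at rest in a real store)
        self._grants = set()  # (operator_id, client_id) pairs allowed to act
        self.audit_log = []   # record of every attempted use of a secret

    def store_secret(self, client_id, api_key):
        self._secrets[client_id] = api_key

    def grant(self, operator_id, client_id):
        self._grants.add((operator_id, client_id))

    def offboard(self, operator_id):
        # Operator turnover: drop every grant at once; no client password to rotate.
        self._grants = {g for g in self._grants if g[0] != operator_id}

    def call_client_api(self, operator_id, client_id, action, payload):
        """Build a signed request for the client's API on the operator's behalf."""
        allowed = (operator_id, client_id) in self._grants and client_id in self._secrets
        # Log before acting, so denied attempts are recorded as well.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "operator": operator_id, "client": client_id,
            "action": action, "allowed": allowed,
        })
        if not allowed:
            raise PermissionError(f"{operator_id} may not act for {client_id}")
        key = self._secrets[client_id].encode()
        body = f"{action}:{payload}".encode()
        signature = hmac.new(key, body, hashlib.sha256).hexdigest()
        # Only the signed request leaves the broker; the key is never returned.
        return {"client": client_id, "action": action,
                "payload": payload, "signature": signature}


def demo():
    broker = CredentialBroker()
    broker.store_secret("clinic-a", "constructed-sample-key")
    broker.grant("op-17", "clinic-a")
    request = broker.call_client_api("op-17", "clinic-a", "create_message", "call back")
    broker.offboard("op-17")
    try:
        broker.call_client_api("op-17", "clinic-a", "create_message", "after exit")
        denied = False
    except PermissionError:
        denied = True
    return request, denied, broker.audit_log
```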

Implement Secure Connection Methods

Vendors should prioritize supporting secure methods for connecting to answering service customers' applications. This includes implementing encrypted communication protocols like HTTPS and adhering to industry-standard security practices. Additionally, vendors should explore supporting a variety of secure authentication techniques like OAuth, JWTs, and other forms of secure authentication. Applications may require different authentication methods, and by providing flexibility and compatibility with various authentication mechanisms, vendors can ensure that answering services can securely connect to all types of applications they interact with. By establishing secure connections and offering a range of authentication options, vendors can empower answering services to maintain robust security across their entire ecosystem of customer applications.

Support Single Sign-On (SSO)

By utilizing a single sign-on provider, such as Google Workspace or Azure AD, vendors can enable seamless authentication to their TAS solution. This simplifies the login process for answering service operators and enhances security by reducing reliance on multiple login credentials. With SSO, operators can securely access and navigate various business systems without remembering numerous usernames and passwords.

IT Responsibility Model for Answering Services

If you are an answering service owner, you did not get into the business because you wanted to manage IT infrastructure. Your passion lies in providing exceptional customer service and ensuring smooth operations for your clients. That's why shifting the responsibility of infrastructure management to a TAS vendor can be a game-changer for your business.

By entrusting the hosting of the software to a reliable vendor, you can offload the burden of maintaining servers and infrastructure, allowing you to focus on what you do best: answering calls and delivering outstanding service. This shift also transfers the risks associated with managing the infrastructure to the TAS vendor, as they take on the responsibility for hardware, operating systems, and network management. It empowers you to streamline your operations, optimize resources, and have peace of mind, knowing that the critical IT components are in the hands of experts.

Answering Service IT Responsibility Model - Vendor Hosted

Regarding the responsibility breakdown between answering services and TAS vendors, the dynamics can vary depending on who hosts the software. Understanding these distinctions is crucial for establishing clear expectations and ensuring a smooth operational framework. If the TAS vendor hosts the software, the responsibility for infrastructure-related aspects shifts to the vendor. This includes hardware provisioning, operating system management, and application deployment. The TAS vendor maintains the network infrastructure and ensures its availability and performance. Additionally, they are responsible for regular updates and patches to the infrastructure, guaranteeing that it remains secure and up to date.

Answering Service IT Responsibility Model - Self Hosted

On the other hand, when answering services host the software themselves, they are responsible for managing the underlying infrastructure. This includes procuring and maintaining the necessary hardware, managing the operating system and application stack, and ensuring network connectivity. Answering services must stay vigilant in implementing security measures and updating their infrastructure to protect against potential vulnerabilities.

Regardless of the hosting scenario, answering services and TAS vendors must collaborate and align on responsibilities related to data security, access controls, and incident response protocols. Clear communication and a shared understanding of each party's role are essential for a successful partnership and a robust security posture.

Promised Deliverables to Attendees

During the recent ATSI conference in Atlanta, a panel of cybersecurity experts, including Justin Massey, founder of Relay Hawk, Rob Van Buskirk, Co-Founder of VanRein Compliance, Art Powell, Founder of Trinsic Technologies, and Jeb Buie, VP of Special Activities at Trinsic Technologies, engaged in a thought-provoking discussion on cybersecurity. The panel received questions from the audience, and Justin Massey noted some action items that emerged from the conversation. This section will explore the action items identified during the panel discussion.

Vendor Questionnaire

The first deliverable promised was a security questionnaire that an answering service could send to their vendors. Security vendor questionnaires can contain technical security language, which may be challenging for small business owners to understand. Striking a balance between simplicity and technicality is essential for these questionnaires to be valuable to the answering service. Justin Massey reached out to the security community to engage in a conversation, leading to several interesting responses.

Andrew Spangler, Head of Security & Compliance at Harness, emphasized the importance of tailoring security questionnaires based on the data the answering service is exchanging with the vendor. If no personally identifiable information (PII) is involved, a less intrusive questionnaire may suffice, as the same level of security controls may not be required.

Leif Dreizler, Senior Manager, Software Engineering at Semgrep and former Senior Engineering Manager at Twilio, suggested a simple yet insightful question to gauge the maturity of a vendor's security organization: ask the vendor to describe the size and structure of their security team. If the security organization consists of only one person and the application handles sensitive data such as healthcare information and PII, it should raise a red flag.

Lastly, Google's interactive Vendor Security Assessment Questionnaires (VSAQ) can be a valuable resource for a comprehensive list of vendor questions.

Trusted Sources for Security News

During the Q&A session, an attendee requested a list of reliable sources to stay updated with the latest cybersecurity news. Justin Massey recommends the podcasts Darknet Diaries and Risky Biz. Darknet Diaries explores fascinating real-life stories of hacking and cybercrime, offering valuable insights into cybersecurity. Risky Biz provides in-depth interviews with industry experts and covers current security news. It is an excellent resource for answering service business owners new to cybersecurity who want to stay informed about emerging trends and threats.

Difference Between a Password Manager and an SSO Provider

When comparing a password manager like 1Password and an SSO provider like Google Login, using an analogy such as keys on a keyring is helpful. A password manager is like a keyring that holds hundreds of keys for different doors. Each time you need to unlock a specific door, you have to search through the keyring to find the right key. While it offers convenience and organization, it is not as simple to use as a single master key. On the other hand, an SSO provider is akin to a master key that can unlock multiple doors. With a single master key, you can effortlessly access various doors without the hassle of searching through a bulky keyring. In managing login credentials, 1Password functions as a comprehensive password manager, while an SSO provider simplifies authentication by offering a unified access point.

Implementing a Single Sign-On (SSO) solution is highly recommended for managing authentication across multiple applications. While it may initially seem risky to consolidate all login credentials into a single basket, the convenience and security benefits outweigh the concerns. SSO simplifies the login process for answering service operators, acting as a master key that effortlessly grants access to multiple systems. It reduces the cognitive load of managing numerous passwords and enhances overall productivity.

Additionally, SSO providers often offer robust logging capabilities, allowing for detailed visibility into user logins, including information about the application accessed, the time of login, and the location. This logging capability is invaluable for security investigations and monitoring user activity. However, only some platforms and applications support SSO. A password manager like LastPass remains valuable for managing credentials for applications that don’t support SSO.

By combining the strengths of an SSO and a password manager, answering services can balance efficiency, security, and comprehensive logging for their authentication needs.

Conclusion

We would love to hear your thoughts and continue the conversation about empowering answering services in cybersecurity. Connect with us on LinkedIn or email info@relayhawk.com.

If you're looking for assistance in assessing your self-hosted TAS implementation or exploring ways to enhance your cybersecurity measures, Relay Hawk is here to help. We understand the unique challenges of answering services and the importance of robust security practices. Together, we can fortify your answering service against evolving cyber threats and empower your business for success.

Schedule a meeting with Relay Hawk today.
