Tech Republic

AI-Assisted Attacks Top Cyber Threat For Third Consecutive Quarter, Gartner Finds

For the third consecutive quarter, Gartner has found that cyber attacks staged using artificial intelligence are the biggest risk for enterprises. The consulting firm surveyed 286 senior risk and assurance executives from July through September, and 80% cited AI-enhanced malicious attacks as the top threat they were concerned about. This isn’t surprising, as evidence suggests AI-assisted attacks are on the rise.

Other commonly cited emerging risks outlined in the report include AI-assisted misinformation, escalating political polarization, and misaligned organizational talent profiles.

Attackers are using AI to write malware, craft phishing emails, and more

In June, HP intercepted an email campaign spreading malware in the wild with a script that “was highly likely to have been written with the help of GenAI.” The VBScript was neatly structured, and each command had a comment, which would prove an unnecessary effort for a human to write. The researchers then used GenAI to produce a script and found similar output, suggesting that the original malware was at least partially AI-generated.

The number of business email compromise attacks detected by security firm Vipre in the second quarter was 20% higher than the same period in 2023, and two-fifths of them were generated by AI. The top targets were CEOs, followed by HR and IT personnel.

Usman Choudhary, VIPRE’s chief product and technology officer, said in the press release: “Malefactors are now leveraging sophisticated AI algorithms to craft compelling phishing emails, mimicking the tone and style of legitimate communications.”

Retail sites alone experienced an average of 569,884 AI-driven attacks each day from April to September, according to Imperva Threat Research. Researchers said that tools such as ChatGPT, Claude, and Gemini, as well as special bots that scrape websites for LLM training data, are being used to conduct distributed denial-of-service attacks and business logic abuse, for example.

More ethical hackers are admitting to using GenAI, too, with the proportion increasing from 64% to 77% in the last year, according to a report from BugCrowd. These researchers say it assists with side-channel attacks, fault-injection attacks, and automating parallelized attacks to simultaneously breach multiple devices. But if the ‘good guys’ are finding AI valuable, then so will the bad actors.

The rise in these attacks should not come as a surprise

AI can lower the barrier to entry for cyber crimes, as less-skilled criminals can use it to generate deepfakes, scan networks for entry points, conduct reconnaissance, and more. Researchers at ETH Zurich recently created a model that could solve Google reCAPTCHAv2’s puzzles, which are used to distinguish humans from bots, 100% of the time.

Analysts at security firm Radware predicted at the start of the year that this newfound accessibility would lead to the development of private GPT models used for nefarious purposes. They also forecast that the number of zero-day exploits and deepfake scams would increase as malicious actors become more proficient with LLMs and generative adversarial networks.

Indeed, Google’s Mandiant tracked 97 total zero-day vulnerabilities that were discovered and exploited in 2023, marking a 56% increase from a year earlier. Last month, Microsoft listed deepfakes amongst the most significant attack types used by increasingly prolific ransomware groups.

Executives are also concerned about over-reliance on IT vendors

IT vendor criticality also made it into Gartner’s list of top concerns among senior risk and assurance executives for the first time this quarter.

Zachary Ginsburg, Senior Director of research in the Gartner Risk and Audit Practice, said in a Gartner press release: “Customers with a concentration of services with one vendor may face elevated risk in the event of outages, or they may face unanticipated changes in services depending on new regulations or legal decisions in the EU, U.S. or elsewhere.”

He alluded to July’s CrowdStrike incident, which saw about 8.5 million Windows devices worldwide disabled and caused huge disruption to emergency services, airports, law enforcement agencies, and other essential organizations.

“Because third parties, like SaaS vendors, rely on other vendors, organizations may not realize the full extent of their exposure,” Ginsburg added. Gartner predicts that 45% of businesses globally will have experienced attacks on their software supply chains by 2025.

U.K. Government Introduces AI Self-Assessment Tool

The U.K. government has launched a free self-assessment tool to help businesses responsibly manage their use of artificial intelligence.

The questionnaire is intended for use by any organisation that develops, provides, or uses services that use AI as part of its standard operations, but it’s primarily intended for smaller companies or start-ups. The results will tell decision-makers the strengths and weaknesses of their AI management systems.

How to use AI Management Essentials

Now available, the self-assessment is one of three parts of a so-called “AI Management Essentials” tool. The other two parts include a rating system that provides an overview of how well the business manages its AI and a set of action points and recommendations for organisations to consider. Neither has been released yet.

AIME is based on the ISO/IEC 42001 standard, NIST framework, and E.U. AI Act. Self-assessment questions cover how the company uses AI, manages its risks, and is transparent about it with stakeholders.

“The tool is not designed to evaluate AI products or services themselves, but rather to evaluate the organisational processes that are in place to enable the responsible development and use of these products,” according to the Department for Science, Innovation and Technology report.

When completing the self-assessment, input should be gained from employees with technical and wide business knowledge, such as a CTO or software engineer and an HR Business Manager.

The government wants to include the self-assessment in its procurement policy and frameworks to embed assurance into the private sector. It’d also like to make it available to public-sector buyers to help them make more informed decisions about AI.

On Nov. 6, the government opened a consultation inviting businesses to provide feedback on the self-assessment, and the results will be used to refine it. The rating and recommendation parts of the AIME tool will be released after the consultation closes on Jan. 29, 2025.

Self-assessment is one of many planned government initiatives for AI assurance

In a paper published this week, the government said that AIME will be one of many resources available on the “AI Assurance Platform” it seeks to develop. These will help businesses conduct impact assessments or review AI data for bias.

The government is also creating a Terminology Tool for Responsible AI to define and standardise key AI assurance terms to improve communication and cross-border trade, particularly with the U.S.

“Over time, we will create a set of accessible tools to enable baseline good practice for the responsible development and deployment of AI,” the authors wrote.

The government says that the U.K.’s AI assurance market, the sector that provides tools for developing or using AI safely and currently comprises 524 firms, will grow the economy by more than £6.5 billion over the next decade. This growth can be partly attributed to boosting public trust in the technology.

The report adds that the government will partner with the AI Safety Institute — launched by former Prime Minister Rishi Sunak at the AI Safety Summit in November 2023 — to advance AI assurance in the country. It will also allocate funding to expand the Systemic Safety Grant program, which currently has up to £200,000 available for initiatives that develop the AI assurance ecosystem.

Legally binding legislation on AI safety coming in the next year

Meanwhile, Peter Kyle, the U.K.’s tech secretary, pledged to make the voluntary agreement on AI safety testing legally binding by implementing the AI Bill in the next year at the Financial Times’ Future of AI Summit on Wednesday.

November’s AI Safety Summit saw AI companies — including OpenAI, Google DeepMind, and Anthropic — voluntarily agree to allow governments to test the safety of their latest AI models before their public release. It was first reported that Kyle had voiced his plans to legislate voluntary agreements to executives from prominent AI companies in a meeting in July.

He also said that the AI Bill will focus on the large ChatGPT-style foundation models created by a handful of companies and turn the AI Safety Institute from a DSIT directorate into an “arm’s length government body.” Kyle reiterated these points at this week’s Summit, according to the FT, highlighting that he wants to give the Institute “the independence to act fully in the interests of British citizens”.

In addition, he pledged to invest in advanced computing power to support the development of frontier AI models in the U.K., responding to criticism over the government scrapping £800 million of funding for an Edinburgh University supercomputer in August.

Kyle stated that while the government can’t invest £100 billion alone, it will partner with private investors to secure the necessary funding for future initiatives.

A year in AI safety legislation for the UK

Heaps of legislation has been published in the last year committing the U.K. to developing and using AI responsibly.

On Oct. 30, 2023, the Group of Seven countries, including the U.K., created a voluntary AI code of conduct comprising 11 principles that “promote safe, secure and trustworthy AI worldwide.”

The AI Safety Summit, which saw 28 countries commit to ensuring safe and responsible development and deployment, was kicked off just a couple of days later. Later in November, the U.K.’s National Cyber Security Centre, the U.S.’s Cybersecurity and Infrastructure Security Agency, and international agencies from 16 other countries released guidelines on how to ensure security during the development of new AI models.

In March, the G7 nations signed another agreement committing to exploring how AI can improve public services and boost economic growth. The agreement also covered the joint development of an AI toolkit to ensure the models used are safe and

Power Shortages Stall Data Center Growth in UK, Europe

The construction of new data centres in the U.K. and Europe is being held up due to insufficient electricity supply. Utility companies in the U.S. have also been struggling to keep up with demand.

David Sleath, chief executive of development giant Segro, said that he would ideally be investing “hundreds of millions and more” into building new data centres, according to The Times. “The single biggest constraint is access to power,” he told the publication.

Segro, which operates 35 U.K. data centres, has had to wait “a number of years” for infrastructure upgrades that boost grid capacity before breaking ground on a planned development.

A National Grid spokesperson told The Times it is connecting data centre developments to the grid “as quickly as possible,” while a government spokesperson said that efforts are underway to push stalled projects forward. The spokesperson added that the National Grid is collaborating with energy regulator Ofgem to update the grid connections process.

Power shortages are the top concern for data centre companies globally, including North America, as they make it hard for them to secure capacity. A report from Bain and Company found that utility companies in the U.S. would need to increase their energy generation to up to 26% above the 2023 total to meet the projected demand in 2028. Indeed, according to the Electric Power Research Institute, data centre power consumption in the U.S. will be more than double what it is currently by 2030.

Sleath added that the problem is in its infancy in the U.K., but is gaining significance as the government strives to make the country technologically competitive with the likes of the U.S. and China — a vision for a “U.K. success story.”

Indeed, there is evidence that the country’s tech sector is currently stagnating. Research has revealed that, this year, the number of tech startups founded in the U.K. has suffered its first “marked decline” since 2022. There were only 11,368 new tech incorporations in the third quarter of 2024, compared with 13,073 in the first quarter — an 11% decline.

UK deems data centres critical, piling pressure on the Grid

Data centre demand is skyrocketing worldwide to facilitate AI training and the expansion of cloud services that host the models. In September, the government announced that data centres are now deemed critical national infrastructure.

The government suggested that this change was made to help boost the country’s security as they become increasingly important to the smooth operation of essential services, as demonstrated by July’s CrowdStrike outage.

However, according to Ishmael Burdeau, a civil servant responsible for the government’s Net Zero strategy, it also means that planning restrictions surrounding their development have been relaxed, so more can be greenlit. As per The Register, he said the designation allows the government to “override local opposition to datacenters,” which is generally based on their power and water consumption, noise, and environmental destruction.

Shortly after, the government announced that four U.S. tech firms had committed to investing £6.3 billion in U.K. data centres, providing the country with “the necessary infrastructure to train and deploy the next generation of AI technologies.”

Power demands could scupper Europe’s environmental goals

Failing to meet the electricity demands of data centres could spell doom for the environment. A Morgan Stanley report from September suggested that the facilities will produce 2.5 billion tons of carbon by the end of the decade, three times higher than if the generative AI boom had never happened.

In July, Google revealed that the expansion of its data centres to support AI developments contributed to the company producing 14.3 million tonnes of carbon dioxide equivalents in 2023. This marks a 48% increase compared with the 2019 figure and a 13% rise since 2022.

The E.U. has a goal of reducing the region’s 2030 greenhouse gas emissions to at least 11.7% lower than what was projected in 2020, on top of becoming climate neutral by 2050. However, these targets may well be scuppered; a report published by McKinsey this week found that, by 2030, demand for bit barns in Europe will triple, increasing their share of the region’s total energy demand by 3%.

Like the U.K., Europe is also facing challenges when it comes to generating the electricity the data centres need.

“These include limited sources of reliable power, sustainability concerns, insufficient upstream infrastructure for power access, land availability issues, shortages of power equipment used in data centers, and a lack of skilled electrical tradespeople for building facilities and infrastructure,” the McKinsey analysts wrote.

Data centres don’t just need electricity to power servers, as significant energy also goes toward cooling systems to manage the heat generated by dense hardware. AI chips create even more heat because they require extreme processing power, so designers have been asking equipment suppliers to lower the temperature of the water used for cooling.

Michael Winterson, chair of the European Data Center Association, told CNBC this week that lowering water temperatures will “fundamentally drive us back to an unsustainable situation that we were in 25 years ago.”

Data centres may not be totally transparent about their energy usage

There is evidence that data center operators are not accounting for all of the energy they use in their sustainability reporting, meaning the power demands and emissions totals that analysts calculate could be on the conservative side.

The emissions of data centres owned by Google, Microsoft, Meta, and Apple are likely to be about 662% higher than officially reported, according to The Guardian. This is largely due to renewable energy certificates and carbon offset schemes, which allow companies to claim they use renewable energy when they don’t.

Furthermore, a report from the Uptime Institute found that less than half of data center owners and operators track metrics like renewable energy consumption and water

Increasing Awareness of DNS Hijacking: A Growing Cyber Threat

A recent report from Palo Alto Networks’s Unit 42 exposes the persistent and evolving threat of DNS hijacking, a stealthy tactic cybercriminals use to reroute internet traffic. By leveraging passive DNS analysis, the cybersecurity company also provided real-world examples of recent DNS hijacking attacks — highlighting the urgency of countering this hidden danger.

What is DNS hijacking?

DNS hijacking involves modifying the responses from targeted DNS servers, redirecting users to attacker-controlled servers instead of the legitimate ones they intend to reach.

DNS hijacking can be done in several ways:

- Gaining control of the domain owner’s account, providing access to DNS server settings: In this scenario, the attacker possesses valid user credentials with the authority to directly change the DNS server configuration. The attacker could also have valid credentials for the domain registrar or DNS service provider and change the configuration.
- DNS cache poisoning: The attacker impersonates a DNS nameserver and forges a reply, leading to attacker-controlled content instead of the legitimate one.
- Man-in-the-Middle attack: The attacker intercepts the user’s DNS queries and provides results that redirect the victim to the attacker-controlled content. This only works if the attacker is in control of a system implicated in the DNS query/answer process.
- Modifying DNS-related system files, such as the hosts file in Microsoft Windows systems. If the attacker has access to that local file, it is possible to redirect the user to attacker-controlled content.

Attackers generally use DNS hijacking to redirect users to phishing websites that look similar to the intended websites or to infect the users with malware.

Detecting DNS hijacking with passive DNS

The Unit 42 report described a method to detect DNS hijacking via passive DNS analysis.

What is passive DNS?

Passive DNS describes terabytes of historical DNS queries. In addition to the domain name and the DNS record type, passive DNS records generally contain a “first seen” and a “last seen” timestamp. These records allow users to trace the IP addresses a domain has directed users to over time.

For an entry to appear in passive DNS, it must be queried by a system whose DNS queries are recorded by passive DNS systems. This is why the most comprehensive passive DNS information generally comes from providers with high query volumes, such as ISPs or companies with extensive customer bases. Subscribing to a passive DNS provider is often advisable, as they collect more DNS queries than the average company, offering a more complete view than local DNS queries alone.

Detecting DNS hijacking

Palo Alto Networks’ method for detecting DNS hijacking begins by identifying never-seen-before DNS records, as attackers often create new records to redirect users. Never-seen-before domain names are excluded from detection because they lack sufficient historical information. Invalid records are also removed at this step.

The DNS records are then analyzed using passive DNS and geolocation data based on 74 features. According to the report, “some features compare the historical usage of the new IP address to the old IP address of the domain name in the new record.” The goal is to detect anomalies that could indicate a DNS hijack operation. A machine-learning model then provides a probability score based on the analysis.

WHOIS records are also checked to rule out domains that have simply been re-registered, which generally leads to a complete IP address change that could be detected as a DNS hijack.

Finally, active navigations are conducted on the domains’ IP addresses and HTTPS certificates. Identical results indicate false positives and can therefore be excluded from DNS hijacking operations.

DNS hijack statistics

From March 27 to Sept. 21, 2024, researchers processed 29 billion new records, 6,729 of which were flagged as DNS hijacking. This resulted in an average of 38 DNS hijack records per day.

Daily counts of candidates and predicted DNS hijacking records. Image: Palo Alto Networks

Unit 42 indicates that cybercriminals have hijacked domains to host phishing content, deface websites, or spread illicit content.

DNS hijacking: Real-world examples

Unit 42 has seen multiple DNS hijack cases in the wild, mostly for cybercrime purposes. Yet it is also possible to use DNS hijacking for cyberespionage.

Hungarian political party leads to phishing

One of the largest political opposition groups to the Hungarian government, the Democratic Coalition (DK), has been hosted on the same subnet of IP addresses in Slovakia since 2017. In January 2024, researchers detected a change in the DK’s website, which suddenly resolved to a new German IP address, leading to a Microsoft login page instead of the political party’s usual news page.

Microsoft login phishing page. Image: Palo Alto Networks

US company defaced

In May 2024, two domains of a leading U.S. utility management company were hijacked. The FTP service, which has led to the same IP address since 2014, suddenly changed. The DNS nameserver was hijacked using the attacker-controlled ns1.csit-host.com.

According to the research, the attackers also used the same nameservers to hijack other websites in 2017 and 2023. The goal of the operation was to show a defaced page from an activist group.

How companies can protect themselves from this threat

To protect from these threats, the report suggested that organizations:

- Deploy multi-factor authentication to access their DNS registrar accounts. Establishing a whitelist of IP addresses allowed to access DNS settings is also a good idea.
- Leverage a DNS registrar that supports DNSSEC. This protocol adds a layer of security by digitally signing DNS communications, making it more difficult for threat actors to intercept and spoof data.
- Use networking tools that compare DNS query results from third-party DNS servers — such as those from ISPs — to the DNS query results obtained when using the company’s usual DNS server. A mismatch could indicate a change in DNS settings, which might be a DNS hijacking attack.

In addition, all hardware, such as routers, must have up-to-date firmware, and all software must be up-to-date and patched to avoid being compromised by common vulnerabilities.

Disclosure: I work for Trend
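
The candidate-selection stage of the passive DNS method described above, as an added example that is not code from Unit 42 or from the original article: it drops invalid and already-known records, excludes never-seen-before domain names, and compares each remaining new IP address with the domain's history. The record layout, verdict names, /24 comparison, and 180-day threshold are assumptions, and a simple rule stands in for the report's 74-feature machine-learning model; all sample records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class PdnsRecord:            # assumed layout of one passive DNS row
    name: str
    rtype: str               # "A" or "AAAA"
    rdata: str
    first_seen: date
    last_seen: date


@dataclass(frozen=True)
class Finding:
    name: str
    rdata: str
    verdict: str             # invalid | new-domain | known | same-subnet | short-history | candidate
    stable_days: int = 0
    new_ip_prior_names: tuple = ()


_RFC1918 = tuple(ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def parse_routable_ip(rdata):
    """Return an address object, or None for records treated here as invalid (assumption)."""
    try:
        ip = ip_address(rdata)
    except ValueError:
        return None
    if ip.is_loopback or ip.is_unspecified or ip.is_multicast or ip.is_link_local:
        return None
    if any(ip in net for net in _RFC1918):
        return None
    return ip


def subnet_of(ip):
    # /24 for IPv4 and /48 for IPv6 are illustrative "same hosting range" widths.
    return ip_network(f"{ip}/{24 if ip.version == 4 else 48}", strict=False)


def normalise(name):
    return name.lower().rstrip(".")


def triage(history, new_records, min_stable_days=180):
    past_by_name = defaultdict(list)     # (name, rtype) -> historical records
    names_by_ip = defaultdict(set)       # rdata -> names that used it before
    for rec in history:
        past_by_name[(normalise(rec.name), rec.rtype)].append(rec)
        names_by_ip[rec.rdata].add(normalise(rec.name))

    findings = []
    for rec in new_records:
        name = normalise(rec.name)
        past = past_by_name.get((name, rec.rtype), [])
        ip = parse_routable_ip(rec.rdata)
        if ip is None:
            findings.append(Finding(name, rec.rdata, "invalid"))
        elif not past:
            # Never-seen-before domain: no history to compare against, so excluded.
            findings.append(Finding(name, rec.rdata, "new-domain"))
        elif any(p.rdata == rec.rdata for p in past):
            findings.append(Finding(name, rec.rdata, "known"))
        else:
            stable_days = max((p.last_seen - p.first_seen).days for p in past)
            old_ips = [parse_routable_ip(p.rdata) for p in past]
            old_nets = {subnet_of(o) for o in old_ips if o is not None}
            # Historical usage of the new IP by other domain names.
            prior = tuple(sorted(names_by_ip.get(rec.rdata, set()) - {name}))
            if subnet_of(ip) in old_nets:
                verdict = "same-subnet"
            elif stable_days < min_stable_days:
                verdict = "short-history"
            else:
                verdict = "candidate"    # hand to deeper analysis (WHOIS, active checks)
            findings.append(Finding(name, rec.rdata, verdict, stable_days, prior))
    return findings


# Constructed sample data (documentation address ranges and .example names).
HISTORY = [
    PdnsRecord("party.example", "A", "192.0.2.10", date(2017, 3, 1), date(2024, 1, 10)),
    PdnsRecord("party.example", "A", "192.0.2.11", date(2019, 6, 1), date(2024, 1, 10)),
    PdnsRecord("shop.example", "A", "198.51.100.20", date(2023, 12, 20), date(2024, 1, 10)),
    PdnsRecord("other.example", "A", "203.0.113.77", date(2023, 11, 1), date(2023, 11, 20)),
]
SEEN = date(2024, 1, 12)
NEW_RECORDS = [
    PdnsRecord("Party.Example.", "A", "203.0.113.77", SEEN, SEEN),
    PdnsRecord("party.example", "A", "192.0.2.12", SEEN, SEEN),
    PdnsRecord("party.example", "A", "192.0.2.10", SEEN, SEEN),
    PdnsRecord("brandnew.example", "A", "203.0.113.5", SEEN, SEEN),
    PdnsRecord("shop.example", "A", "127.0.0.1", SEEN, SEEN),
    PdnsRecord("shop.example", "A", "203.0.113.9", SEEN, SEEN),
]

if __name__ == "__main__":
    for f in triage(HISTORY, NEW_RECORDS):
        print(f"{f.verdict:14} {f.name:18} {f.rdata:15} stable={f.stable_days}d prior={f.new_ip_prior_names}")
```

Only the `candidate` verdict is meant to move on to the later stages the report describes, such as the WHOIS re-registration check and the active comparison of content and HTTPS certificates.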

How to Test a Call Center Integration Before Buying Seats

Integrating business software with your call center is essential, but it’s rarely easy.

Vendors, of course, are going to sugarcoat the hurdles and advertise a call center integration that works off the shelf. Some are more open about the difficulties, but either way, you need to do your due diligence before making any drastic changes.

I’ll walk you through every way that you can test prospective call center integrations before you make a huge commitment. It’s hard to unwind these changes once deployed — you don’t want to be stuck in that position, or locked in to a suboptimal integration.

We’ll also look at how to lead the transition at your organization. The truth is that technically sound integrations sometimes fail because managers lack the will or communication skills to really drive adoption. Preparing your agents and supervisors for the integration is just as important as selecting software that fits with your tech stack.

Six steps to test a call center integration

1. Check system and compliance requirements

First and foremost, make sure that your system meets the technological or legal requirements for any new integration you wish to add to your stack.

Verify that the integration is built to work with your call center software and any other software that it must play well with, such as CRM software, ticketing systems, or ERP software.

Review integration documentation and API specs, ensuring they match your systems’ version and configuration. Compatibility is crucial to avoid issues like data mapping errors or limited functionality.

You also want to ensure that this integration complies with all legal requirements. Most reputable call center integrations are built with data security in mind, but if your industry has strict compliance requirements (e.g., HIPAA, GDPR), check if features like data encryption, role-based access controls, and audit trails satisfy relevant regulations.

2. Consult your IT team

Your IT team is a great resource that understands your call center’s technology even more than the agents who will ultimately be using it — and this includes the software you’re looking into integrating.

Rather than simply asking if an integration is doable or if the systems are compatible, ask them if they think the software will truly work well with your current infrastructure. What about your infrastructure 2-5 years from now?

You can also ask them if they have any glaring concerns about certain integrations, and what they would recommend for a testing plan once the integrations are complete.

By arming yourself with as much information as possible beforehand, you can ensure you are asking the right questions moving forward, and that subsequent integration testing is thorough, comprehensive, and accurate.

3. Survey business requirements

This is a must, and the better job you do figuring out what everyone at the organization needs, the more pitfalls you can avoid.

Survey heads of any team that is going to touch the integration or its data. This probably includes sales, service, IT, billing, HR, and may include third-party apps like payment gateways or services like IVR testing.

For example, your sales team may need the integration to work with specific types of call center dialers, call tracking software, or even a separate CRM from your customer service team.

It’s crucial for you to uncover the specific needs of each department early on in the process to ensure that you are only shopping for truly viable integrations. The last thing you want to do is find out that your new integration doesn’t meet the actual day-to-day needs of the organization.

4. Speak with customer references

Reach out to the sales representatives for the software you’re looking to integrate and ask for any customer references they may have available — particularly from other call centers.

Be sure to confirm what integrations their software works with, how their integration processes went, and if they encountered any testing or post-integration issues.

Taking this step can reveal potential issues that might not be evident in demos or technical documentation. Speaking with customers who’ve used the software helps validate its effectiveness in the real world. Someone who has been using the integration for a few years has a perspective you won’t find anywhere else.

With this information from peer organizations, you’ll have several first-hand accounts of the integration and testing process. This can help you rule out seemingly good-fit options and give you a better idea of what to expect moving forward.

5. Conduct demos

Be sure to conduct walkthroughs or demos of the technology before committing to any new call center integrations. This can be done by reaching out to company representatives and scheduling demos with key stakeholders such as your call center agents, IT team, and managers.

I would get down to a very short list of potential call center integrations before conducting demos. You need to “see how it drives,” but demos are so time-consuming and they pull important employees away from their work for at least an hour for each demo.

Know exactly what you want to demo, too. Don’t expect that the vendor’s team is going to come prepared for your exact situation. That would be nice, but it’s not realistic. More likely, you are their third demo of the day, tenth of the week, and the rep is figuring out who you are right before the call. So come prepared on your end.

If the integration relies on APIs, come ready to test the software your team plans to use. For example, check if the software integrates smoothly with your CRM, IVR software, and call tracking software. Is data exchanged accurately in real time? Are customer records updating and syncing to call logs?

Let’s say you’re looking to integrate interactive voice response (IVR) technology with your call center. You’ll want to know what other technology it’s compatible

5 Key Call Center Software Features + How to Judge Them

Many call center software features have no major impact on performance. Only a select few capabilities separate top vendors from the rest, and those are the ones to focus on. In this guide, we’ll break down the five essential features that define effective call center software — covering everything from must-have communication tools to analytics that drive real insights. We’ll also give you a clear framework to evaluate each feature, helping you cut through the hype and find the capabilities that will elevate your customer service. Whether you’re upgrading or starting fresh, understanding these features will help you make the right choice. 1 RingCentral Office Employees per Company Size Micro (0-49), Small (50-249), Medium (250-999), Large (1,000-4,999), Enterprise (5,000+) Medium (250-999 Employees), Enterprise (5,000+ Employees), Large (1,000-4,999 Employees) Medium, Enterprise, Large Features Hosted PBX, Managed PBX, Remote User Ability, and more 1. Interactive Voice Response (IVR) A basic IVR is essentially a phone tree that provides customers with an automated menu of options. Call center IVRs tend to be a little more advanced in their capabilities, and are typically connected to a database and allow customers to complete a range of tasks on their own. At the very least, an IVR is responsible for intaking calls and routing them to the appropriate agent. On the more advanced end, IVR systems allow customers to make payments, change their address, or transfer them seamlessly to another channel. How does a call center IVR work? Basic IVRs rely on DTMF tones (touch-tone inputs), while more advanced systems incorporate Automatic Speech Recognition (ASR) to process spoken responses. Some also use Natural Language Processing (NLP) to understand intent. Text-to-speech (TTS) technology is used to generate spoken responses for dynamic content, like account balances or payment confirmations. SEE: Discover seven surprising use cases for call center ASR.  
When choosing a system, businesses must decide between on-premises and cloud IVR solutions. On-premises IVRs run on internal servers, giving companies greater control over customization and data security. On-premises IVR systems cost a lot more upfront than cloud IVR, and come with significant ongoing maintenance and testing expenditures. Hosted IVRs are managed by the vendor and offer flexibility to scale as call volumes fluctuate. Updates and maintenance are baked into the cost of the subscription service. Cloud solutions also tend to be more budget-friendly and are popular with companies that want a reliable system without the demands of infrastructure management.

SEE: Nine reasons to use a hosted IVR vs hosting your own.

What are the expectations for call center IVR?

At a minimum, an IVR should reduce the friction of interacting with your customer support and reduce unnecessary wait times that result from live agents answering customer inquiries. Its implementation should also boost call management and associated call center metrics, such as call abandonment rates, first contact resolution, and first response times. Additional features that typically accompany a self-service IVR are omnichannel capabilities so customers can conveniently reach your call center through various means and on different platforms. An IVR self-service system improves customer experience and agent productivity while reducing costs. On the premium end, conversational IVR can interpret and respond to unique customer inquiries rather than reiterate recorded messages.

SEE: Discover real-world benefits of using conversational IVR.

2. CRM integration

Customer Relationship Management software has to integrate with your call center software. Maybe you are using a sales engagement platform or something other than a CRM — fine — whatever you use to keep track of customers needs to be connected to the phones. Don’t have a CRM? See how to pick the best CRM for your call center.
How does a CRM integration work for call centers?

For the most part, call center software will advertise pre-built integrations, SDKs, and APIs that allow companies to integrate their CRM software with the phone system. How well do these CRM integrations work? It depends on a ton of factors. The more you have customized your own system, the less plug-and-play the integration is going to be. Integrating your call center and CRM is going to take some time, regardless of how well any pre-built integration has been designed. More than any other call center feature, this is the one where you should spend the time to do the live demo and get recommendations from peers in your industry.

What are the expectations for call center CRM integration?

Integrating CRM functionality with your call center software enables you to build strong customer bonds and relationships. When your agents receive a customer’s call, CRMs provide them with detailed background information about that customer so they can provide personalized support. For high-volume call centers, the expectation is that CRMs will do more than just display customer information to agents. Companies want to see the IVR be able to prioritize calls from VIPs, distribute calls efficiently based on agent skills and customer needs, and set up call queues for outbound IVR based on customer data. Premium CRM software may include marketing automation, workflow automation, predictive analysis, and machine learning capabilities. For contact centers, multi-channel integration ensures you can provide customers with a consistent, quality support experience regardless of the avenue or channel they choose to reach you.

3. Call center analytics

Call center analytics empowers you to improve your call center’s operational efficiency. It allows you to collect relevant call center data, measure it, and analyze it, thereby gaining valuable insights to improve the performance of critical areas.
Call center analytics ensures you aren’t flying blind regarding your agents’ performance, the quality of their customer interactions, and their overall output.

How does call center analytics work?

Call center analytics works by measuring established metrics and key performance indicators (KPIs). Some of these include Average Handle Time (AHT), abandonment rate, and First Contact Resolution (FCR). These metrics provide vital information to managers, helping them offer high-quality customer service, improve team performance, and streamline call flows.

What are the expectations for call center analytics?

Managers expect analytics to enable data-driven decision-making and continuous improvement


How to Enforce IVR Authentication Without Annoying Callers

Every convenience you offer your customers creates a potential vulnerability that a hacker could exploit. That’s just the truth, sorry. IVR authentication is an important layer of security for the self-service options that you offer to callers with an IVR system. Without it, an attacker could easily pose as a victim, call into your IVR, access account information, move money, or update address information. In other words, weak IVR authentication enables identity theft, to say nothing of the risks it poses to sensitive business data. On some level, most consumers understand why a strong authentication process is required — but they don’t have unlimited patience. There are only so many hoops they’re willing to jump through before the process starts to grate on them. In this post, I’ll show you a few strategies to square the circle and provide rock-solid IVR authentication without disrupting the customer experience.

The challenges with making IVR authentication user-friendly

The essential problem is balancing high security with smooth user interaction. If an IVR cannot validate a caller quickly, they lose patience and hang up. This is particularly concerning in call centers where call abandonment heralds a decrease in customer satisfaction.

SEE: Learn how to calculate call abandonment rate.

Callers do not want to punch in long strings of numbers, navigate through complex menus, or provide sensitive information audibly. This is awkward, cumbersome, and many callers find it intrusive. Every extra step you add to the authentication process makes it stronger, but it also increases the chances of a user or system error.
Automated voice recognition is powerful, but it can misinterpret accents, regional dialects, or background noise. When users must speak key information like account numbers, there’s room for misunderstanding. Needing to repeat authentication attempts frustrates callers. Advances in natural language processing have improved IVR capabilities, but even the most advanced conversational IVR can misinterpret voice commands.

SEE: Learn about the real-world benefits of conversational IVR.

For contact centers where the IVR is integrated with other channels, there’s more that can go wrong for users, and more potential security vulnerabilities. Seamless channel integration is an aspiration rather than a reality for many contact centers. You’ll have to ensure that customers aren’t forced to re-authenticate after being transferred from the IVR to another channel.

Strategies for non-intrusive IVR authentication

So, how do businesses walk the line between security and user-friendliness in their contact center? It comes down to designing an IVR authentication system that’s intuitive and intelligent, with simple prompts and clear instructions that leave no room for error or confusion. You may already be familiar with some basic authentication methods like 2FA and MFA, two-factor authentication and multi-factor authentication, respectively. These tools use quick security checks that don’t overburden the user. But there are also more advanced technologies out there. Here are some of the strategies and authentication options that can help authenticate users in a way that’s quick, intuitive, and secure.

Biometric authentication

In an IVR system, biometric authentication utilizes unique physical characteristics, like voice prints, to verify a caller’s identity. Done right, the advantage of this method is its speed. Biometric authentication eliminates the need for remembering passwords or PINs.
To make it as non-intrusive as possible, businesses can use voice biometrics that seamlessly analyze the caller’s voice during conversation, thereby authenticating the user without interrupting the flow of interaction.

Keypad entry

A traditional method, this strategy can be improved by adding smart pauses, where the system waits for a natural break in the conversation before prompting for a PIN or password. Businesses can also allow callers to use a smartphone app or website to authenticate themselves, bypassing the keypad entry altogether. This approach caters to users uncomfortable with speaking passwords aloud or those in noisy environments.

Two-factor authentication (2FA)

IVR systems can send a one-time passcode (OTP) to the caller’s phone or email, which they then enter into the IVR system to gain access. While two-factor authentication adds an extra step, it significantly boosts security and can be streamlined by ensuring the code is short and the system prompts are clear.

Multi-factor authentication (MFA)

Multi-factor authentication is the same idea as 2FA, but MFA will use at least two factors to validate a user and often more. MFA typically uses OTPs that can be sent to multiple devices or online accounts, and may also use PINs or biometrics. OTPs should have a reasonable expiration time. Incorporating a feedback loop where callers can request more time or a new code if needed can greatly enhance the user experience.

Behavioral analysis

This isn’t so much a verification method as a security protocol that runs in the background. It’s an advanced strategy that involves analyzing the caller’s behavior patterns, such as typical call times or common transaction types, to flag any unusual activity. Preventing fraud and hardening security is just one of the reasons that a good call center IVR system comes with analysis tools. You can learn a lot about customer sentiment, buying patterns, and new pain points.
SEE: Discover the newest improvements with call center IVRs.

The best aspect of this extra layer of security is that there’s no action required from the caller. You can keep them and their data safer without making them jump through another hoop.

Keeping an eye on IVR authentication

Maintaining an IVR authentication system means keeping an eye on security, ease of use, and overall performance. Regular monitoring and updates are essential to make sure the system runs smoothly and remains user-friendly. Here are some simple ways to stay on top of IVR authentication maintenance:

- Regular testing and security audits: Routine automated IVR testing is a must for all systems. Either you or a third party should be managing this. Additionally, conduct periodic security audits on
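The one-time passcode handling described under 2FA and MFA above (a short code, a reasonable expiration time, and a way for callers to ask for more time or a new code), as an added example that is not from the original article or any IVR product. The class and method names and the limits (6 digits, 180 seconds, 3 attempts, 2 re-sends) are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

# All four limits are assumed values for illustration, not vendor defaults.
OTP_DIGITS = 6          # short enough to key in on a phone pad
OTP_TTL_SECONDS = 180   # the "reasonable expiration time"
MAX_ATTEMPTS = 3        # wrong entries allowed before the code is burned
MAX_REISSUES = 2        # "send me a new code" requests allowed per call


class IvrOtpSession:
    """OTP state for one call. Only a keyed hash of the code is kept in memory."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._key = secrets.token_bytes(32)   # per-call HMAC key
        self._digest = None                   # None means no usable code
        self._expires_at = 0.0
        self._attempts = 0
        self._reissues = 0
        self._extended = False

    def _mac(self, code):
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def issue(self):
        """Create a fresh code; the IVR delivers the return value out of band."""
        code = str(secrets.randbelow(10 ** OTP_DIGITS)).zfill(OTP_DIGITS)
        self._digest = self._mac(code)
        self._expires_at = self._clock() + OTP_TTL_SECONDS
        self._attempts = 0
        self._extended = False
        return code

    def request_new_code(self):
        """Caller asked for a new code. The old one stops working immediately."""
        if self._reissues >= MAX_REISSUES:
            return None                       # hand the call to an agent instead
        self._reissues += 1
        return self.issue()

    def request_more_time(self):
        """Caller asked for more time: one extension per code, only before expiry."""
        if self._digest is None or self._extended:
            return False
        if self._clock() >= self._expires_at:
            return False
        self._expires_at += OTP_TTL_SECONDS
        self._extended = True
        return True

    def verify(self, keyed_digits):
        """Return 'ok', 'retry', 'expired' or 'locked' (no usable code left)."""
        if self._digest is None:
            return "locked"
        if self._clock() >= self._expires_at:
            return "expired"
        self._attempts += 1
        # Constant-time comparison of keyed hashes, never of the raw digits.
        if hmac.compare_digest(self._mac(keyed_digits), self._digest):
            self._digest = None               # single use: a replay is rejected
            return "ok"
        if self._attempts >= MAX_ATTEMPTS:
            self._digest = None
            return "locked"
        return "retry"
```

With these limits a caller gets at most nine guesses per call against a space of one million codes, and every prompt the IVR plays maps to one of the four return values.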



Direct Inward Dialing Guarantees Callers Reach You Faster

Direct Inward Dialing (DID) is a way to reach a specific team member or department in an organization by dialing them directly, rather than going through a main phone menu or operator. It’s a feature commonly used within Private Branch Exchange (PBX) systems, and many Voice over Internet Protocol (VoIP) providers support DID functionality in their solutions. With DID, callers enjoy a more personalized, streamlined experience, and companies can support a more efficient, effective workforce.

Why direct inward dialing is so useful

A DID number is a virtual phone number that lets businesses give each employee or department a direct line, without needing a separate phone line for each person. Normally, a company would have just a few main phone lines, called “trunk lines,” but with DID, they can connect multiple unique numbers to those same lines. This means a customer calling a specific DID number can reach a person or department directly, instead of going through a central receptionist or switchboard.

Companies can use DID numbers to:

- Improve customer service, quickly connecting callers with their intended contact and limiting missed calls.
- Deploy local or toll-free numbers across different markets, projecting a professional presence wherever their customers are.
- Scale the number of phone extensions quickly, without adding physical infrastructure.
- Support a more personalized call experience, without the hassle of wading through lengthy phone menus.
- Maintain employee privacy, as calls can be forwarded to a personal cell phone when out of the office or working remotely.
- Bolster a business continuity strategy, allowing calls to be redirected to backup locations or remote employees during outages or emergencies.

VoIP services make Direct Inward Dialing easy to configure

Today, many companies make phone calls using VoIP instead of a landline. Essentially, they have a cloud phone system that uses the internet rather than a hardware PBX that uses the Public Switched Telephone Network (PSTN). Using DID numbers with VoIP is much easier than using a traditional system. Instead of installing a lot of hardware, companies can simply log into their VoIP phone software and add or change DID numbers online. This lets businesses set up direct lines for employees or departments fast, without big setup costs or waiting for vendors.

VoIP also gives businesses lots of ways to customize call routing. For example, companies can decide where calls go based on the time of day, who’s available, or where employees are working. This is especially helpful for remote or hybrid teams, as calls can be forwarded to different devices like cell phones or laptops with ease. With VoIP, companies have total control over their DID settings, and it’s all managed online, so changes are instant.

VoIP services, especially call center software, include tools that track and analyze call data, like how many calls come in, how quickly they’re answered, and more. This info can help companies improve call flow and make better decisions about staffing and customer service. Overall, VoIP makes it easy to manage DID numbers and helps businesses stay flexible as they grow.

How Direct Inward Dialing works

When a caller enters a DID number on the traditional PSTN, the call routes through an organization’s main phone provider to the dedicated PBX system trunk line associated with that DID. If the line is available, the call then routes directly to the recipient.
Otherwise, depending on the phone system configuration, the caller might experience a busy signal or be routed to another destination, such as a holding queue or voice mailbox.

VoIP providers manage the same direct routing much more efficiently through a process called Session Initiation Protocol (SIP) Trunking. Rather than renting a set number of trunk lines, which can then be updated only by the phone company, a VoIP provider can save businesses a great deal of time and money by establishing trunk lines as needed. Organizations can configure their system however they wish and reconfigure it at any time through their VoIP software interface. This is a huge benefit over traditional PSTN systems.

Can you fax with a DID number?

Yes. The process works in the same way as a traditional fax line. A DID number can be connected directly to a fax machine or to a fax server that runs to several machines. This way, each team member may be assigned their own DID phone number and separate DID fax number, which connects to a dedicated machine near their workspace.

SEE: Learn why you shouldn’t use your own fax server and what to use instead.

With the rise of remote work, modern businesses often connect a DID number to a cloud fax solution capable of converting documents into a JPG, PDF, or similar file that can be routed to an employee’s laptop or cell phone.

DID numbers vs DOD numbers

Somewhat related to Direct Inward Dialing, Direct Outward Dialing (DOD) enables team members to call anyone outside of their PBX system directly using the standard phone number format without having to go through an operator or switchboard. For convenience, a system can even be configured to dial outside numbers in a localized area without needing to use the area code. Anytime an employee calls an outside party from a DOD number, that specific individual or departmental extension will display on the recipient’s caller ID rather than a generalized main company phone number.

This is simply one more way that companies can strengthen their brand by providing a more personalized, streamlined experience for customers, vendors, and other associates.


Software Makers Encouraged to Stop Using C/C++ by 2026

The federal government is encouraging software manufacturers to ditch C/C++ and take other actions that could “reduce customer risk,” according to the Product Security Best Practices report. In particular, CISA and the FBI set a deadline of Jan. 1, 2026, for compliance with memory safety guidelines. The report covers guidelines and recommendations rather than mandatory rules, particularly for software manufacturers who work on critical infrastructure or national critical functions. The agencies specifically highlighted on-premises software, cloud services, and software-as-a-service.

While it isn’t directly stated that using ‘unsafe’ languages could disqualify manufacturers from government work, and the report is “non-binding,” the message is straightforward: Such practices are inappropriate for any work classified as relevant to national security. “By following the recommendations in this guidance, manufacturers will signal to customers that they are taking ownership of customer security outcomes, a key Secure by Design principle,” the report states.

Memory-unsafe programming languages introduce potential flaws

The report describes development in memory-unsafe languages as a practice that is “dangerous and significantly elevates risk to national security.” It is the first practice the report mentions. Memory safety has been a topic of discussion since at least 2019. Languages like C and C++ “provide a lot of freedom and flexibility in memory management while relying heavily on the programmer to perform the needed checks on memory references,” a 2023 NSA report on memory safety stated. However, the report continued, those languages lack inherent memory protections that would prevent memory management issues. Threat actors can exploit memory issues that might arise in those languages.

What software manufacturers should do by January 2026

By Jan. 1, 2026, manufacturers should have:

- A memory safety roadmap for existing products written in memory-unsafe languages, which “should outline the manufacturer’s prioritized approach to eliminating memory safety vulnerabilities in priority code components.”
- A demonstration of how the memory-safety roadmap will reduce memory-safety vulnerabilities.
- A demonstration of “reasonable effort” in following the roadmap.

Alternatively, manufacturers should use a memory-safe language. Memory-safe languages approved by the NSA include:

- Python.
- Java.
- C#.
- Go.
- Delphi/Object Pascal.
- Swift.
- Ruby.
- Rust.
- Ada.

SEE: Benefits, risks, and best practices of password managers (TechRepublic)

Other ‘bad practices’ vary from poor passwords to lack of disclosures

Other practices labeled “exceptionally risky” by CISA and the FBI include:

- Allowing user-provided input directly in the raw contents of a SQL database query string.
- Allowing user-provided input directly in the raw contents of an operating system command string.
- Using default passwords. Instead, manufacturers should ensure their product provides “random, instance-unique initial passwords,” requires the users to create new passwords at the start of the installation process, requires physical access for initial setup, and transitions existing deployments away from default passwords.
- Releasing a product containing a vulnerability from CISA’s Known Exploited Vulnerabilities (KEV) Catalog.
- Using open source software with known exploitable vulnerabilities.
- Failing to leverage multifactor authentication.
- Lacking the capability to gather evidence of intrusion if an attack does occur.
- Failing to publish timely CVEs including the Common Weakness Enumeration (CWE), which indicates the type of weakness underlying the CVE.
- Failing to publish a vulnerability disclosure policy.

The full report includes recommended next steps organizations can use to comply with the agencies’ guidelines.
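Three of the listed practices (raw SQL query strings, raw OS command strings, default passwords) shown next to their standard alternatives, as an added example that is not taken from the CISA/FBI report or the article. Parameterized queries and argument vectors are the usual fixes and are not spelled out in the article; the table, function names, constructed input and 20-character length are assumptions.

```python
import secrets
import sqlite3
import string
import subprocess
import sys

# Constructed sample input: a "name" that contains SQL syntax.
CONSTRUCTED_INPUT = "nobody' OR '1'='1"


def demo_db():
    """In-memory table with two constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT)")
    db.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return db


def find_user_unsafe(db, name):
    # The flagged practice: user input placed in the raw query string,
    # so quote characters in the input change the query's structure.
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()


def find_user_safe(db, name):
    # Placeholder binding: the driver sends the input as a value,
    # never as SQL text, so it can only ever match or not match.
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def echo_arg_safe(user_text):
    # Argument vector with no shell involved: the input stays a single
    # argv entry, so ';', '|' and '$()' are ordinary characters.
    child = "import sys; print(sys.argv[1])"
    done = subprocess.run([sys.executable, "-c", child, user_text],
                          capture_output=True, text=True, check=True)
    return done.stdout.rstrip("\n")


def initial_password(length=20):
    # "Random, instance-unique initial passwords": drawn from the OS CSPRNG
    # at provisioning time instead of shipping one shared default.
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    db = demo_db()
    print("unsafe:", find_user_unsafe(db, CONSTRUCTED_INPUT))
    print("safe:  ", find_user_safe(db, CONSTRUCTED_INPUT))
    print("argv:  ", echo_arg_safe("report.txt; echo INJECTED"))
    print("initial password:", initial_password())
```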
