What’s one often overlooked area hiding a lot of IT security threats? Hint: It’s the part of the IT department that has the most frequent contact with the rest of the organization.
Help desks are in many ways a gateway to the company’s IT infrastructure, and as such they can make attractive targets for cyber criminals.
That’s the message in a recent report from the SANS Institute, which surveyed 900 IT pros about their companies’ practices regarding help desk security.
The results: Security often isn’t an area of focus when solving tech problems. In fact, only 10% said the security practices of their company’s help desk are “robust.”
Often, the problem is that help desks are overworked, or just don’t want to bother users by taking extra security steps. Usually the name of the game for help desks is solving problems quickly, and that often doesn’t leave time for identifying and avoiding security threats.
The biggest threat help desks face, according to 69% of respondents: social engineering attacks.
Especially at larger organizations where help desk staff may not meet many users individually, it can be easy for a criminal to convince a staffer to reveal sensitive information. For example, one common help desk call is a request for a password reset. An attacker could potentially fake one of those calls to get into an account.
One solution: Have a policy requiring callers’ identities to be verified. Nearly 40% of the organizations surveyed have no such controls in place.
Beyond having a policy, it’s also important that the company enforces it so the rules are actually followed. Often, help desk employees will bypass those controls to tackle a user’s problem faster.
Using help desk software or self-service tools can also add a layer of security by requiring users to be logged in to make requests or complete certain tasks.
In addition to the threat of social engineering, 48% of survey respondents are worried that help desk staff could accidentally disclose sensitive information. Like the rest of IT, the help desk has access to a lot of data, and staffers could unknowingly reveal too much in the process of helping a user.
Many incidents could be avoided with some additional training on privacy protection for help desk staff. However, just 45% of companies offer security training for help desk employees.