In addition to the human component, lack of training, tools and technology also plays a key role in overall help desk security. More than 51% of respondents say they have a moderate approach to help desk security as part of their overall corporate security controls, but are not necessarily focusing on training or additional technologies for day-to-day activities. With most budgets determined by the number of users serviced, rather than cost per call or even cost of potential security breaches, establishing a return on investment (ROI) for new processes, additional training, and tools for daily support can be extremely difficult. Additional findings include:
- 44% of respondents ranked verification of call-in users as a much greater threat than verification of self-service users (11%).
- Only 10% of respondents ranked their security practices for the help desk as robust.
- Nearly 43% of respondents do not take the cost of a security incident into account when establishing their help desk budget; rather, help desk budgets are determined by the number of users.
The help desk continues to be the preferred method for employees to resolve basic IT issues. Its very charter is to better serve users and, as a result, help desk staff can hold excessive privileges, making the help desk an attractive target for social engineers and technical hackers attempting to gain entry into networks. In order to close the gap on help desk vulnerabilities, organizations need to rethink their approach to meet the convenience demands of users while protecting against threats. Recommended best practices include:
- Automation and self-service options for common user issues including password resets to help reduce errors and vulnerabilities that lead to successful breaches and data theft
- Robust and continuous training for help desk personnel to learn how to spot and react to potential social engineering attacks
- Advanced tools that leverage dynamic data sources and new authentication methods to more accurately identify users and their location
RSA Executive Quotes:
Sam Curry, Chief Technologist, RSA, The Security Division of EMC: "In many instances the help desk is the first line of defense against breaches and securing it should be as important as any other business-critical function. The new help desk needs to strike a balance of enhanced security and end-user convenience that integrates security directly into the process by adding technologies for automation and enterprise-level authentication, and continuous training to mitigate human error."