Having access to an IT helpdesk is important for any business with a lot of staff, as it streamlines the resolution of IT issues and helps keep the business running smoothly. But a helpdesk is also a point of vulnerability; we recently ran a story about casinos in Las Vegas falling prey to a social engineering attack that manipulated the IT helpdesk into giving hackers access to important systems.
So we thought we’d follow up with ways you can beef up your helpdesk’s security. Basically, doing so comes down to ensuring the right processes are in place, and then making sure that they are followed. As you probably know, processes are all well and good, but if they aren’t followed, they might as well not be there.
When it comes to securing your helpdesk there’s only so much you can do, but you still need to do it. Follow these tips, and your helpdesk will be better equipped to handle social engineering attempts and less likely to fall victim to hackers looking to breach your systems.
- Verify the caller’s identity
This sounds like Security 101, but you might be surprised at the number of helpdesks that don’t do this. It should be common practice to ask every caller for some form of personal information that matches what’s on the company database, to send an SMS or a code to a device that has been verified to belong to the person calling, or even to send an email. None of these is infallible on its own, but using more than one for identity verification makes life hard for scammers, as they are unlikely to have access to all avenues.
- Document your processes
Another simple-sounding tip: having processes in place for every type of call your helpdesk is likely to field is a vital step towards securing your IT systems. This way, helpdesk staff know exactly what to do in every imaginable scenario, and those processes have been put in place (and tested) by your IT people. The trick here is to make sure your helpdesk staff are aware of them, and the way you do that is…
- Training, training, and more training
It can be tempting to conduct training once or twice a year and then trust your people to just keep on keeping on, but it’s not wise. A better approach when it comes to your helpdesk is to do training regularly, especially when new staff rotate in or your systems get updated. And to make sure that the training is effective…
- Test your helpdesk processes
This one is sneaky, but it’s an important part of making sure your helpdesk is following processes and keeping security top of mind: test them. In security circles, doing this is called “penetration testing”, and it usually involves calling up the helpdesk and trying to get them to do something they shouldn’t. If they follow your processes, you shouldn’t be successful, but if you are, you’ll know where your processes aren’t effective and you can make adjustments. And if your helpdesk person doesn’t follow existing processes, you’ll know that it’s time for more training or, in extreme cases, disciplinary action.
- Communicate
Whether your helpdesk service is provided internally or externally via outsourcing, it’s important to keep everyone informed about what you’re doing inside your organisation. That means regularly talking to your helpdesk when you’re planning on sending out company-wide emails about new cyberthreats or if you’ve noticed a surge in vishing/phishing/smishing attacks. Keep them informed about the goings-on in your business, and you’ll equip them even better to handle any social engineering attempts made by hostile outside forces.
Don’t be the low-hanging fruit
As with anything relating to cybersecurity, none of these tips will guarantee that your organisation won’t fall prey to an attack. That said, if you implement this advice inside your business, you will at least not be an easy target.
And that’s almost as good.