Social engineering attacks are on the rise and a major threat to the IT service desk. Is your organisation prepared? Here’s what you need to know.
Social engineering and the service desk
ISACA’s State of Cybersecurity 2022 Report indicates that for the second year in a row, social engineering was the top attack type.
With the progressive shift toward remote and hybrid work for employees, new threats have surfaced. Where employee verification could have previously taken place in person by the IT service desk, it has been replaced by methods that are susceptible to social engineering attacks. These types of attacks are not only increasing in number but also in sophistication. Be aware, calls to the IT service desk could now use technologies such as deepfake and voice cloning.
For instance, the CEO of a UK energy company fell victim to AI voice impersonation, believing he was speaking on the phone with the boss of his parent company, who requested a transfer of over £200k. Another example involved a bank being defrauded of $35m by voice cloning of a director requesting fund transfers as part of an acquisition.
Although these are highly sophisticated examples, the expectation is that these types of attacks will become more prevalent and harder to detect, especially when it comes to targeting the service desk due to the current state of limitations to securely verifying users’ identities.
To prevent attacks such as these, IT departments should be looking at:
- Enforcing and monitoring secure user verification at the IT service desk
- Diverting high-volume calls away from the IT service desk.
Secure service desk verification
Specops Software conducted a survey among more than 130 organizations to determine if they were verifying users’ identities when contacting the service desk. The good news is that 65% of respondents answered affirmatively. However, the majority of them were relying on knowledge-based authentication (KBA), which involves asking static questions based on information from Active Directory or HR systems, such as employee ID or manager name.
Questions and answers like these to verify users’ identities have long been considered insecure. Organizations still relying on this method should consider more secure alternatives, particularly for high-risk use cases.
Another crucial consideration is user verification enforcement and the ability to monitor it, which was identified as a challenge by survey respondents. Although a significant percentage of organizations have a security policy in place that requires user verification at the IT service desk, there is no way to ensure or monitor compliance with this policy.
Password reset: reducing high volume / high risk calls
Gartner and Forrester report that 40% of help desk calls are related to password resets, with a single call costing the business around $70 (£60). These calls are not only burdensome to IT support teams but also significantly drive up costs and increase the risk of fake password reset calls.
A self-service password reset solution can offer a quick solution to this problem. Organisations can typically implement such solutions in a relatively short time and start realizing the benefits. However, it’s important to note that not all solutions are created equal. When evaluating a solution, consider:
- The authentication methods that the solution supports. It’s advantageous if the solution supports commercial authentication forms that are already in use.
- Enrollment options, such as pre-enrollment or forced enrollment for users.
- Ease of use and accessibility, including whether remote users can successfully reset their passwords without a VPN.
Solving the problem with Specops
Attackers often use password resets as an entry point, whether it’s through self-service or the IT service desk. The best approach is to have a security strategy that covers both of these areas, but organizations can begin by reducing calls to the IT service desk with a self-service password reset solution or enforcing secure user verification at the IT service desk.
Specops are leading the way in these area’s offering uReset, a self-service password reset solution utilising multi-factor authentication (MFA) with 20+ different ID service options including Duo Security, Google Authenticator, Microsoft Authenticator, Okta, PingID, Symantec VIP, and Yubikey and Secure Service Desk to enforce end user identity verification with different ID service options to protect against social engineering attacks at the service desk.
Specops Software is part of the Outpost24 group, serving over 2500+ customers in 65 countries. If you’d like a demo, trial or to speak to an expert, please get in touch.
