ITSM security: How to avoid being the next M&S

The Rising Threat of Social Engineering in ITSM

When news broke in April of the damaging cybersecurity breaches at Marks and Spencer, the Co-op and Harrods, business and IT leaders everywhere will have felt a collective chill run down their spine. The attacks prompted many organisations to immediately launch urgent reviews of their security protocols and procedures.

Furthermore, once it came to light that the breach at M&S was probably a social engineering incident – where the hackers may have gained access via the IT helpdesk – IT service management was put firmly in the spotlight. In particular, there was additional scrutiny regarding procedures for resetting passwords, which are often a weakness targeted by attackers.

The National Cyber Security Centre (NCSC), which has been investigating the high-profile attacks on the UK’s retail sector, has issued guidance urging businesses to: “Review helpdesk password reset processes, including how the helpdesk authenticates staff members’ credentials before resetting passwords, especially those with escalated privileges.”

The Cost of ITSM Security Failures

As every IT leader knows, the consequences of a security breach can be deadly serious. M&S’s losses as a result of the attack are likely to run to hundreds of millions of pounds. At the same time, incidents are becoming more frequent, especially as more organisations move to SaaS solutions, which widens the attack surface: every externally hosted service is another place where credentials can be phished, reset or misused.

What’s more, IT staff, with broader access to systems and data, are prime targets for cybercriminals. Although they are usually more alert to threats, they are often tempted to bypass cumbersome security procedures, making them just as vulnerable as their non-technical colleagues.

Strengthening Your ITSM Security Strategy

So what can be done to keep organisations as secure as possible? The aim must be to ensure that IT service management doesn’t become a weak link – while also enabling helpdesks to carry out their duties as effectively and efficiently as possible.

Nothing can be 100 per cent secure, but here are our top pieces of advice to keep you as safe as possible:

1. Automate as much as you can

Wherever you are able, automate your processes – but do it intelligently and ensure you still have robust security around your systems.

The weakest aspect of your organisation is nearly always going to be the humans using the tech. Hackers have sophisticated techniques for catching people at their most vulnerable, such as knowing the best time to call someone to fool them into revealing their password – for example, just as they’re leaving for the day to pick up the kids, or a Friday afternoon when people are tired and less focused on their work.

By automating processes such as password resets, taking the human out of the loop wherever possible, you reduce the number of decisions an attacker can talk someone into making.

However, simply sending out a reset link can also be risky: how can your employees tell the difference between a genuine link and a spoofed one? Fortunately, many of the best ITSM tools now offer alternative ways to reset passwords. These involve a structured interaction between the employee and the tool, which adds a further layer of verification before anything is changed.

For example, we recently implemented a procedure for one client that verifies a user’s identity through specific questions. It then generates a secure password and speaks it out phonetically to the analyst, so they can communicate it to the customer. There is no email going out, and nothing is being sent with a password. There’s a high level of validation going on, plus it’s all handled within the ITSM tool.
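The sketch below is an added example of that kind of flow and is not the client implementation or the ITSM tool’s own code. It gates the reset on a minimum number of independent identity checks (more for privileged accounts, in line with the NCSC advice quoted earlier), generates a random temporary password from an alphabet with no look-alike characters, and renders it in the NATO phonetic alphabet for the analyst to read aloud. The check identifiers, the number of checks required per account type and the password length are assumptions.

```python
"""Added example: verbal password-reset handoff with a verification gate.

Not CIH's or any vendor's code. Check names, thresholds and the password
length are assumed values chosen for illustration.
"""
import secrets
import string
from dataclasses import dataclass, field

# Assumed policy: independent identity checks an analyst must record before
# the tool will issue a reset. Privileged accounts need more evidence.
REQUIRED_CHECKS = {"standard": 2, "privileged": 3}

# Hypothetical check identifiers; a real tool would map these to its own fields.
KNOWN_CHECKS = {
    "hr_record_details",          # caller states details held only on the HR record
    "callback_to_listed_number",  # analyst hangs up and calls the number on file
    "line_manager_confirmed",     # manager confirms the request out of band
    "mfa_prompt_approved",        # caller approves a prompt on an enrolled device
}

NATO = {
    "a": "alpha", "b": "bravo", "c": "charlie", "d": "delta", "e": "echo",
    "f": "foxtrot", "g": "golf", "h": "hotel", "i": "india", "j": "juliet",
    "k": "kilo", "l": "lima", "m": "mike", "n": "november", "o": "oscar",
    "p": "papa", "q": "quebec", "r": "romeo", "s": "sierra", "t": "tango",
    "u": "uniform", "v": "victor", "w": "whiskey", "x": "x-ray",
    "y": "yankee", "z": "zulu",
}
DIGIT_WORDS = {"0": "zero", "1": "one", "2": "two", "3": "three", "4": "four",
               "5": "five", "6": "six", "7": "seven", "8": "eight", "9": "nine"}

# Characters that look alike are excluded so the spoken password is unambiguous.
AMBIGUOUS = set("0O1lI")
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in AMBIGUOUS)


def generate_temp_password(length: int = 14) -> str:
    """Return a cryptographically random temporary password from the unambiguous alphabet."""
    if length < 12:
        raise ValueError("temporary passwords must be at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def phonetic(password: str) -> list[str]:
    """Render each character as a spoken word so the analyst can read it aloud."""
    words = []
    for ch in password:
        if ch.isdigit():
            words.append("digit " + DIGIT_WORDS[ch])
        elif ch.isupper():
            words.append("capital " + NATO[ch.lower()])
        elif ch.islower():
            words.append(NATO[ch])
        else:
            raise ValueError(f"unsupported character {ch!r}")
    return words


@dataclass
class ResetRequest:
    username: str
    account_type: str              # "standard" or "privileged"
    analyst: str
    checks_passed: set[str] = field(default_factory=set)


def check_verification(req: ResetRequest) -> tuple[bool, str]:
    """Decide whether enough recognised checks have been recorded for this reset."""
    if req.account_type not in REQUIRED_CHECKS:
        return False, f"unknown account type {req.account_type!r}"
    unknown = req.checks_passed - KNOWN_CHECKS
    if unknown:
        return False, f"unrecognised checks recorded: {sorted(unknown)}"
    needed = REQUIRED_CHECKS[req.account_type]
    if len(req.checks_passed) < needed:
        return False, f"{len(req.checks_passed)} of {needed} required checks passed"
    return True, "verified"


def approve_reset(req: ResetRequest) -> dict:
    """Gate the reset on verification, then produce the spoken handoff and an audit record.

    The plaintext is returned only so the tool can set it in the directory;
    nothing is emailed, and the audit record deliberately omits the password.
    """
    ok, reason = check_verification(req)
    if not ok:
        raise PermissionError(f"reset refused for {req.username}: {reason}")
    password = generate_temp_password()
    return {
        "username": req.username,
        "password": password,
        "spoken": phonetic(password),
        "must_change_on_first_login": True,
        "audit": {"username": req.username, "account_type": req.account_type,
                  "analyst": req.analyst, "checks": sorted(req.checks_passed)},
    }


if __name__ == "__main__":
    # Constructed sample: a privileged user with only two checks is refused,
    # then approved once the manager confirmation is recorded.
    req = ResetRequest("j.smith", "privileged", analyst="helpdesk-07",
                       checks_passed={"hr_record_details", "callback_to_listed_number"})
    print(check_verification(req))
    req.checks_passed.add("line_manager_confirmed")
    print(" ".join(approve_reset(req)["spoken"]))
```

The analyst reads the spoken words to the caller and the account is flagged to force a change at first login, so the temporary value is never written into the ticket, an email or a chat message.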

2. Don’t rely too heavily on training

Most employees will have sat through some mandatory IT security training, and yet breaches still happen, frequently through social engineering, as in the case of M&S. Often that is because the training took place years ago and is no longer top of mind, or because it was a box-ticking exercise delivered through recorded videos that busy, distracted employees pay little attention to.

And let’s be honest: security is not an exciting topic.

So, while training is still important, don’t assume that your colleagues know or care enough about security and the latest scam techniques they are likely to experience. Instead, automate as much as you can and ensure you have some robust processes in place, especially for password resets (see above). Then ensure all your employees know about it, and keep reminding them.

3. Find the right balance between security and convenience

Throughout the history of cybercrime, this has been a tricky trade-off. How do you make sure your tech is easy for end users but still secure for the business? Make your security procedures too rigorous, and it’ll seriously harm productivity and employee morale. Make them too light, and you’re opening yourself up to a harmful attack.

The sweet spot lies somewhere in between. Two-factor authentication is a good example. It boosts security, but having to juggle several different authenticators frustrates users. A single, integrated option such as Microsoft Authenticator keeps the inconvenience to a minimum while still ensuring the necessary back-and-forth takes place; the one caveat is to configure it so that a push prompt cannot simply be approved by reflex, for example by requiring number matching, since attackers who already have a password will try to bombard the user with prompts until one is accepted.

How CIH Solutions Can Strengthen Your ITSM Security

Getting security right is tough. Fortunately, here at CIH, we understand the necessity of a blend of training, process definition, and secure product configuration.

In particular, we look at everything holistically to ensure you don’t end up with a techie solution that’s completely unusable, forcing people to find a dangerous workaround, or a very user-friendly option that’s completely insecure. That means understanding the full range of products available to your organisation, and how to integrate them in the optimum ways to extract the greatest value from them.

Ready to secure your ITSM processes against social engineering attacks? Contact our team today for a no-obligation security assessment of your current service desk practices.