The SANS 2013 Help Desk Security and Privacy Survey revealed nearly half of enterprise Help Desks operate with serious gaps in security controls — a full third of the IT professionals polled described risk management and security awareness training for Help Desk staff as “weak” or “non-existent.” When you consider that the primary functions of the typical enterprise Help Desk center largely on password reset requests and other incidents involving confidential information, the degree of danger is clear. The best way to mitigate a portion of this risk is to automate enterprise password management and access management.
Help Desk staff are trained to be friendly and accommodating — and they’re incentivized to resolve calls and tickets as efficiently as possible. With agents under pressure to meet productivity benchmarks, information security isn’t necessarily top-of-mind.
Imagine Chris in sales calling up the Help Desk because she can’t access a presentation she needs to deliver in 10 minutes. She’s panicked, and the agent feels pressured to solve her problem within the perceived urgency of the moment. Multiply that by two dozen daily requests and one of the reasons that information security drops to the bottom of the “to do” list is obvious. That agent isn’t thinking about security; instead, the agent is doing whatever it takes to retrieve the file Chris needs. Why? Because Help Desk personnel are trained and incentivized to solve problems quickly and with a positive outcome.
Seventy percent of survey respondents described “social engineering” attacks — when subversive individuals attempt to extract sensitive information and passwords from Help Desk agents — as significant to enterprise risk management. Because agents and the Help Desk overall are typically rated on productivity and speed metrics, staff members may ignore or work around regulatory compliance guidelines and IT security protocols to meet efficiency goals.
Pervasive understaffing and high personnel turnover rates further compound the problem. Entry-level agent positions tend not to be well-paid, and consequently, according to the report, annual churn rates in these jobs average somewhere between 30% and 40%. How does this impact security and IT compliance?
When you have untrained, transient staff sitting at the helm of data security, it’s a disaster waiting to happen. There’s simply no incentive to focus on information security protocols when it doesn’t factor into evaluation metrics. Even if you trained your staff exhaustively on compliance regulations, there’s no meaningful motivation to adhere to policies.
The reality of the enterprise Help Desk environment is a given. How you maintain data security within this environment, however, is a different story.
Of course good training and incentivizing staff to follow security protocols will help. However, when you consider turnover rates and the level of disengagement reported on the front lines, it’s never going to be enough.
The only way to effectively maintain IT security is to mandate compliance solutions through automation. When employees are empowered to manage and reset their own passwords, the Help Desk call volume plummets. Self-service password reset unburdens staff from a tedious, time consuming and costly exercise and seals the information security fissure created by manual password reset processes. Further, when role-based user access provisioning protocols are baked into an automated identity management and password management solution, the temptation and ability to orchestrate unsecure work-arounds significantly decreases.
You can’t eliminate Help Desk challenges, but you can manage IT security and compliance more effectively within an imperfect environment. Automating enterprise password management, help desk ticketing and user provisioning is a huge step in the right direction — your costs are lower, your efficiency is better, and your systems are more secure. Who can argue with that?
Password Reset Software Customer Testimonial
Password Station’s enterprise password manager synchronizes Gwinnett Medical Center’s passwords across a wide variety of systems and platforms, most notably McKesson Care Manager and Lawson HR. Avatier’s automated password reset tool enforces corporate password policies across systems, applications and cloud services. Password Station automatically administers corporate password management and security policies.
Learn the Top 10 Password Management Best Practices for successful implementations from industry experts. Use this guide to sidestep the challenges that typically derail enterprise password management projects.