Many IT help desk teams fall into a complacent mindset of “security through obscurity,” the belief that hackers have no reason to target them because, after all, they’re not Bank of America or The New York Times.
Never forget that anonymity does not in any way confer security.
However, every year, small businesses have a one in five probability of being cybercrime victims. Of the small businesses that become victims, around 60% are out of business within six months. That’s a scary statistic. Hackers don’t choose targets based on the size of the company, type of company, or really any other descriptor save one: vulnerability.
Why Smaller Businesses Are Often Targeted
Symantec’s 2013 Internet Security Threat Report found that smaller businesses are increasingly attractive as targets for hackers. Companies with fewer than 250 employees accounted for 31% of targeted hacking attacks in 2012. In 2011, they accounted for only 18% of such attacks.
Hackers choose small businesses for several reasons, a main one being they’re easy targets, and they often don’t have the resources to fight back the way big companies do. Furthermore, small businesses can yield big payoffs for hackers. Many times, breaching a small business’s network can serve up very useful data for hackers who want to go after bigger targets. Not only that, the small business’s data harvest might include employee information, cloud login credentials, and customer data … and sometimes customer financial information.
What Happened at Viber
In July 2013, the online help desk for Viber, a VoIP/instant messaging service, was hacked and the site defaced by the “Syrian Electronic Army,” a pro-Syrian hacking collective that targets victims in the name of Bashar al-Assad, the Syrian President. The hackers said they accessed email addresses, phone numbers, and other personal information of Viber’s users and employees. This particular hacking collective has been busy lately, accessing websites and Twitter accounts of the BBC, Al Jazeera, Financial Times, the Associated Press, The Guardian, and The Washington Post, among others. How did they get in? A Viber employee fell victim to an email phishing attack.
What Makes Help Desks Vulnerable
The very helpfulness of the IT help desk makes it a ripe target for so-called social engineering attacks, which include phishing scams. Social engineering is the art of using social trickery to get others to give up snippets of information they shouldn’t, and an IT help desk’s willingness to be helpful can give attackers a back door into business networks. Given enough snippets, access can be obtained. According to the 2013 Verizon Data Breach Investigations Report, social engineering is the most successful tactic used by hackers against service desks.
How to Avoid Social Engineering Attacks
Metrics based on speed and number, coupled with overwhelmed workers who just want to be helpful, are a recipe for social engineering vulnerability.
Metrics of IT help desk performance are often based on quantity and timeliness of resolutions, and this sets up the human help desk agent to be the weak link in help desk security. Think of the humble password reset. While most people are comfortable resetting passwords through the self-service portal, some people still go about the process by phone.
Self-service portal password resets tend to lower the opportunity for end-user impersonation, while the phone-based password reset is much more vulnerable. If people in your organization insist on using phone-initiated password resets, you should take steps to mitigate risk, such as emailing the end user’s manager to call the employee to verbally confirm the need for the reset. Yes, it’s a hassle, but it can reduce social engineering vulnerability. Other potential vulnerabilities must be identified and eliminated as much as possible.
By choosing your IT service management software wisely, you can lower your organization’s risk of being hacked through the IT help desk. Samanage is a provider of help desk software with robust security features and easy implementation of resolutions — like self-service password resets — that lower the risk of social engineering attacks. Not only that, all patches and security upgrades are installed automatically, so you don’t have to worry about falling behind or neglecting to install them. Great software can’t entirely protect your organization from social engineering attacks, but it can mitigate risk and help your IT professionals maintain the vigilance necessary to recognize threats and address them promptly.