When remote employees want to reset their passwords, they escalate the problem via email or give their IT service desk a call. But what if a hacker posing as an employee gets in contact?
Security best practice dictates that the IT team verify the identity of the requester, but according to research from Specops Software, only about half of organizations do so. The other half (48 percent) have no user verification policy in place for incoming calls to IT service desks.
The company’s latest report, based on a poll of more than 200 IT leaders from North America and Europe, adds that more than a quarter (28 percent) of organizations that do have a user verification policy in place aren’t satisfied with it, due to various security and usability issues.
Most companies rely on knowledge-based questions drawn from static Active Directory information (employee ID, manager’s name, birth date, etc.), which the report notes can easily be obtained by someone other than the account owner.
“Based on our recent findings, password resets at the service desk are a serious vulnerability for organizations of all sizes,” said Marcus Kaber, CEO of Specops Software.
“In the absence of a self-service password reset solution, it is up to the service desk agent to verify that the caller is the legitimate owner of the account before issuing a new password. Unfortunately, without a secure verification policy in place, service desk agents can provide account access to unauthorized users without even knowing it – exposing businesses to an increased risk of costly cybersecurity breaches.”
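As an added example, not from the report or from Specops' own tooling, the Python below contrasts the static knowledge-based check described above with the kind of secure verification policy the quote calls for: a one-time code sent to a contact method enrolled before the reset request, which the caller must read back. The directory record, the simulated phone inbox, the `send` delivery hook and the injectable clock are all constructed for this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample directory record for the example (not real data). These
# static attributes are the kind of thing a caller may already have learned.
DIRECTORY = {
    "jdoe": {
        "employee_id": "E-10442",
        "manager": "A. Rivera",
        "birth_date": "1988-04-12",
        "registered_phone": "+1-555-0100",  # enrolled before any reset request
    },
}


def verify_static_kba(username, answers):
    """Weak policy: compare caller answers with static directory attributes.
    This proves the caller knows the record, not that they own the account."""
    record = DIRECTORY.get(username)
    if record is None or not answers:
        return False
    return all(record.get(field) == value for field, value in answers.items())


@dataclass
class _Challenge:
    code_mac: bytes
    expires_at: float
    attempts_left: int


class OutOfBandVerifier:
    """Stronger policy: send a one-time code to the contact already enrolled for
    the account and require the caller to read it back.
    `send` is a hypothetical delivery hook (SMS gateway, authenticator push);
    `clock` is injectable so expiry can be exercised deterministically."""

    def __init__(self, send, ttl_seconds=300, max_attempts=3, clock=time.time):
        self._send = send
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._clock = clock
        self._key = secrets.token_bytes(32)  # per-process key for keyed hashing
        self._pending = {}

    def _mac(self, code):
        # Keep only a keyed hash of the code so a leaked challenge table is useless.
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def start(self, username):
        """Issue a code to the enrolled contact, never to one the caller supplies."""
        record = DIRECTORY.get(username)
        if record is None:
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = _Challenge(
            self._mac(code), self._clock() + self._ttl, self._max_attempts)
        self._send(record["registered_phone"], code)
        return True

    def confirm(self, username, code):
        """True only for an unexpired, unused code within the attempt budget."""
        challenge = self._pending.get(username)
        if challenge is None:
            return False
        if self._clock() > challenge.expires_at:
            del self._pending[username]
            return False
        challenge.attempts_left -= 1
        ok = hmac.compare_digest(challenge.code_mac, self._mac(code))
        if ok or challenge.attempts_left <= 0:
            del self._pending[username]  # single use; lock out once budget is spent
        return ok


def demo():
    """An impersonator who knows the static answers but does not hold the phone."""
    harvested = {"employee_id": "E-10442", "manager": "A. Rivera", "birth_date": "1988-04-12"}
    phone_inbox = []                 # simulated enrolled phone
    now = [1_000_000.0]              # fake clock so expiry is deterministic
    verifier = OutOfBandVerifier(lambda _dest, code: phone_inbox.append(code),
                                 ttl_seconds=300, clock=lambda: now[0])
    verifier.start("jdoe")
    real = phone_inbox[-1]
    wrong = "000000" if real != "000000" else "000001"
    results = {
        "kba_passes_for_impersonator": verify_static_kba("jdoe", harvested),
        "guess_fails": verifier.confirm("jdoe", wrong),
        "real_owner_passes": verifier.confirm("jdoe", real),
        "replay_fails": verifier.confirm("jdoe", real),
    }
    verifier.start("jdoe")
    now[0] += 301                    # let the second code expire
    results["expired_fails"] = verifier.confirm("jdoe", phone_inbox[-1])
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the design is that the agent never chooses where the code goes: delivery is bound to a contact enrolled before the call, so knowing someone's employee ID, manager and birth date is not enough. Codes are single use, expire, and carry an attempt budget, which closes the obvious guess-and-retry and replay paths.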