IT service desks lacking user verification policy, putting businesses at risk

48% of organizations don’t have a user verification policy in place for incoming calls to IT service desks, according to Specops Software. The information was uncovered as part of a survey of more than 200 IT leaders from the private and public sectors in North America and Europe.

In addition, the survey found that 28% of the companies that actually do have a user verification policy in place are not satisfied with their current policy due to security and usability issues.

For example, the majority of these companies rely on knowledge-based questions using static Active Directory information, such as an employee ID, a manager’s name, or even HR-based information like the employee’s date of birth or address – data that can easily be sourced by hackers.

In fact, the National Institute of Standards and Technology (NIST) recommends against using knowledge-based questions because of their lack of security.

Password resets at IT service desks are a serious vulnerability

“Based on our recent findings, password resets at the service desk are a serious vulnerability for organizations of all sizes,” said Marcus Kaber, CEO of Specops Software.

“In the absence of a self-service password reset solution, it is up to the service desk agent to verify that the caller is the legitimate owner of the account before issuing a new password. Unfortunately, without a secure verification policy in place, service desk agents can provide account access to unauthorized users without even knowing it – exposing businesses to an increase risk of costly cybersecurity breaches.”