48% of organizations don’t have a user verification policy in place for incoming calls to IT service desks, according to Specops Software. The information was uncovered as part of a survey of more than 200 IT leaders from the private and public sectors in North America and Europe.
In addition, the survey found that 28% of the companies that actually do have a user verification policy in place are not satisfied with their current policy due to security and usability issues.
For example, the majority of these companies rely on knowledge-based questions answered from static Active Directory information, such as an employee ID, a manager’s name, or even HR-sourced details like the employee’s date of birth or home address. None of this is secret: an attacker can often assemble it from org charts, social media profiles, or data exposed in earlier breaches, so a correct answer proves knowledge of the employee, not identity.
In fact, the National Institute of Standards and Technology (NIST) advises against knowledge-based questions in its Digital Identity Guidelines (SP 800-63) for exactly this reason: the answers are static, shared with third parties, and frequently discoverable.
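To make the difference concrete, here is an added example (written for this page, not code from Specops or from the survey) that places the weak scheme described above next to one alternative: a short-lived, single-use code delivered out of band to a contact already on file. The directory record, the user name and the mobile number are constructed sample data, and the delivery step is a callback that a real service desk would wire to SMS or an authenticator app.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed directory record standing in for the Active Directory / HR
# attributes a knowledge-based policy typically asks for. Not real data.
DIRECTORY = {
    "jdoe": {
        "employee_id": "E10482",
        "manager": "Alice Smith",
        "date_of_birth": "1985-03-14",
        "mobile": "+15555550123",   # registered out-of-band contact
    }
}


def verify_by_static_attributes(username, answers):
    """Weak scheme: the caller is 'verified' if their answers match directory
    attributes. Every answer is static and often discoverable, so a correct
    answer shows the caller knows things about the employee, not that they
    are the employee."""
    record = DIRECTORY.get(username)
    if record is None:
        return False
    return all(
        str(record.get(k, "")).strip().lower() == str(v).strip().lower()
        for k, v in answers.items()
    )


@dataclass
class OneTimeCodeVerifier:
    """Alternative scheme: possession of a registered device, proven by a
    random code that expires, is single use, and tolerates few wrong guesses."""
    ttl_seconds: int = 300
    max_attempts: int = 3
    _pending: dict = field(default_factory=dict)

    def issue(self, username, now=None, send=None):
        """Generate a fresh 6-digit code and hand it to `send(destination, code)`,
        which stands in for the SMS / push delivery path (assumed, not specified
        by the page). Returns False if the account is unknown."""
        record = DIRECTORY.get(username)
        if record is None:
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        now = time.time() if now is None else now
        self._pending[username] = {
            "code": code,
            "expires": now + self.ttl_seconds,
            "attempts": 0,
        }
        if send is not None:
            send(record["mobile"], code)
        return True

    def verify(self, username, code, now=None):
        """Accept the code only if it is unexpired, within the attempt budget,
        and matches (constant-time compare). A successful or exhausted entry is
        discarded so the same code cannot be replayed."""
        now = time.time() if now is None else now
        entry = self._pending.get(username)
        if entry is None:
            return False
        if now > entry["expires"]:
            del self._pending[username]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > self.max_attempts:
            del self._pending[username]
            return False
        ok = hmac.compare_digest(entry["code"], str(code))
        if ok:
            del self._pending[username]
        return ok


if __name__ == "__main__":
    # Static answers harvested from an org chart pass the weak check.
    print("static KBQ:", verify_by_static_attributes(
        "jdoe", {"employee_id": "E10482", "manager": "alice smith"}))
    # The one-time code only reaches the registered device.
    v = OneTimeCodeVerifier()
    delivered = []
    v.issue("jdoe", send=lambda dest, c: delivered.append(c))
    print("guess:", v.verify("jdoe", "123456"))
    print("real code:", v.verify("jdoe", delivered[0]))
```

The weak function is deliberately the behaviour the survey describes; the one-time code class is one illustration of a possession-based check, not a description of any vendor's product. In production the `send` callback, attempt counters and pending codes would live behind the service desk tooling rather than in process memory.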
Password resets at IT service desks are a serious vulnerability
“In the absence of a self-service password reset solution, it is up to the service desk agent to verify that the caller is the legitimate owner of the account before issuing a new password. Unfortunately, without a secure verification policy in place, service desk agents can provide account access to unauthorized users without even knowing it – exposing businesses to an increased risk of costly cybersecurity breaches.”