At #SDI16, I had the pleasure of hosting a breakout session with security expert Richard Sowden. It’s not often you get a chance to hear the advice of a real-life security expert, so for all of you who missed it, I have tried to distil some of the key pieces of advice into this blog.
The first thing we need to do is accept that the role of the service desk is central to keeping an organisation safe and secure. As the conduit between the business and the rest of the IT organisation, service desk professionals can provide insight about security concerns from customers and, in return, dispense advice packaged in a friendly format.
According to Richard, someone who lives and breathes security, there are some easy wins to make an organisation more secure.
Passwords and other fun
The first point concerns passwords and other customer interactions that require the service desk to verify identity. Often, there is a series of sound but uninspired ways of doing this – confirming a username or personal information perhaps – each with a potential problem. Firstly, some of the information is publicly accessible or easily guessed. Secondly, asking for too much information to mitigate the first risk can alienate customers, incentivising them to take security risks elsewhere. (If the service desk isn’t the easiest way for customers to get access to something they need, what alternatives might they try?)
Our security expert came up with a solution: ask conversational questions based on data that only the service desk holds but that the customer should know. It sounds complicated but it isn’t. An example of this in action, provided by Richard, was ‘could you tell me the last time you contacted the service desk and what it was about?’
The beauty of this is that it’s going to be tough for an outsider to guess the answer, while the service desk can ask for it in a friendly, conversational manner.
Rules are Rules
In the middle of his presentation, Richard touched on something that will ring true for many service desks – sometimes we’re concentrating so much on getting our customers where they need to be that we can lose sight of the bigger picture. I’ve seen it taking place on service desks; I’ve probably also unwittingly been a part of it myself. The customer is the number one priority – our driving force is to help them. But we must remember that rules are rules and, for the most part, they are in place for a reason.
Security experts like Richard don’t just dish rules out for fun. Often they are in response to a serious threat or designed to protect individuals and the wider organisation. Sure, Richard argues, customers should be the number one priority, but not at all costs.
Taking a step back, there is a clear balancing act. The service desk must be the best place to come for security assistance – better than risking customers going it alone – but we need to ensure there is a healthy respect for the rules. When customers ask for a ‘one-off’ that bends the rules a bit, service desk professionals must be aware of what parameters they can work within, ideally in a documented procedure.
Richard argues that IT leaders must “give the service desk the capability to raise alerts about issues and worries for the security team to investigate; this allows potential problems to be passed on to the people who understand the risk and are responsible for enforcing controls. This also ensures that service desk staff can be comfortable that they have the opportunity for concerns to be highlighted and helps in a potentially pressurised situation, reducing the chance that information will be concealed. For example, a member of staff requests something that doesn’t fit with policy or there is concern about a user’s identity for an account reset.”
Finally, in my personal and professional experience, resentment towards rules stems from misunderstanding. If the service desk articulated the reason for the rules, they might find their customers are more understanding and less likely to try to get around them in the future.
Use the plethora of resources out there
The final point raised by Richard is for service desk and IT professionals to use the vast amount of security advice and insight out there. Why not start with a webinar on security with Richard here?
It’s also worth browsing the Cyber Essentials site. Highly recommended by Richard, it provides businesses small and large with clarity on good basic cybersecurity practice. A great place to get started!