Every organisation which holds some form of IT Infrastructure also makes us of an IT Helpdesk/Service Desk, whether this be internal or outsourced. When we think of Cyber Security, the immediate thoughts run along the lines of hackers infiltrating our network and cracking codes to obtain our information. The world news is full of this recently. Usually this kind of activity is gained through use of an authorised login account. This is where Social Engineering can play a huge part.
If, like me, you have ever forgotten a password for a website account, maybe even an email account, there are many ways in which to retrieve this. There is usually a request to provide additional information to verify who you are before a trigger is made to send you a means to access account, usually via another email address these days. But how does this work in a law firm?
If I can give an example; a Partner might call the IT Service Desk saying "I have forgotten my password, can you reset it for me please?" The onus is then on the Helpdesk analyst to verify the Partner as being who they say they are. It is vital that this line of questioning is correct, as it would be very easy to come up with some seemingly difficult questions. Some examples below;
When did you start with the firm? LinkedIn would probably house this information
Can you email me from your BlackBerry to verify yourself, or Can I call you back on your mobile? Maybe the Partner provides a different number saying his corporate phone is dead.
These types of questions should not be trusted to give a verified answer; with preparation anyone could give excuses or answers to these questions. Also adding to this, if the Partner appears irate on the phone, the pressure increases on the Helpdesk analyst to quickly act.
The firm's policies should be clear from day one of any new starter, whether that be Partner or Helpdesk analyst. IT Security should not be taken lightly, no matter what your status or urgency; something to bear in mind when calling your IT Helpdesk.