Password Security and the Service Desk
83% of Service Desks think that it's possible for a criminal to gain a password to a legitimate end-user's account
SDI Report "On Security, GDPR and Self-Service Passwords"
Security risk in the service desk
In a 2018 survey, the Service Desk Institute (SDI) documented high security risks in the majority of IT service desks. When the service desk resets a password for an end user, the essential step in the process is authenticating the person calling in: is it the legitimate user, or is it someone impersonating the user? If a criminal passes that check and uses the access, the attacker has won and the organization has a GDPR data breach on its hands. Under GDPR, a personal data breach includes any unauthorized access to personal data, so one unauthorized person getting into one account can be enough.
The survey also shows that 43% of the service desks answering the question had identified attempts to gain access to end-user data. The threat is real.
The survey further shows that close to 80% have a management-defined process for authenticating callers (that 20% still have none is surprising in itself). The conclusion is that a management-defined process alone does not stop criminals from defeating the authentication step.
In the detailed answers, 31% say they should do more, while 51% say they have done all they can and still see a risk that criminals can break their authentication process. This is thought-provoking: how can professional service desk and security organizations accept a major risk of credential theft and simply live with it?
83% of the service desk managers in the survey believe it is possible for a criminal to obtain a user's password.
GDPR and the service desk
We recommend taking a closer look at the FastPass Facilitated Password Reset solution, where innovative processes and checks can be implemented in the end-user authentication process. It was developed primarily for the password reset situation, but it can be used in all other employee authentication situations as well.
One of the issues is the widespread use of privileged passwords by service desk representatives. In 47% of the service desks, all representatives hold privileged passwords, and in a further 38% a limited group has access to them. The problem is that a representative with that access can give a password to an illegitimate caller without it being noticed: the reset looks the same whether or not the caller was properly verified.
Given the intense coverage of GDPR, it is also surprising that 28% of the service desks are not part of their organization's GDPR initiative and another 28% do not know whether they are.
Taken together, these security and GDPR issues paint a picture of the service desk as a 'forgotten' team in many organizations when it comes to security and GDPR.