In a world of ever-shrinking budgets, enterprise IT remains under relentless pressure to find creative ways of doing more with less. One of the more common ways that organizations reduce IT costs is to outsource the help desk. However, discussions of the pros and cons of help desk outsourcing rarely address security and compliance.
There are any number of ways in which help desk outsourcing could create compliance violations, but let’s consider one really simple example: In the United States, HIPAA (Health Insurance Portability and Accountability Act) regulations require covered entities such as healthcare providers, and the business associates that handle data on their behalf, to safeguard protected health information (PHI) against unauthorized disclosure. Such organizations are subject to civil penalties if they allow an unauthorized individual to view PHI. So, with that in mind, imagine what would happen if a third-party help desk technician were to establish a remote session to a user’s PC while that user happened to have an electronic health record on screen. The technician has just viewed PHI, and if the provider has not been contractually bound as a business associate (HIPAA requires a business associate agreement for that), the covered entity has a reportable problem on its hands. The lesson here is that if you work in a regulated industry and choose to outsource help desk operations, then you must select a provider that is fully compliant with the regulations your organization is required to adhere to, and you must paper that relationship accordingly.
The “simple” fix is to choose a provider that guarantees regulatory compliance. However, while that might reduce or eliminate the chances of a compliance violation, the act of help desk outsourcing itself could potentially weaken your organization’s security--or even put your employees at risk.
When a user contacts an organization’s outsourced help desk by phone, the help desk staff must do something to verify the user’s identity beyond the name and employee number the caller volunteers. Most providers layer on an additional check. They might send a text message containing a code to the user’s smartphone (a possession factor), or they might prompt the user to answer a security question (another knowledge factor, and a static one, so this is not truly a second factor). Herein lies the problem.
Suppose for a moment that a user contacts the help desk for assistance with some issue. The user provides the help desk technician with his name and perhaps some other identifier, such as an employee number. The help desk technician then prompts the user to answer his security question. This means that the help desk technician now knows the answer to the user’s security question, and unlike a one-time code, that answer remains valid until the user changes it. There is nothing stopping the technician from writing the answer down and saving it for future use.
If that scenario seems implausible, then consider two important facts.
First, the technician works for the help desk provider, not for your organization, and therefore has no particular loyalty or attachment to your organization.
Second, help desk outsourcing firms (especially those located offshore) have notoriously high turnover rates. As such, a technician could conceivably spend a few months compiling information on your organization (user names, employee numbers, security-question answers, etc.) and learning about your infrastructure while assisting users with various problems. Once they have a good working knowledge of how your organization does things, the technician could leave the help desk provider and go work somewhere else. After a period of time, when everyone has forgotten that the rogue technician even exists, the technician could use that knowledge to gain access to your network. The technician might do this by accessing the network directly, or by contacting the very help desk he or she used to work for, posing as a user, answering the recorded security question, and requesting a password reset.
The best way to prevent an outsourced help desk from becoming a security problem is to keep your help desk operations in house. If operating your own help desk isn’t an option, then try to go with a help desk provider whose user validation methods cannot be easily replayed. For example, validating a user by sending them a text message containing a one-time code is generally going to be far more secure than asking them to answer a security question: a code that expires in minutes and is invalidated on first use is worthless in a technician’s notebook months later, whereas a security-question answer never stops working. Better still is a method in which the technician never sees the secret at all, such as the user approving a push notification or entering the code into a portal rather than reading it aloud. (SMS codes have their own weaknesses, such as SIM swapping, but those require a separate attack rather than a pen and paper.) Whatever the method, require fresh verification for high-risk requests such as password resets and MFA re-enrollment, and make sure the provider’s access is logged and reviewed.
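To make the difference between the two verification methods concrete, here is an added example (not code from the original article or from any help desk vendor) that models both checks and then plays out the rogue-technician scenario from above. The SMS/push gateway is a stand-in callback, the clock is injectable so expiry can be simulated, and the employee ID and security-question answer are constructed sample data. The point the code shows is that a recorded security-question answer verifies successfully months later, while a recorded one-time code does not.

```python
"""Help desk caller verification: static security question vs. one-time code.

Added illustrative example. The gateway callback stands in for an SMS or push
service, and all identities and answers below are constructed sample data.
"""
import hashlib
import hmac
import secrets
import time


def _normalise(answer: str) -> str:
    # Security-question answers are usually compared case- and
    # whitespace-insensitively, which also makes a written-down answer easier to reuse.
    return " ".join(answer.strip().lower().split())


class SecurityQuestionVerifier:
    """Static knowledge factor. The caller speaks the answer aloud, so the technician
    learns a secret that stays valid until the user changes it."""

    def __init__(self, answers: dict[str, str]):
        # Salted hashes: storage is not the weakness here, disclosure is.
        self._salt = secrets.token_bytes(16)
        self._hashes = {
            emp: hashlib.sha256(self._salt + _normalise(a).encode()).digest()
            for emp, a in answers.items()
        }

    def verify(self, employee_id: str, spoken_answer: str) -> bool:
        expected = self._hashes.get(employee_id)
        if expected is None:
            return False
        given = hashlib.sha256(self._salt + _normalise(spoken_answer).encode()).digest()
        return hmac.compare_digest(expected, given)


class OneTimeCodeVerifier:
    """Possession factor. A random code is sent out of band, expires after ttl_seconds,
    and is consumed on the first verification attempt (success or failure)."""

    def __init__(self, send, ttl_seconds: int = 300, clock=time.time):
        self._send = send      # send(employee_id, code): SMS/push gateway stand-in
        self._ttl = ttl_seconds
        self._clock = clock    # injectable so expiry can be tested deterministically
        self._pending: dict[str, tuple[str, float]] = {}

    def challenge(self, employee_id: str) -> None:
        code = f"{secrets.randbelow(10**6):06d}"   # 6-digit code from a CSPRNG
        self._pending[employee_id] = (code, self._clock())
        self._send(employee_id, code)

    def verify(self, employee_id: str, code: str) -> bool:
        entry = self._pending.pop(employee_id, None)   # single use: gone after this call
        if entry is None:
            return False
        expected, issued = entry
        if self._clock() - issued > self._ttl:
            return False
        return hmac.compare_digest(expected.encode(), code.encode())


def rogue_technician_scenario() -> dict[str, bool]:
    """A technician handles a legitimate call, writes down what the caller said,
    and replays it 90 days later. Returns each verify() outcome by label."""
    notebook: dict[str, str] = {}              # what the technician copies down
    sent: list[str] = []                       # gateway stand-in: what reached the phone
    fake_clock = [1_000_000.0]

    questions = SecurityQuestionVerifier({"E1234": "Rover"})        # constructed directory
    codes = OneTimeCodeVerifier(send=lambda emp, c: sent.append(c),
                                ttl_seconds=300, clock=lambda: fake_clock[0])

    # Legitimate call: the user is verified both ways; the technician records both.
    notebook["answer"] = "rover"                       # heard over the phone
    question_legit = questions.verify("E1234", notebook["answer"])
    codes.challenge("E1234")
    notebook["code"] = sent[-1]                        # user read the code aloud
    code_legit = codes.verify("E1234", notebook["code"])

    # 90 days later the ex-technician calls the desk posing as E1234.
    fake_clock[0] += 90 * 24 * 3600
    question_replay = questions.verify("E1234", notebook["answer"])   # still works
    code_replay = codes.verify("E1234", notebook["code"])             # consumed long ago

    # Even a fresh code does the impostor no good if it is not used in time.
    codes.challenge("E1234")
    fresh = sent[-1]                                   # delivered to the real user's phone
    fake_clock[0] += 301
    code_expired = codes.verify("E1234", fresh)

    return {
        "question_legit": question_legit,
        "code_legit": code_legit,
        "question_replay_months_later": question_replay,
        "code_replay_months_later": code_replay,
        "code_expired": code_expired,
    }


if __name__ == "__main__":
    for label, ok in rogue_technician_scenario().items():
        print(f"{label:30s} {'ACCEPTED' if ok else 'rejected'}")
```

The scenario function returns rather than prints its results so the behaviour can be checked mechanically; in a real deployment the `send` callback would be the SMS or push provider, and the pending-code table would live in the identity system rather than in the help desk tool, so that the technician only ever sees a pass/fail result.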
Security is all about vigilance--across every area of your business. When choosing a help desk provider--or any third-party provider, for that matter--it’s important to carefully assess not only what they offer but how they provide those offerings.