
teissTalk: From service desk to security risk - stopping social engineering at the source

Views on news


Several of Europe’s busiest airports have spent days trying to restore normal operations after a cyber-attack disrupted their automatic check-in and boarding software. What makes this attack stand out among similar ones is the absence of a multi-layered resilience plan. With the current rate of cyber-attacks, even individuals would do well to have a plan B in case businesses and institutions don’t. There are still airports that rely on manual processes. Attacks against aviation firms are on the increase too (at 600% for the past 24 months). Only terminals 1-4 were affected; terminal 5 already had a Plan B, BA having been attacked before. Airlines do share cybersecurity intel both formally and informally, but it takes them time to put controls in place. Also, building those defences is like taking out an insurance policy: an incident may or may not eventually happen.


Training the helpdesk to deal with social engineering


Today, voice samples used for social engineering aren’t only pre-recorded but can also be generated in real time, while virtual cameras can be injected into Zoom calls. But not all attacks use such sophisticated technology. Personal data such as an employee number or mother’s maiden name can no longer be used for authentication. Dual controls can add an extra line of defence. Nevertheless, deepfakes must now be incorporated into awareness training too, and authentication must find new ways, such as asking the boss to lift a pen.


Security education must become more agile, fluid and role-specific. Moreover, if service desks are outsourced, it’s harder for management to ensure that service desk staff get the right training. Businesses are also less conscientious about off-boarding vendors than onboarding them, which results in stale accounts and an extended attack surface: anomalies that a password auditor can point out. An alternative approach to preventing attacks on help desks could be educating staff better about the technology they use and its security features, so they rely less on help desks. For example, password resets can be done on a self-service basis as well.

 

The panel’s advice

  • Cyber awareness tests usually check recall and working memory, not actual learning.
  • There is a level of apathy in the general public about cybersecurity until they experience an attack.
  • We are now moving from “trust and verify” to “never trust, always verify.”
  • Practise recovery with your service desk and start testing your back-ups.
  • Do security education instead of training, allowing your employees to empower themselves to become more secure.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543