
Protecting IT support and service desks

Glenn Akester at Node4 explains why service desk teams need better tools to fight cyber-crime at source

 

Among UK mid-market businesses, IT support and help/service desk staff are currently the most difficult IT roles to hire or retain. This is ahead of other areas such as data scientists, cyber-security specialists and even AI professionals.

 

Why should this be the case? A major part of the challenge stems from the intense nature of the role, which can also go relatively unrecognised compared to other IT responsibilities. Expectations are often extremely high, with organisations contractually obliged to deliver almost 100% network uptime and 24/7 availability on the other end of a phone or Teams chat.

 

Unsurprisingly, this kind of environment often contributes to high employee turnover and the associated recruitment issues organisations face. The situation also has important cyber-security implications, with the risks brought into sharp focus by the recent activities of cyber-crime groups such as Scattered Spider, who hit the headlines having successfully targeted the helpdesks of Marks & Spencer earlier this year.

 

Social engineering success

But why service desks in particular, when there are so many other attack vectors available? According to analysis by Specops Software, it is because “they’re a high-leverage, low-resistance entry point into corporate networks.”

 

The process typically relies on social engineering techniques directed at service desk staff, who are asked to reset user credentials and MFA, which then enables the attackers to gain network access. By impersonating other staff from the target organisation, native English speakers use a personable, believable communication style and psychological pressure tactics, such as claiming urgent work reasons or reporting lost work phones, to convince service desks to share credentials or carry out MFA resets. The strategy is reinforced by the use of open-source data, including LinkedIn names and job titles, which makes requests more believable.

 

Once attackers obtain a reset, they rarely stop at a single account. They move laterally across cloud and on-premises environments, harvesting additional credentials and escalating privileges while blending into normal user activity. Residential proxy services and familiar log-in patterns make malicious sessions look routine, which further complicates detection. Many campaigns then pivot to the virtualisation layer, where limited EDR visibility on hypervisors allows new, covert infrastructure to be created and used to stage the final payload. The outcome is typically a combination of ransomware deployment and data theft, leading to operational disruption, recovery costs and prolonged business interruption.

 

Addressing the risks

So, where does this situation leave organisations and their security teams worried that their service desks might be targeted? The most effective defences begin at the point where requests are made. Organisations should ensure that no phone call or friendly message, no matter how authentic it appears to be, can override robust security processes. Strong verification must be required before any credential or MFA reset is approved, ideally involving more than one factor that is difficult to spoof. For high-risk changes, this could mean in-person identification or a pre-registered hardware token check. Resets carried out purely over email or chat should be prohibited, and if remote verification is unavoidable, it should involve a documented call-back to a trusted number on file, together with a short cooling-off period.

 

First-line staff should also have restrictions on the changes they are permitted to make. For instance, sensitive actions should be limited to just-in-time elevation with a second approver and time-bound access. At the same time, scripted responses and clear escalation routes can help service desk agents manage requests that rely on urgency or pressure tactics. Alongside this, monitoring normal account-change activity and flagging anomalies can highlight situations where attackers attempt to blend in with legitimate traffic.
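The verification and approval rules from the two paragraphs above can be enforced in the ticketing workflow rather than left to an agent's judgement under pressure. The following is an added example, not code from the article or from Node4; the field names, the check labels and the 30-minute cooling-off value are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

COOLING_OFF = timedelta(minutes=30)  # assumed length; the article only says "short"

@dataclass
class ResetRequest:
    channel: str          # "phone", "email", "chat" or "in_person"
    high_risk: bool       # e.g. privileged account or MFA reset
    checks: frozenset     # subset of {"callback_on_file", "hardware_token", "in_person_id"}
    requested_at: datetime
    agent: str
    approver: Optional[str] = None

def evaluate_reset(req: ResetRequest, now: datetime):
    """Return (decision, reasons), decision being 'approve', 'hold' or 'deny'."""
    deny, hold = [], []
    in_person = "in_person_id" in req.checks
    # Rule: no reset purely over email or chat.
    if req.channel in {"email", "chat"} and not req.checks:
        deny.append("request made purely over email or chat")
    # Rule: high-risk changes need in-person ID or a pre-registered hardware token.
    if req.high_risk and not (in_person or "hardware_token" in req.checks):
        deny.append("high-risk change needs in-person ID or hardware token")
    # Rule: remote verification needs a call-back to the number on file plus cooling-off.
    if not in_person:
        if "callback_on_file" not in req.checks:
            deny.append("remote request without call-back to the number on file")
        elif now - req.requested_at < COOLING_OFF:
            hold.append("cooling-off period has not elapsed")
    # Rule: sensitive actions need a second approver who is not the handling agent.
    if req.high_risk and req.approver in (None, req.agent):
        hold.append("second approver required")
    if deny:
        return "deny", deny
    return ("hold", hold) if hold else ("approve", [])

# Constructed sample requests (not real tickets).
T0 = datetime(2025, 1, 6, 9, 0)
URGENT_CHAT = ResetRequest("chat", True, frozenset(), T0, "agent1")
VERIFIED = ResetRequest("phone", True,
                        frozenset({"callback_on_file", "hardware_token"}),
                        T0, "agent1", "lead2")

if __name__ == "__main__":
    print(evaluate_reset(URGENT_CHAT, T0 + timedelta(minutes=5)))
    print(evaluate_reset(VERIFIED, T0 + timedelta(minutes=5)))
    print(evaluate_reset(VERIFIED, T0 + timedelta(minutes=45)))
```

Returning the reasons alongside the decision gives the agent a scripted answer for the caller and gives monitoring a record of which rule each refused request tripped.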

 

Attention should also be paid to the underlying infrastructure, particularly in organisations relying on virtualisation estates, which need to be carefully protected with strict role-based access controls, segmented network architecture and dedicated monitoring of administrative connections. Organisations should also identify those accounts where access, under all circumstances, should remain subject to hardware-based MFA.

 

Redefining service desk security

Minimising risk also depends on how these teams are valued and supported within the broader organisation. Rather than being seen purely as a support channel, they should be recognised as a critical line of defence, a shift in perception that should also be reflected in job descriptions and performance objectives, which should always include responsibilities relating to secure operations and safeguarding identity systems.

 

From a career development and progression perspective, service desk staff who are given opportunities to rotate into areas such as identity and access management, threat detection or incident response are more likely to view the role as a stepping stone within a longer career in IT and security. In this context, professional certifications and structured training can also reinforce the value of these opportunities and contribute towards better recruitment and retention.

 

Resourcing levels also play a role, not least because understaffed desks inevitably struggle to meet round-the-clock demand. In contrast, providing adequate coverage, together with modern tools that streamline verification and integrate risk signals directly into the agent console, can ease the burden on staff while simultaneously strengthening security.

 

It is time to redefine the role of the service desk. It’s a department crucial for protection and defence, not just valuable when something goes wrong and help is needed. By flipping its perception, organisations can improve the retention and recruitment of such roles, whilst strengthening their security posture in today’s deceitful cyber-security landscape.

 


 

Glenn Akester is Technology Director for Cyber Security & Networks at Node4

 

Main image courtesy of iStockPhoto.com and VioletaStoimenova


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543