Join us for the FREE Cyber Defense Forum | Live Online on October 9


Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

Announcing the SANS 2013 Help Desk Security and Privacy Survey Results!

Help desk services are a rich entry point for social engineers and technical attackers, but are you prepared?

  • Bethesda, MD
  • July 8, 2013

SANS announces the results of its survey on help desk security and privacy, sponsored by RSA, the security division of EMC. The full survey results will be released during a SANS Analyst Webcast on July 16 at 1 PM EDT.

Nearly all organizations have a help desk regardless of industry type and size. In the survey, respondents cut across various industries, including government (18%), finance (15%) and education (13%); health care, high tech and telecommunications were also well represented. Survey takers also represented a balance in terms of size of organization, with almost 20% supporting more than 25,000 users and 18% supporting 250 or fewer users.

The enterprise help desk is most often where a user turns to resolve a problem with all matters IT--access, endpoints and service--but for decades, the help desk has offered a back door to enterprise network resources through social engineering.

"One thing is clear--successful help desks need to be highly focused on customer service, yet they can present a security risk for the same reason they are in business--helping a user," explains Barb Filkins, SANS Analyst and author of the report. "The only real way to solve the problem is to build security into the business of help desk--from user-friendly but secure self-service tools, to training agents on ways to detect or prevent socially engineered attacks."

The good news is that awareness of and training for such attacks exists. In this SANS survey on help desk security and privacy, more than 70% of respondents reported that they are aware of social engineering, and some are even training their help desk staff to be suspicious. The bad news is that organizations are not factoring security into the overall help desk budget; security technologies are underutilized, and nearly 40% have weak or no security policy around their help desks.

"Self-service tools are viewed as a way to control costs associated with providing help desk services with live, but more expensive, human attendants," says Filkins. "But the success of automation depends on its usability. On-line tools can be so convoluted and difficult that an end user punches '0' to reach the human on the other end, to be led by the hand through the tool's use. Of course, all savings are lost when this happens."

Do the needs of the business trump the risks imposed by password reset and other self-service provisioning? Is an agent too rushed by resolution time limits to validate a caller's authenticity and successfully distinguish real users from social engineers? Can self-service and authentication be used to avoid these security risks and provide a more secure environment for those deploying such technologies?

Answers to these and other questions will be provided during a July 16 webcast where we release our results. Those who register for this webcast will be given access to the full results, in a whitepaper developed by Barb Filkins. During the webcast, attendees will learn:

  • How help desk managers measure success of their transactions
  • How to automate user self-service portals for improvements in risk and user education
  • What type of user vetting practices should automated and non-automated systems be taking to protect against social engineering attacks and other privacy and security threats identified by survey takers
  • How help desk managers view their own approaches to help desk efficiencies and security
  • Which budgeting and staffing practices are in use and their effectiveness

SANS Media Contact

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions worldwide. Renowned SANS instructors teach more than 60 courses at In-Person and Live Online cyber security training events, and more than 50 courses are available anytime, anywhere with our OnDemand platform. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system – the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community. (