Remember when Wayne Gretzky, "The Great One," famously said he skates to where the puck is going to be, not where it is? Cybersecurity professionals need to embrace this concept. Most of our current security measures are focused on where the puck is now, protecting online and mobile applications. Meanwhile, clever hackers are targeting areas where our defenses are weak: the call center, chatbots, and video calls. These oft-neglected targets are a hat trick of opportunities for fraudsters.
Terrifyingly, many people call their bank's call center and are verified with security questions whose answers are easy to guess or can be found on social media. Or worse yet, verification relies on voice ID that can be easily mimicked by AI-generated voices. We wouldn’t bank with a financial institution that does not have multifactor authentication (MFA) like biometrics or SMS codes protecting their website and mobile banking, but we still accept these outdated and insecure practices when we pick up the phone.
Expecting fraudsters to play nice and only attack us where we have a goalie in place is a losing strategy, since they are finding places where our defensive players aren’t. Today’s fraudsters are scoring against the call center, chatbots, and video calls, all of which have insufficient or sometimes no identity verification in place.
The FBI has released an advisory on a particularly effective game plan being used by a Russian hacker group named "Scattered Spider." This team of hackers has been calling help desks and impersonating real employees whose profiles were found on LinkedIn. The attackers convinced help desk employees to reset passwords and grant access to sensitive systems. Once inside, they accessed critical systems and data, causing significant operational disruptions and millions in financial losses to companies ranging from energy infrastructure to financial institutions and even well-known Vegas resorts. The victims of these attacks had their heads down and were left dazed after a big financial hit.
To meet these rising cybersecurity threats, we need to be aware of those dirty areas and put our defenders where they can break up plays that cost us goals. The help desk staff getting drafted are our team’s enforcers. Ensure they are first-round picks, not beer league irregulars. You get what you pay for in your first line of defense. Enhanced training for help desk employees is crucial, ensuring they can recognize fraudulent calls and understand the importance of thoroughly verifying a caller’s identity.
Budgeting appropriately for technology is as important as making sure you have money for helmets and pads. No team would take the ice without proper protective gear, and no organization should face the digital landscape without investing in robust cybersecurity measures.
Establishing and enforcing standardized procedures for caller verification is essential. Employees should follow the team playbook for every interaction. Help desk teams must be coached to follow the game plan. A key strategy employed by fraudsters is to elicit a false sense of urgency to coerce help desk agents into breaking the rules. Without any referees to call penalties, the help desk must keep their heads in the game and avoid coughing up the puck, no matter how urgent it seems.
Business rules can reduce the stick handling you need your help desk to do. These rules can be enforced with technology and ensure callers are who they say they are before high-risk actions are taken.
Technology that aids identity verification, such as advanced call monitoring systems that flag suspicious activity or secure, encrypted communication channels for help desk interactions, can further bolster defenses. Regular audits of help desk interactions can help identify gaps in identity verification processes, reinforcing training and ensuring compliance with established procedures.
Leadership plays a crucial role in fostering a culture of security within an organization. As with coaching, it’s essential for leaders to set priorities. Focusing on cybersecurity and providing the necessary resources and support for robust user authentication processes is critical. This includes investing in technology and training and creating an environment where employees feel empowered to adhere to security protocols, even if it means delaying service to verify identities thoroughly.
As cyber threats continue to evolve, so too must our defenses. The weakest link in security defense is often the human element. By focusing on strengthening identity validation processes for help desk interactions, organizations can significantly reduce their vulnerability to social engineering attacks. It’s a proactive step that requires investment and commitment but can ultimately safeguard against the potentially devastating consequences of a security breach.
Implementing hardware tokens or authenticator apps in your MFA strategy can greatly improve your defense for help desk interactions. MFA is the shot-blocker in front of your help desk's goalie – an additional layer of protection keeping the puck out of your own net.
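As an added illustration (not code from any vendor or from this article's author), here is one way the business rules and MFA requirement described above could be enforced in software and then audited. The action names, factor names, and ticket records are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Assumed policy values for illustration; tune to your own playbook.
HIGH_RISK = {"password_reset", "mfa_reset", "grant_access"}
STRONG = {"hardware_token", "authenticator_app"}   # possession-based MFA
WEAK = {"security_question", "voice_id"}           # guessable or spoofable

@dataclass
class HelpDeskRequest:
    ticket: str
    action: str
    verified: set = field(default_factory=set)  # factors the caller passed
    urgent: bool = False                        # caller claims an emergency

def decide(req: HelpDeskRequest) -> tuple[str, list[str]]:
    """Return (decision, audit_flags). Urgency never relaxes the rule."""
    flags = []
    if req.urgent and req.action in HIGH_RISK:
        flags.append("urgency_claimed")
    if req.verified and req.verified <= WEAK:
        flags.append("weak_factors_only")
    if req.action in HIGH_RISK:
        ok = bool(req.verified & STRONG)   # high risk: strong factor required
    else:
        ok = bool(req.verified)            # low risk: any verified factor
    return ("allow" if ok else "deny"), flags

def audit(completed: list[tuple[HelpDeskRequest, str]]) -> list[str]:
    """Tickets where the recorded outcome contradicts the policy decision."""
    return [req.ticket for req, outcome in completed
            if outcome == "done" and decide(req)[0] == "deny"]

# Constructed sample interactions (not real data).
SAMPLE = [
    (HelpDeskRequest("T-1", "password_reset", {"authenticator_app"}), "done"),
    (HelpDeskRequest("T-2", "password_reset",
                     {"security_question", "voice_id"}, urgent=True), "done"),
    (HelpDeskRequest("T-3", "check_ticket_status", {"security_question"}), "done"),
    (HelpDeskRequest("T-4", "mfa_reset", set(), urgent=True), "refused"),
]

if __name__ == "__main__":
    for req, outcome in SAMPLE:
        print(req.ticket, req.action, decide(req), "recorded:", outcome)
    print("policy violations:", audit(SAMPLE))
```

The audit pass surfaces the ticket where an agent completed a high-risk reset on security questions and voice ID alone under claimed urgency, which is the gap a regular review of help desk interactions is meant to catch.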
In the matchup against cybercrime, we need to play the right way. Ensuring that help desk employees are well-equipped to validate identities effectively is not just a best practice—it is a critical component of a comprehensive cybersecurity strategy. By addressing this often-overlooked vulnerability, organizations can build a more resilient defense against the ever-present threat of cyberattacks. Applying compliance frameworks to all vectors of attack can help keep your opponent off the scoreboard.
Ongoing maintenance of your cybersecurity program is like training for the next season. Even if you win the cup this year, there’s no guarantee that you have a dynasty on your hands. Your opponent is continually coming up with new offensive strategies, so you must ensure your team is always prepared. This maintenance includes technology upgrades, ongoing team training, and playbook reviews. There are no Zamboni drivers to clean up the ice, no intermissions, and no off-season breaks. Your organization needs to keep moving and training to stay ahead of the bad guys.
When your cybersecurity practices are robust and protect the security of your employees, customers, and their data, you will be well on your way to the Cybersecurity Hall of Fame!
Just a few thoughts from a hockey fan in cybersecurity.