Everyone — from you and me to your employer to the government to the richest organizations around — is vulnerable to a cyberattack. You needn’t look any further than what happened to the MGM casino chain in September 2023.
The world-renowned casino chain fell victim to a ransomware attack, where attackers reportedly gained access to sensitive information via vishing — which is a mashup of “voice” and “phishing.”1 The attack resulted in 10 days of disruptions, including hotel room keys and slot machines not working.1
This unfortunate event is a great example of how even businesses you’d think would be impenetrable are far from it. Let’s go back to just how this attack was apparently achieved: “vishing.” The voice aspect means someone actually impersonated someone else to achieve their nefarious goals.
That tracks with the trends that help desk personnel are seeing lately: cybercriminals impersonating employees in the hopes of gaining additional information or network access. Through social engineering, criminals can collect personal user information and use this data to trick help desk staff into handing over confidential information or sensitive data.
Today, verifying someone’s identity by asking for their corporate email address isn’t enough. Email addresses, job titles, supervisor names and answers to other common security questions are easily discoverable by cybercriminals. In addition, while many security threats are launched by external actors, threats can come from inside as well. That’s why proper user identity verification is an essential tool for IT help desk staff.
What is User Identity Verification?
When a user contacts an IT help desk, the first step for help desk personnel is to verify that the user is who they say they are. This process is called identity verification or digital identity verification. Identity verification helps prevent identity fraud and reduces the risk of granting network access to unknown users.
Methods of Identity Verification
Here are some methods you can employ to verify user identity.
Identity Management Tools
You can equip your IT technicians with a trusted tool for online identity verification services, such as QGuard from CyberQP. This is the tool we put our own trust in at Elevity. It offers crucial features, including:
- On-demand account creation
- Safeguard access
- Compliance and cyber insurance
- Password rotations
- Moving target defense
- Privileged account approval
- Office 365 and Azure Active Directory (aka Microsoft Entra ID)
- … and more
Knowledge-Based Authentication
Ask the user for personal information found in the organization’s database, such as their name, date of birth and/or employee number.
You can also ask knowledge-based security questions that only the user will know the answer to. Examples include asking for their grandmother’s maiden name or where they attended elementary school. Be sure to select questions whose answers aren’t easily guessable and that the employee hasn’t already posted publicly on social media.
Also, consider placing stickers with equipment ID numbers on all organization-assigned equipment. If a user is calling about a computer problem, this equipment ID number will be easy to find. In this instance, be wary if the caller is unable to locate the ID number.
Biometric Verification
More organizations are adopting the use of biometric analysis to verify user identity. This is done through the use of physical characteristics, such as fingerprints or facial recognition. Biometric analysis is a convenient identity verification method and provides enhanced security, since biometric data is difficult to replicate or steal.
Multi-Factor Authentication
Sending a verification code to a user via email or text is one of the most common methods of multi-factor (or two-factor) authentication. Other options include the use of authenticator apps, smartcards and biometrics. Having multiple layers of security will decrease the likelihood of an unauthorized user entering your network.
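Here is how the emailed or texted verification code described above could work on a help desk call. This is an added example, not part of the original article or any vendor's product. The directory, user name, phone number, five-minute lifetime and three-attempt limit are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 3        # assumption: the challenge locks after three tries

# Constructed sample directory: contact details already on file per user.
DIRECTORY = {"jdoe": {"phone_on_file": "+1-555-0100"}}


def start_challenge(username, now=None):
    """Create a challenge for a caller claiming to be `username`.

    Returns (challenge, code, destination). The technician's tooling sends
    `code` to `destination`; delivery itself is outside this example.
    """
    now = time.time() if now is None else now
    # Deliver only to the contact on file, never to a number or address
    # the caller supplies during the call. Unknown users raise KeyError.
    destination = DIRECTORY[username]["phone_on_file"]
    code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, six digits
    challenge = {
        "username": username,
        "digest": hashlib.sha256(code.encode()).digest(),  # no plaintext kept
        "expires_at": now + CODE_TTL_SECONDS,
        "attempts_left": MAX_ATTEMPTS,
    }
    return challenge, code, destination


def verify_challenge(challenge, spoken_code, now=None):
    """Check the code the caller reads back.

    Returns 'verified', 'wrong', 'expired' or 'locked'.
    """
    now = time.time() if now is None else now
    if challenge["attempts_left"] <= 0:
        return "locked"
    if now > challenge["expires_at"]:
        challenge["attempts_left"] = 0
        return "expired"
    challenge["attempts_left"] -= 1
    digest = hashlib.sha256(spoken_code.strip().encode()).digest()
    if hmac.compare_digest(digest, challenge["digest"]):  # constant time
        challenge["attempts_left"] = 0  # single use: cannot be replayed
        return "verified"
    return "wrong" if challenge["attempts_left"] else "locked"
```

A "locked" or "expired" result should end the request and start a fresh challenge, so a caller cannot keep guessing against the same code.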
Caller ID Spoofing Detection Tools
Confirming a help desk caller’s phone number via caller ID spoofing detection software will aid in verifying that the caller’s phone number matches the user’s. This extra layer of protection can provide more peace of mind in ID verification.
Self-Serve Password Reset Software
You can reduce the call volume burden on your IT staff by encouraging employees to use self-serve password reset software. Self-serve password reset software is a cloud-based application that helps organizations manage passwords and verify the identity of users. This software also automates password rotation schedules and settings based on parameters such as user time zone, rotation frequency and password length.
Benefits of Identity Verification
When your help desk adds identity verification to their toolbox, the department and your business as a whole will enjoy benefits.
Increased Security
Protecting user identity aids in deterring fraud. While this is especially important in financial services, healthcare and educational industries, every industry must be vigilant in ensuring the security of personal employee data.
Reduced Risk of Data Breaches
Cybercriminals and other bad actors may be lurking and checking for open doors leading to your network. Identity verification is an excellent tool to deter this.
Reduced Risk of Unexpected Downtime
It’s not widely known just how much MGM had to pay for the disastrous security breach. Patrons weren’t able to use MGM’s slot machines, couldn’t get into their hotel rooms, and even had to receive handwritten notices of their winnings.1 That’s all costly enough, but factor in unplanned downtime, where employees aren’t able to be productive, and the cost is compounded.
Improved User Experience
Identity verification shows your employees that your organization is taking steps to keep their identities safe. This builds trust between your employees and help desk. This trust will provide a solid foundation for future interactions when employees need assistance.
What’s Your Cybersecurity Risk?
Whether you have the resources of an industry titan like MGM or not, a cyberattack can be costly and disastrous. Unexpected downtime wastes your resources, your customers may become disgruntled and you could lose valuable assets and data. Do everything you can to not let that happen.
We have a free Cybersecurity Risk Assessment tool you can use to check how prepared you are in the event of a cyberattack. Simply answer questions in a few key categories, such as security awareness, and we’ll send you a score and recommendations for your next actions.
SOURCES:
1. Vox, “The chaotic and cinematic MGM casino hack, explained,” September 21, 2023.