Cybercrime is one of the biggest current risks to organizations, so it's unsurprising that phrases such as "security is everyone's responsibility" are popular. There's also a need for IT security teams and the IT service desk to work together effectively. When this is done well, the IT service desk plays an essential role in an organization's IT security practice, including acting as the central point of help and advice for end users.
If you feel that your IT service desk could do more to help with IT security, then this post is for you: it outlines a number of areas where IT security best practices can be blended into day-to-day service desk activities.
Ensure that your IT security policies cover acceptable usage
If you don't have an IT-focused acceptable usage policy, then you're missing a trick. Such a policy clearly sets out what is and isn't appropriate on company infrastructure and systems, and gives the service desk something concrete to point to when a request or a reported behavior falls outside the lines.
If you’re creating an acceptable usage policy from scratch, then – in addition to seeking guidance from the corporate IT security team – also speak to your corporate compliance or risk teams to see if there are any existing usage policies that you can build on or any templates you can adapt.
An acceptable usage policy should state who is responsible for enforcing it and how deviations and breaches are dealt with. It should also contain:
- A clear scope – what is and isn't covered, including whether (and under what conditions) company data may be accessed from personal devices
- A reminder that employees shouldn't automatically expect privacy on company systems
- Remote work guidance on how to use corporate devices safely on non-company networks
- Details of the data classification scheme and how to recognize what constitutes confidential information
- The consequences of not following the acceptable usage policy.
Limit software installation permissions
If your organization doesn't control what people can install on their devices, then it runs the risk of end users installing unsafe applications or software containing malicious code (in addition to the consequences of being non-compliant from a software asset management perspective).
To help, the IT service desk can be a point of control for software installation. For example, it can ensure that end users don't have local admin rights and therefore can't install unvetted software on their devices, with all software installation instead carried out by IT (or through a managed self-service catalog) so that only vetted and authorized applications reach corporate devices. Bear in mind that removing local admin rights does not stop everything: portable executables can still run from user-writable locations such as the profile directory, so pair the control with application allowlisting where your platform supports it.
Providing end user security training and reminders
The reality is that, even with the best will in the world, if your end users aren't educated on, and engaged with, IT security then your organization is at increased risk. It's easy to say that IT security is everyone's job (we did earlier); what's harder is creating effective training that end users can apply in real life.
Whether it's the IT security team, the IT service desk, human resources (HR), or all three, build IT security training into your company's employee induction process so you catch employees in their first day or week in the business. Also deliver repeat training to employees, either at defined intervals or when policy breaches necessitate a refresher from the IT service desk.
Things to cover in your IT security training include:
- The acceptable usage policy
- How to use IT equipment appropriately
- Good password management
- How to request new software via official channels
- Social media access and usage (if allowed)
- How to recognize and report a suspected security incident to the IT service desk.
Regularly review password management practices
Strong password management is the bedrock of effective IT security management. The IT service desk and IT security team should regularly agree on the appropriateness of, and potential changes to, corporate password management practices.
Some things to consider when reviewing your organization’s password requirements include:
- Enforcing password policy at a system level, for example through Active Directory group policy or mobile device management, so that rules are applied consistently and accounts are locked if an incorrect password is entered too many times. Two caveats a practitioner will want: set the lockout threshold high enough to defeat online guessing without letting an attacker lock users out at will, and note that current guidance (NIST SP 800-63B) advises against forcing periodic password changes, since they push users toward predictable variations; instead, require a change when compromise is known or suspected.
- Making sure that IT service desk staff are aware of how the password policy works and agreeing on a process for password resets. Depending on the security requirements for your organization, this could be via self-service, logging a ticket, or having a manager request new credentials. Whatever the route, it must include a way to verify the requester's identity, because a reset request to the service desk is a classic social-engineering target.
- Mandating a minimum password length and complexity, to make passwords harder to guess: disallowing dictionary words and requiring a mix of cases, digits, and special characters. Composition rules alone are easily gamed ("P@ssw0rd1" satisfies all of them), so screening candidate passwords against a list of common and previously breached passwords is at least as important as character-class rules.
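As an added example (not code from the original post), the following Python checker enforces the composition rules above and also screens a candidate against a wordlist after undoing the usual leetspeak substitutions, which is what catches passwords such as "P@ssw0rd2024!" that pass complexity rules. The wordlist is a small constructed sample, and the minimum length, the substitution table, and the function names are assumptions for illustration; a real deployment would load a breached-password list from a file.

```python
"""Password-policy checker: composition rules plus a dictionary screen.

Added example, not part of the original post. COMMON_WORDS is a constructed
stand-in for a real common/breached-password list.
"""
import re

# Constructed sample wordlist (assumption); load a proper list in practice.
COMMON_WORDS = {"password", "welcome", "summer", "company", "letmein", "qwerty"}

# Substitutions users typically apply to satisfy complexity rules (assumption).
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Reduce a password to the word a user probably started from.

    Lower-case it, drop the trailing digits/symbols users append ("2024!"),
    then undo leetspeak, so 'P@ssw0rd2024!' becomes 'password'.
    """
    base = re.sub(r"[^a-z]+$", "", pw.lower())
    return base.translate(LEET_MAP)


def check_password(pw: str, min_length: int = 12,
                   common_words=COMMON_WORDS) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []

    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # Character-class rules as described in the policy bullet above.
    classes = {
        "lowercase": re.search(r"[a-z]", pw),
        "uppercase": re.search(r"[A-Z]", pw),
        "digit": re.search(r"[0-9]", pw),
        "symbol": re.search(r"[^A-Za-z0-9]", pw),
    }
    missing = [name for name, hit in classes.items() if not hit]
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))

    # Dictionary screen on the normalized form, not the raw string, so that
    # complexity-rule gaming ("P@ssw0rd!") is still caught.
    norm = normalize(pw)
    if norm in common_words:
        problems.append(f"based on the common word '{norm}'")

    # Catch degenerate strings like "aaaaaaaaaaaa" that satisfy length alone.
    if len(set(pw)) <= 3:
        problems.append("too few distinct characters")

    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd2024!", "Summer1", "Correct-Horse-Battery-Staple7"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The point of the `normalize` step is that the check runs on what the user meant, not on what the complexity rule sees; the same idea extends to screening against a breached-password list, where you would compare the normalized form as well as the raw string.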
Don’t forget the experience
IT security is important but so is the user/employee experience. The trick is to get the balance right – keeping the organization secure without making it complicated for end users to use IT services.
For example, making it easier for end users to manage their passwords by:
- Having a self-service password reset portal, backed by a second factor or another form of identity verification, where users can reset their password if they forget it or are locked out of their account
- Providing a corporate password manager so that users don't have to remember (or reuse) passwords and can generate strong, unique ones
- Ensuring that all company-issued equipment is labeled with the contact details for the service desk. So, if an end user does get locked out of their account, they know who to contact.
Create a model for security incident management
One of the most important aspects of the relationship between the IT security team and the IT service desk is how to respond to security incidents. Here there’s a need to create a defined workflow model so that all security issues are handled effectively, consistently, and safely.
Some things to consider include:
- Creating templates so that security incidents are easy to log, route, and track
- Building in escalation matrices so that the appropriate support and security teams are notified of issues automatically
- Having clear instructions for triaging security incidents at first line to prevent them from worsening. Appropriate first-line action could be isolating a device from the network, advising the end user to change their password, or running a malware scan. Agree which actions are reserved for the security team, so that first-line staff don't destroy evidence (for example, by reimaging a device) before it has been collected
- Root cause analysis activities – to understand how a security breach occurred and to identify any lessons learned.
That’s our take on how to better align IT security teams and the IT service desk. What would you add to this? Please let us know in the comments.