It’s Friday at noon, and you are walking toward the building where the IT offices are located. As you get to the door, you notice that there is someone behind you carrying four pizza boxes. You hold the door so they can get in.
Inside the phony pizza boxes is an array of wireless network gear designed to capture as much information as possible, as well as a couple of small cameras. After walking around inside the IT offices for a bit, the fake pizza delivery person exits the building.
I’ve described one of the oldest and easiest ploys used by people who are trying to penetrate your security. It’s a very basic form of social engineering, and it works. And in case you were thinking that wireless isn’t a particularly good attack vector, Gartner has said that Wi-Fi will be the default connection for non-mobile devices (including desk phones) in 40 percent of enterprises by 2018. Would you like fake pizza guy eavesdropping on internal phone conversations?
A popular YouTube video (warning: mild profanity) shows a woman getting unauthorized access to a cell phone account by acting stressed and having crying baby sound effects in the background. This is known as a vishing attack—phishing via voice. In this scenario, the woman plays on the customer service representative’s desire to help. Security measures in place—sending a personal identification number (PIN) via text—are bypassed to resolve the issue.
Could this scenario be played out in your support center?
The answer is very likely “Yes.” Your staff is hired and trained to be helpful; it’s what they do. Too often, information security is viewed as someone else’s job, and the goals of security (to protect) and support (to assist) are often at direct odds.
Consider some ways in which social engineering attacks could be directed against the support center:
- I forgot my password and security questions—Manual password changes done via telephone
- I can’t get into the file share I need
- Can’t you make an exception just this once?
- I left my ID card home and can’t get into my building. Can you call someone to come and open the door?
Here are some things you can do to minimize risk:
- Talk regularly about security with your team
- Log every contact—if a breach happens, this can help trace the origin
- Train the staff—HDI courses contain security management components specifically in the context of the support center
- Share information internally about suspicious calls or activity
- Develop a good working relationship with the information security office
- Abide by and enforce all applicable security policies—every time
How does this fit into customer service?
One of the best services we can provide for our customers, whether they are internal or external, is keeping their personal information—and the information needed for the business—safe. The first line of assistance should also be the first line of defense.
Roy Atkinson is HDI's senior writer/analyst, acting as in-house subject matter expert and chief writer for SupportWorld articles and white papers. In addition to being a member of the HDI International Certification Standards Committee and the HDI Desktop Support Advisory Board, Roy is a popular speaker at HDI conferences and is well known to HDI local chapter audiences. His background is in both service desk and desktop support as well as small-business consulting. Roy is highly rated on social media, especially on the topics of IT service management and customer service. He is a cohost of the very popular #custserv (customer service) chat on Twitter, which celebrated its fifth anniversary on December 9, 2014. He holds a master’s certificate in advanced management strategy from Tulane University’s Freeman School of Business, and he is a certified HDI Support Center Manager. Follow him on Twitter @HDI_Analyst and @RoyAtkinson.