- Skating Ahead of Cyber Threats
Canadian Cybersecurity Network

Remember when Wayne Gretzky, "The Great One," famously said he skates to where the puck is going to be, not where it is? Cybersecurity professionals need to embrace this concept. Most of our current security measures are focused on where the puck is now, protecting online and mobile applications. Meanwhile, clever hackers are targeting areas where our defenses are weak: the call center, chatbots, and video calls. These oft-neglected targets are a hat trick of opportunities for fraudsters.

Terrifyingly, many people call their bank's call center and are verified with easy-to-guess security questions whose answers can be found on social media. Or worse yet, verification relies on voice ID that can be easily mimicked by AI-generated voices. We wouldn't bank with a financial institution that does not have multifactor authentication (MFA) like biometrics or SMS codes protecting its website and mobile banking, but we still accept these outdated and insecure practices when we pick up the phone.

Expecting fraudsters to play nice and only attack us where we have a goalie in place is a losing strategy, since they are finding places where our defensive players aren't. Today's fraudsters are scoring against the call center, chatbots, and video calls, all of which have insufficient or sometimes no identity verification in place.

The FBI has released an advisory on a particularly effective game plan being used by a Russian hacker group named "Scattered Spider." This team of hackers has been calling help desks and impersonating real employees whose profiles were found on LinkedIn. The attackers convinced help desk employees to reset passwords and grant access to sensitive systems. Once inside, they accessed critical systems and data, causing significant operational disruptions and millions in financial losses to companies ranging from energy infrastructure to financial institutions and even well-known Vegas resorts.
The victims of these attacks had their heads down and were left dazed after a big financial hit. To meet these rising cybersecurity threats, we need to be aware of those dirty areas and put our defenders where they can break up plays that cost us goals. The help desk staff getting drafted are our team's enforcers. Ensure they are first-round picks, not beer league irregulars. You get what you pay for in your first line of defense.

Enhanced training for help desk employees is crucial, ensuring they can recognize fraudulent calls and understand the importance of thoroughly verifying a caller's identity. Budgeting appropriately for technology is as important as making sure you have money for helmets and pads. No team would take the ice without proper protective gear, and no organization should face the digital landscape without investing in robust cybersecurity measures.

Establishing and enforcing standardized procedures for caller verification is essential. Employees should follow the team playbook for every interaction, and help desk teams must be coached to follow the game plan. A key strategy employed by fraudsters is to create a false sense of urgency to coerce help desk agents into breaking the rules. Without any referees to call penalties, the help desk must keep their heads in the game and avoid coughing up the puck, no matter how urgent it seems.

Business rules can reduce the stick handling you need your help desk to do. These rules can be enforced with technology and ensure callers are who they say they are before high-risk actions are taken. Leveraging technology to aid in identity verification can further bolster defenses, such as advanced call monitoring systems that flag suspicious activity or secure, encrypted communication channels for help desk interactions. Regular audits of help desk interactions can help identify gaps in identity verification processes, reinforcing training and ensuring compliance with established procedures.
Leadership plays a crucial role in fostering a culture of security within an organization. As with coaching, it's essential for leaders to set priorities. Focusing on cybersecurity and providing the necessary resources and support for robust user authentication processes is critical. This includes investing in technology and training and creating an environment where employees feel empowered to adhere to security protocols, even if it means delaying service to verify identities thoroughly.

As cyber threats continue to evolve, so too must our defenses. The weakest link in security defense is often the human element. By focusing on strengthening identity validation processes for help desk interactions, organizations can significantly reduce their vulnerability to social engineering attacks. It's a proactive step that requires investment and commitment but can ultimately safeguard against the potentially devastating consequences of a security breach.

Implementing hardware tokens or authenticator apps in your MFA strategy can greatly improve your defense for help desk interactions. MFA is the shot-blocker in front of your help desk's goalie: an additional layer of protection keeping the puck out of your own net.

In the matchup against cybercrime, we need to play the right way. Ensuring that help desk employees are well-equipped to validate identities effectively is not just a best practice; it is a critical component of a comprehensive cybersecurity strategy. By addressing this often-overlooked vulnerability, organizations can build a more resilient defense against the ever-present threat of cyberattacks. Applying compliance frameworks to all vectors of attack can help keep your opponent off the scoreboard. Ongoing maintenance of your cybersecurity program is like training for the next season. Even if you win the cup this year, there's no guarantee that you have a dynasty on your hands.
Your opponent is continually coming up with new offensive strategies, so you must ensure your team is always prepared. This maintenance includes technology upgrades, ongoing team training, and playbook reviews. There are no Zamboni drivers to clean up the ice, intermissions, or off-season breaks. Your organization needs to keep moving and training to stay ahead of the bad guys. When your cybersecurity practices are robust and protect the security of your employees, customers, and their data, you will be well on your way to the Cybersecurity Hall of Fame! Just a few thoughts from a hockey fan in cybersecurity. To learn more, book a demo with us today.
- Social Engineering Attacks Targeting IT Help Desks in the Health Sector
The Health Sector Cybersecurity Coordination Center (HC3) within the Department of Health and Human Services (HHS) is at the forefront of healthcare cybersecurity. In April 2024, HC3 published an urgent alert titled "Social Engineering Attacks Targeting IT Help Desks in the Health Sector". The full document can be found here: Help Desk Social Engineering Sector Alert.

The alert outlines examples of some recent, high-profile attacks targeting healthcare IT help desks. Threat actors are employing sophisticated tactics to manipulate help desk agents into providing unauthorized access to corporate resources, posing significant risks to data integrity and organizational security. Amidst these threats, Caller Verify has emerged to bolster security measures. Caller Verify extends Okta Multi-Factor Authentication (MFA) to contact centers and IT help desks for hospitals, providing a robust defense against social engineering attacks. Let's explore how Caller Verify can effectively combat these threats:

Out-of-band Authentication

NIST (the National Institute of Standards and Technology) recommends using out-of-band authentication channels to enhance security during the authentication process. Out-of-band authentication involves verifying a user's identity using a separate communication channel or device from the one being used for the primary transaction or interaction. This approach helps mitigate the risk of attacks, such as man-in-the-middle attacks, by separating authentication data from the main communication channel. These may include methods such as:

  - sending authentication codes via SMS or email
  - sending push notifications to a user's mobile device
  - time-based one-time passcodes (TOTP codes) on a mobile device
  - dedicated hardware tokens

By leveraging out-of-band authentication for caller verification, organizations can enhance the security of their authentication processes and reduce the risk of unauthorized access and fraud.
Modern Identity Verification

Caller Verify modernizes help desk methods for caller authentication. Instead of relying solely on easily compromised security questions or personal information, Caller Verify can utilize more trustworthy out-of-band authentication factors such as TOTP codes and push notifications. Requiring callers to authenticate themselves via phishing-resistant verification factors significantly reduces the likelihood of unauthorized access by malicious actors.

Real-Time Caller Authentication

With Caller Verify, organizations can authenticate callers in real time, ensuring that only authorized individuals gain access to sensitive systems and data. By verifying the authenticity of callers before granting access, organizations can thwart social engineering attempts, even when threat actors possess partial employee information obtained through public sources or previous data breaches.

Unified Verification Experience

Caller Verify offers a unified verification experience across all communication channels, streamlining the authentication process for both callers and help desk staff. Whether callers reach out via phone, email, or chat, Caller Verify ensures consistent and robust identity verification measures are in place, regardless of the communication medium used.

Mitigation of Social Engineering Tactics

The sophisticated social engineering tactics used in recent breaches are blocked in organizations protected by Caller Verify. By requiring out-of-band authentication, Caller Verify adds layers of security that make it significantly harder for threat actors to succeed in their malicious activities.

Proactive Security Measures

Caller Verify empowers organizations to take proactive security measures against evolving social engineering threats.
By providing user awareness training and implementing policies and procedures for enhanced security, organizations can stay ahead of emerging threats and ensure their help desk staff are equipped to identify and thwart social engineering attempts.

In conclusion, Caller Verify emerges as a powerful ally in the fight against social engineering attacks targeting healthcare IT help desks. By fortifying identity verification processes, providing real-time authentication, and offering a unified verification experience, Caller Verify helps organizations mitigate risks and safeguard sensitive data from malicious actors. As organizations continue to prioritize cybersecurity, solutions like Caller Verify play a vital role in enhancing resilience and protecting against evolving threats. To learn more, book a demo with us today.