Lack of security training among help-desk staff is handing passwords on a platter to info-thieves, according to Malcolm Fry, an IT service management expert and help-desk consultant with 30 years' experience in the field.
Fry said most help desks are trained to hand out passwords to absent-minded users, not spot callers who intend to abuse the system. "With all those passwords being reset at help desks all over the world, the odds are there are criminals who are getting great service."
Fry suggested help-desk staff should be versed in verbal strategies similar to the smuggler-identification techniques taught to customs officials.
Rather than criticise help desks for the situation, Fry pointed the finger of blame at corporate auditors. They should recognise the security hole and plug it by improving either their organisation's software or their processes.
"I'm saying if you're going to authorise help-desk people to issue what is highly confidential information in the form of passwords, the help desk should have training in the kinds of questions that help determine the authenticity of the caller.
"In my experience, in the vast majority of cases, they are trained in the software but not how to ask questions that check out if the caller is genuine."
The problem was one of several deep-seated issues that are slipping unrecognised through the reassuring net of statistics generated by help desks, Fry said. He flagged the lack of attention given to analysing and addressing the root causes of problems that crop up with monotonous regularity on help-desk screens.
"The biggest single weakness in IT is the lack of root-cause analysis and poor asset management. If I know how to fix something, I should take the next step and stop it from happening again."
What help desks offer are "dozens and dozens of work-arounds", which may not fix the root cause of a problem. But they see the user's phone call as the problem and consider it solved when the call is dealt with.
In reality, the underlying difficulty might generate another 50 calls that day and, from the organisation's point of view, is far from being solved, Fry said.
The situation is further blurred by help-desk statistics, which tend to focus on performance figures such as numbers of calls answered rather than the quality of the solutions offered, he said.
Fry was commenting during an Asia-Pacific tour to brief business executives on how to achieve strategic advantage through infrastructure management. The seminars were sponsored by the Macquarie Graduate School of Management and global software company Peregrine Systems.
Fry also criticised help-desk statistics for failing to come to grips with some of the core productivity issues. "It's something nobody talks about but every help-desk call represents two people who are tied up not doing productive work for the company -- the help-desk staffer and the employee who is calling.
"There are estimated to be at least 200,000 people on help desks in the US alone so at any one time that is 400,000 people [on each end of the call] who are not productively engaged for their organisations.
"People look at help-desk statistics but the real cost is the person at the other end who isn't working, and probably wasn't working for five minutes before he even called the help desk while he tried to solve it himself."