As the representatives of all things IT, support techs should be teaching end users proper IT practices in everything they do. The best way to teach good security practices is to establish a set of help desk best practices that focus on physical and password security, and then consistently maintain them to help develop a culture of security in your organization.

Physical security
The importance of adequate physical security was recently reaffirmed to me by an incident that happened at a friend’s company. The company is located in a quiet, suburban office park in a nicer part of town. They have key-code locks on all exterior entrances and key locks on the main interior entrance. You would think this would provide adequate security, but one Saturday night, an individual (or more likely a group of individuals) entered the office and stole about 25 laptops.

This is not an uncommon occurrence. In a May 2001 survey of TechRepublic members, the largest number of respondents who had lost computer equipment said the equipment was lost on corporate property.

In the same survey, about 20 percent of the respondents said building security was high on their wish list for 2002 along with asset management and inventory tagging (Figure A).

Figure A: Equipment locks aren’t popular, but they could save a company money.

Mobile computers, such as the laptops stolen from the company above, are probably the most vulnerable pieces of equipment distributed to end users. The analyst firm Gartner estimates the costs associated with a stolen $3,500 laptop to actually be $6,300. That figure includes the estimated costs of procuring and deploying replacements, dealing with police and insurance claims, replacing and recovering data, and lost productivity.

Security measures such as cable locks and asset tags on all equipment contribute subtly to establishing a culture of security in end users. Support pros can emphasize physical security with end users by ensuring that equipment locks are used and by purposely checking asset tags when they make trips to end users’ desks.

Support pros can also encourage end users to guard their laptops by explaining security issues before users take their laptops on the road. Ensure all the proper software is installed and review security tips with traveling users. To help you with this task, check out our download “Sample FAQ PowerPoint for traveling laptop users.”

It’s also a good idea to have end users tape business cards to their machines. Check out the article “Teach users these five laptop security musts” for more ideas about laptop security.

Press those positive password policies
As a support tech, you’ve probably heard plenty of password horror stories—passwords taped to monitors or freely shared among users. TechRepublic columnist Jeff Dray once worked for a major United Kingdom telecommunications company where he saw user IDs and passwords posted on a dry-erase board in a company office, where they “were clearly visible from the pub across the road.”

While that’s an extreme example of poor password protection, it isn’t uncommon for end users to tell support techs their passwords during a visit. In another article, columnist Jeff Davis offered three points of advice that ring true for support techs:

  • If the user has left you his or her password on a note stuck to the monitor, the password needs to be changed.
  • If a user dictates the password aloud for you, the password must be changed before you leave.
  • If your service call requires you to change the user’s password, make sure the user changes the password again before (or immediately after) you leave. That way, you can always credibly say, “I don’t know what that user’s password is,” and you can never be accused of misusing someone else’s access.

Davis also recommends that you make sure that end users know how to change passwords so that they can change them if needed before the network administrator forces a change.

Help desk security best practices
Follow these tips for establishing security best practices:

  • Secure mobile equipment with cable locks both in and away from the office.
  • Place asset tags in obvious places on equipment to subtly remind end users, visitors, and would-be thieves that all equipment is tagged and tracked.
  • Have traveling users tape their business cards to their laptops.
  • Instruct users not to post their password in a visible location.
  • Inform users not to share their passwords with anyone, even the IT support staff.
  • If an end user tells a support pro his or her password, require the user to change it at the end of the support call.
  • If the support tech must change an end user’s password, require the user to change the password again before the support tech leaves the site.

How do you encourage security?

Does your organization have a set of best practices that encourage security? What are they? What do you do to encourage end-user security practices during help desk calls or desktop visits? Share your ideas in the discussion below.