
Service Desks: The Front Door You Might Not Be Watching?

By Sean Tickle

Let’s start with an uncomfortable truth: most organisations treat their help desk as a utility, not a security function. It’s the place people call when they need day-to-day IT help – not really the “glamorous” frontline of cyber defence. 

However, that quiet, polite voice on the end of the phone often holds the keys to your entire digital estate. And let me tell you, when those keys are handed over too easily, the results can be catastrophic.

Don’t forget, every breach has a human moment; it’s the instant someone says “yes” when they should have said “no”.

Just ask Marks & Spencer… Earlier this year, the retailer’s systems were compromised after attackers reportedly exploited weaknesses in a third-party support provider. Analysts suspect the Scattered Spider group (known for social engineering and deepfake impersonations) managed to manipulate help desk processes to gain access. The fallout was enormous: operational disruption, sensitive data exposure, and market losses running into the hundreds of millions (recent reports indicate M&S’s profits are down by 99%).

The story may have faded from headlines, but there are always new ones to take its place (case in point: Jaguar Land Rover), and the lessons remain. The weakest link in most cyber strategies is still the human one – and help desks / service desks are among the most exposed.

The invisible frontline

Service desks are often left out of boardroom cyber discussions. Security budgets go towards new detection & response technologies, DLP solutions, automation/AI tools and quantum encryption for all! (OK, kidding on that last point). Meanwhile, though, the people trusted to verify identities, reset credentials, and manage MFA are often left operating on outdated procedures, minimal training, and basic tools. Scary stuff!

It’s an easy oversight to make. After all, help desks exist to help, i.e., to solve user problems quickly and keep business flowing. It’s this helpful instinct that attackers prey on, however. They know how to sound convincing, urgent – even familiar. They research internal structures, mimic email signatures, spoof phone numbers, and now, increasingly, use deepfake audio to impersonate staff.

When a well-meaning agent hears what sounds like a senior colleague begging to “urgently reset MFA access” to meet a deadline, the instinct is to oblige.
Of course, in that moment of trust, your defences can crumble.

MFA is only as strong as its weakest voice

Multi-factor authentication is one of the strongest controls we have, but it is not infallible, and there are tools out there that can effectively bypass such authentication. This is why putting conditional access policies on the front end of the authentication process is so important in today’s threat landscape.

Additionally, attackers know they don’t have to go up against these security controls if they can simply persuade a help desk agent to disable or override them. This is how the “locked-out employee” ploy has become one of the most effective ways to sneak past otherwise watertight defences.

The problem isn’t limited to MFA, either. Many service desks still verify users based on data that’s easily stolen or guessed (think email addresses, job titles, or phone numbers found in old breach dumps or even on LinkedIn).
Without standardised verification protocols, one shift might demand an employee ID and a secondary code, while another might wave through access on the strength of a name and department.

Make no mistake: that inconsistency is pure gold for attackers.

When support becomes a security risk

The M&S case shows just how far-reaching the consequences of service desks sitting outside formal security governance can be. You see, once the attackers gained initial access, sources suggest they escalated privileges, exfiltrated data, and reportedly deployed ransomware. What began as a routine request soon escalated into full system compromise.

For me, the real tragedy here is how predictable this pattern has become. Similar attacks have hit retailers, telcos, and government agencies – often through outsourced service desks.

These are organisations that spend a fortune on prevention technologies, but when the people handling authentication aren’t trained, empowered, and integrated with the security team, those investments can be undone by one well-crafted phone call.

As an attacker, why bother with sophisticated zero-days when you can simply ask for access?! In short: the human layer has become the easiest exploit.

Shoring up the gate

So, what can leaders do differently to help mitigate this risk?

The answer – inevitably – isn’t more fear mongering, but more discipline and structure.

Service desks need to operate with the same rigour as any other security-sensitive function. This means:

  • Identity verification must be multilayered and unique: No single piece of information should be enough to confirm who someone is.
  • No MFA override should happen without a second pair of eyes: Manager approval or peer verification adds vital friction.
  • Access should be truly least-privilege: Help desk staff shouldn’t hold blanket admin rights, only what they need, when they need it.
  • Every action must leave a trail: Logging and auditing aren’t about blame; they’re about accountability and visibility.
  • Training can’t be a once-a-year webinar: Simulated social engineering exercises are the best way to test and reinforce awareness.

This isn’t bureaucracy for its own sake. It’s operational hygiene; the digital equivalent of washing your hands before surgery.

Where service desks fit in the cyber kill chain

If you map a modern attack, the help/service desk often appears in the middle of the sequence. First, the attacker gathers intelligence: names, job titles, schedules. Then comes weaponisation – spoofed emails or calls designed to sound familiar. Delivery is that ‘convincing’ help-desk interaction we’ve already mentioned, the point where deception meets process.

Once trust is exploited and a password reset or MFA disablement is granted, the attacker has a valid credential, practically a golden key. From there, privilege escalation and data theft are only a few clicks away. By the time your SOC detects suspicious activity, the damage is already done: the attacker has walked straight through a door opened in good faith.

For executives and boards, mitigating this risk is all about reframing the service desk as part of the security perimeter.

If your service provider runs the desk, they should be held to the same standards as your internal security teams (I know ours is here at Littlefish).

Ask your service desk the uncomfortable questions:

  • How are identities verified?
  • How often are staff tested against real-world attack scenarios?
  • Are suspicious calls logged, escalated, and analysed?
  • Do service desk engineers have the authority (and the confidence) to say no to a senior-sounding voice?

Your cyber resilience really depends on those answers.

Rethinking the “service” in service desk

In truth, the help desk has evolved. It’s no longer just a convenience layer for users; it’s a critical control point for identity, access, and response.

The most mature organisations are integrating their service desks directly with threat intelligence feeds and SOC workflows, turning them from reactive support into active defence.
That shift requires investment, process maturity, and above all, respect. The people who answer those “I’m locked out” calls are the first and often the last line of defence between your business and the next headline-grabbing breach.
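One way to turn the controls listed under “Shoring up the gate” and the SOC integration described here into an automated review of the service desk audit trail. This is an added illustration, not Littlefish’s own tooling or process; the ticket records, field names and the split between “strong” and “public” verification evidence are constructed assumptions.

```python
from datetime import datetime, timedelta
from itertools import groupby

# Verification evidence grouped by how hard it is for an impersonator to obtain.
# Email, job title, phone number and department are treated as public knowledge
# (breach dumps, LinkedIn), so they never count towards multilayered verification.
STRONG = {"callback_registered_number", "manager_confirmation",
          "one_time_code_to_device", "id_check_video"}
PUBLIC = {"email", "job_title", "phone_number", "department"}

# Constructed help-desk audit records (assumed schema, not a real ticketing export).
TICKETS = [
    {"id": 101, "user": "j.smith", "action": "mfa_reset", "agent": "a1", "approver": "m7",
     "verified_by": ["callback_registered_number", "manager_confirmation"], "time": "2025-06-02T09:15"},
    {"id": 102, "user": "k.lee", "action": "mfa_reset", "agent": "a2", "approver": None,
     "verified_by": ["email", "job_title"], "time": "2025-06-02T18:40"},
    {"id": 103, "user": "k.lee", "action": "password_reset", "agent": "a2", "approver": None,
     "verified_by": ["phone_number", "one_time_code_to_device"], "time": "2025-06-02T18:52"},
    {"id": 104, "user": "p.jones", "action": "password_reset", "agent": "a3", "approver": None,
     "verified_by": ["one_time_code_to_device", "callback_registered_number"], "time": "2025-06-03T10:05"},
]

def review_ticket(t):
    """Per-ticket controls: at least two strong verification layers, no reliance on
    public data, and an independent second approver for any MFA override."""
    findings = []
    if sum(m in STRONG for m in t["verified_by"]) < 2:
        findings.append("verification not multilayered")
    if any(m in PUBLIC for m in t["verified_by"]):
        findings.append("relied on publicly discoverable data")
    if t["action"] == "mfa_reset" and t["approver"] in (None, t["agent"]):
        findings.append("mfa override without independent approver")
    return findings

def review_log(tickets, window=timedelta(hours=1)):
    """Return {ticket_id: [findings]}. Also flags repeated credential actions against
    one user inside `window`, the kind of pattern a SOC workflow should be fed."""
    report = {t["id"]: review_ticket(t) for t in tickets}
    ordered = sorted(tickets, key=lambda t: (t["user"], t["time"]))
    for _, group in groupby(ordered, key=lambda t: t["user"]):
        group = list(group)
        for prev, cur in zip(group, group[1:]):
            gap = datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])
            if gap <= window:
                report[cur["id"]].append("repeated credential action within %s" % window)
    return report

def escalations(tickets):
    """Ticket ids with at least one finding, i.e. what gets handed to the SOC."""
    return sorted(tid for tid, f in review_log(tickets).items() if f)

if __name__ == "__main__":
    for tid, f in review_log(TICKETS).items():
        print(tid, f or "clean")
```

Ticket 102 trips all three per-ticket controls (the “locked-out employee” ploy verified on public data with no second pair of eyes), and 103 is additionally flagged because the same account saw a second credential action twelve minutes later.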

If you still think the help desk is peripheral to security, know this: you’re already behind the curve. The gatekeepers are your new guardians, and they should be treated that way.

Please do get in touch to find out more about our secure-by-design service desk and our expert, proactive cyber security services.
