The password reset request is probably one of the most common tickets your Service Desk receives and yet end-users probably don't give a second thought to the accumulated costs involved.
End users may not be the only ones giving the password reset process little thought. Do you know what it is costing your business? Does your Finance Director know?
Designing a password reset process that is secure enough for your organisation but not overly complex can be tricky. A password reset request can seem an insignificant task to most users. In reality, password resets cost organisations time, energy and money while also presenting potential security risks. The most common reason for a password reset is a forgotten password. Each reset task takes up IT Service Desk support resources whilst the user is left locked out and unproductive.
A US-based survey found that $420 per employee, per year is lost to password management. In the same survey, almost 40% of the users reported having more than 50 password resets in a single year. That is a lot of lost time, money, productivity and end-user satisfaction.
In addition, there is the risk of security breaches as a consequence of poor password reset processes and management. Failing to properly verify a password reset can lead to fatal cyberattacks. Data security has become big headline news far too often. Not only do such breaches present a PR tsunami, but they also carry significant penalties for organisations that have failed to protect the data of EU citizens under the GDPR.
So, given the importance of what might seem like a simple request to the end user but is a potential security and financial black hole for those in the know, what can be done to improve your password reset process?
What is more difficult than remembering a 16-character password with a mix of uppercase and lowercase letters, numbers and special characters? Remembering 20 of them! Workplace users have to remember all of their personal logins as well as their professional account passwords. If you help users minimise the number of passwords they need to remember, you will undoubtedly help reduce password reset requests going forwards. Linking application passwords to Active Directory should result in a demonstrable drop in password resets.
Having a good password process and reset tools is a good start, but many users are tempted to pick up the phone and have their password reset immediately. Just as a good self-service password reset tool would have, your Service Desk needs a verification protocol that can be employed on phone reset request tickets.
This consists of security questions that have been pre-set when a user joins, so that Service Desk staff can ask a series of questions without learning the full answer to the security question itself. For example, a user might have chosen to answer the question ‘What was your grandfather’s occupation?’. The Service Desk analyst can ask for the first and 4th character in the answer, key them in and get the verification they need in order to move ahead with the reset.
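One way the partial-answer check described above could be built so that neither the analyst nor the database holds the full answer. This is an added example, not code from the article or from any particular Service Desk product; the function names, the lockout threshold, the minimum answer length and the server-held key are all assumptions.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 3  # assumed lockout threshold, not taken from the article


def _normalise(answer: str) -> str:
    # Assumption: case and whitespace are ignored when counting characters.
    return "".join(answer.lower().split())


def _tag(key: bytes, salt: bytes, index: int, char: str) -> bytes:
    # Keyed tag per position; an unkeyed per-character hash would be guessable.
    msg = salt + index.to_bytes(2, "big") + char.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).digest()


def enrol(key: bytes, answer: str) -> dict:
    """Build the stored record at joining time; the plaintext is not kept."""
    text = _normalise(answer)
    if len(text) < 6:
        raise ValueError("answer too short for partial challenges")
    salt = secrets.token_bytes(16)
    tags = [_tag(key, salt, i, c) for i, c in enumerate(text)]
    return {"salt": salt, "tags": tags, "failures": 0}


def new_challenge(record: dict, count: int = 2) -> list:
    """Choose the 1-based character positions the analyst will ask for."""
    rng = secrets.SystemRandom()
    return sorted(rng.sample(range(1, len(record["tags"]) + 1), count))


def verify(key: bytes, record: dict, positions: list, chars: list) -> bool:
    """Check the characters the caller gave; lock after repeated failures."""
    if record["failures"] >= MAX_FAILURES:
        return False
    ok = len(positions) == len(chars) and len(positions) > 0
    for pos, char in zip(positions, chars):
        if not 1 <= pos <= len(record["tags"]):
            ok = False
            continue
        got = _tag(key, record["salt"], pos - 1, char.lower())
        ok = hmac.compare_digest(record["tags"][pos - 1], got) and ok
    record["failures"] = 0 if ok else record["failures"] + 1
    return ok
```

The key passed to these functions is meant to live outside the record store, so a copy of the stored records alone does not allow the characters to be recovered by guessing.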
Self-service tools can be time and cost savers, but only if they actually get used. Self-service adoption is often overestimated in many areas of IT support and uptake can be underwhelming, if not handled carefully. Unless you employ auto-enrolment (for example by a popup wizard that asks for security question data before a user can access the network), then you will have very low numbers utilising the self-service option. Even with the enrolment in place, you will find that many users still prefer to simply pick up the phone and have a human reset their password for them.
I hope these tips help you and your business going forward in finding what best suits your organisation. All businesses can benefit from a password reset process review on a regular basis to ensure that time, resources and money are maximised and risks minimised.