
In today’s threat landscape, security incidents are rarely the result of dramatic technical exploits. Increasingly, they begin with something far simpler: a helpdesk password reset.
We want to explain why our password reset procedures are deliberately rigorous and why that caution is essential to protecting your organisation.
The Real Risk: Social Engineering, Not System Failure
Over the past several years, a significant number of breaches affecting organisations and Managed Service Providers (MSPs) have originated from service desk interactions.
Attackers are no longer focused solely on finding technical vulnerabilities. Instead, they target people.
Through social engineering, threat actors contact helpdesks while impersonating legitimate users and attempt to persuade technicians to reset credentials without sufficient verification. In many widely reported incidents, attackers have successfully gained access by:
- Impersonating employees over the phone (VERY easy with free AI tools)
- Spoofing email addresses to submit password reset requests
- Using publicly available information to “verify” their identity
- Targeting privileged or administrative accounts to maximise impact
Once access is obtained, the damage can escalate quickly. This includes privilege escalation, data exfiltration, lateral movement across systems, identity theft or ransomware deployment.
Our Responsibility as Your MSP
As a Managed Service Provider, we maintain privileged access to your systems. That access is necessary to support and manage your environment, but it also carries significant responsibility.
A compromised helpdesk interaction can become a gateway to your entire infrastructure.
For that reason, we no longer treat a password reset as “routine”.
Even when additional steps introduce slight delays, our obligation is to ensure that credentials are never reset without robust and defensible verification.
What Our Password Reset Process Requires
To protect your organisation, our process includes:
- A formally logged support ticket before verification begins – this can be via email, phone or any of the usual methods.
- Verified call-backs using stored and pre-validated contact details
- Mandatory multi-factor authentication (MFA) enforcement
- Additional approval checks for privileged or administrative accounts
- Full documentation of the verification and authorisation process for our team
- A commitment that we NEVER store client passwords; we also advise that any password set during a reset is changed by the user immediately.
These controls are not optional, and they are not bypassed for convenience.
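As an added example (not part of this post), the checks below apply the controls listed above to logged reset records, so that any reset which skipped a step surfaces for review. The record fields and sample data are constructed assumptions for the example, not our ticketing system's schema.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed record of one helpdesk reset; field names are assumptions for
# this example, not the schema of any real ticketing system.
@dataclass
class ResetRecord:
    ticket_id: Optional[str]            # formally logged ticket, None if absent
    ticket_opened: Optional[datetime]   # when the ticket was logged
    verification_started: datetime      # when the technician began verifying
    callback_number: str                # number the technician actually called
    stored_number: str                  # pre-validated number held on file
    mfa_enforced: bool                  # MFA confirmed on the account
    privileged: bool                    # admin / privileged account
    privileged_approval: Optional[str]  # second approver for privileged resets
    documented: bool                    # verification steps written up

def audit_reset(r: ResetRecord) -> List[str]:
    """Return every control from the reset policy that this record fails."""
    findings: List[str] = []
    if not r.ticket_id:
        findings.append("no logged ticket")
    elif r.ticket_opened is None or r.ticket_opened > r.verification_started:
        findings.append("verification began before the ticket was logged")
    if r.callback_number != r.stored_number:
        findings.append("call-back did not use pre-validated contact details")
    if not r.mfa_enforced:
        findings.append("MFA not enforced")
    if r.privileged and not r.privileged_approval:
        findings.append("privileged reset without additional approval")
    if not r.documented:
        findings.append("verification not documented")
    return findings

def audit_log(records: List[ResetRecord]) -> List[Tuple[str, List[str]]]:
    """Report only the non-compliant resets from a batch."""
    return [(r.ticket_id or "<no ticket>", f)
            for r in records if (f := audit_reset(r))]

# Constructed sample: a compliant reset, a privileged reset with a mismatched
# call-back number and no approver, a reset with no ticket at all, and a reset
# whose ticket was only logged after verification had already started.
def at(h, m): return datetime(2024, 1, 15, h, m)  # constructed timestamps
SAMPLE = [
    ResetRecord("T-1001", at(9, 0), at(9, 5), "+44 20 7946 0000", "+44 20 7946 0000", True, False, None, True),
    ResetRecord("T-1002", at(10, 0), at(10, 10), "+44 20 7946 0001", "+44 20 7946 0000", True, True, None, True),
    ResetRecord(None, None, at(11, 0), "+44 20 7946 0002", "+44 20 7946 0002", False, False, None, False),
    ResetRecord("T-1004", at(12, 30), at(12, 0), "+44 20 7946 0003", "+44 20 7946 0003", True, False, None, True),
]
```

Running `audit_log(SAMPLE)` reports the three non-compliant records with the specific control each one missed, which is the evidence a reviewer needs to follow up with the technician involved.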
Why This Matters
A single improperly verified password reset can lead to:
- Account compromise
- Data breach
- Business disruption
- Regulatory exposure
- Reputational damage
The strictness of our process is proportional to the level of risk.
While the procedure may occasionally feel cautious, it exists to protect your organisation from exactly the types of incidents currently affecting businesses across all sectors. News of several recent high-profile compromises demonstrates how real and current this threat is.
Security Is a Shared Responsibility
Strong processes are only effective when supported by accurate information and user awareness.
We ask that you:
- Ensure user contact details remain accurate within our systems
- Communicate to your staff that verification steps are mandatory
- Support a security-first culture when interacting with service desks
Security controls are most effective when both provider and client operate with aligned expectations.