Incident Response: The Critical Role of the Help Desk



End users are considered the first line of defense against cybersecurity attacks. This is why it is so critical for organizations to invest in ongoing training for staff to ensure they understand how to identify potential risks and report any suspected incidents to the appropriate teams as soon as possible. But, with so much focus given to training and reminding employees to report, report, report, have you potentially overlooked the next step? What process is followed when that initial report is made to your designated help desk regarding a suspicious incident or potential compromise?

Help desk and service desk personnel provide much more than just basic troubleshooting and technical support. They are the primary connection between organizational staff and the IT/Security teams and, because of this, they have a unique insight into what is happening across the entire user community. Their ability to connect and support end users and understand how to respond appropriately when a report is assigned to them is critical. With appropriate training, they can also make a significant impact in the prevention or early identification of security breaches.

Information Gathering/Diagnosing the Issue

End users call in with all types of technical issues: account lockouts, strange pop-up messages, slow machines, corrupted or missing files, etc. When an incident report is made, help desk personnel need to be able to quickly understand what is happening and begin identifying, isolating, and diagnosing the issue. It is important for help desk staff to have detailed guidance regarding what information needs to be gathered from a user during that initial report, as well as instructions on whether and how employees should continue working. Below are some questions that should be asked:

  • What is the user’s ID number, contact information, equipment number, etc.?
  • When (date/time) was the issue first noticed?
  • What are the circumstances (text of error messages, pop-ups, inability to access files, etc.)?
  • Can the user provide screenshots of any notifications?
  • What types of data are involved (e.g. payment card data, personally identifiable information, protected health information, student records, research data, etc.)?
  • What steps or actions has the user taken since noticing the issue (e.g. did they re-start their system, change their password, try logging in to other applications, etc.)?

With the shift to remote working due to the COVID-19 pandemic, questions may now also include:

  • Is the employee using a personal or organizational device?
  • Is the employee onsite or working remotely from another location?
  • Is or was the employee logged into the VPN?
  • If the employee is working remotely, are they capable of bringing the device into the office for analysis?

During the information gathering phase, it is also important that help desk staff are trained to question and instruct users in a way that reinforces good cybersecurity best practices. For example, the help desk should never ask a user for their personal password to a system or application.


Immediate recommendations made by help desk staff can have a significant impact. An initial reaction from the support team when a user device appears to be infected with malware might be to shut the device down. However, in the event of malware or a ransomware attack, it is actually important not to unplug the machine or turn it off, but rather to discontinue use immediately and disconnect the workstation from the network to limit exposure. Unplugging or powering off a workstation can destroy volatile evidence (such as memory contents) that may be valuable during the forensic investigation. Common scripts and references can be developed for the help desk to more quickly identify a high-risk or high-impact incident and the steps that should be taken in response. The impact of these attacks can be limited by help desk staff informing users how to react correctly and quickly when they are targeted.

Help desk staff should receive training on how to identify possible patterns if they receive multiple calls with the same or similar issue, so those reports can be tagged and assigned appropriately. For example, if there are an increased number of workstations running slowly, or the same application is crashing for multiple users, this can be the first sign of a wider network issue or attack.

Escalating to Appropriate Teams

Once as much relevant information as possible has been gathered in the initial incident report, the help desk staff will determine if and where the support ticket should be directed next. The help desk team are the front line, so they need to be able to quickly evaluate incident reports and escalate to the appropriate teams, especially when there is the potential for a high-risk situation. The faster you can identify a potential malware attack within your organization, the less impact it can have.

Help desk tickets should always be assigned by priority. For example, suppose the help desk receives a call from an end user stating that they received a ransomware message on their device and, during the initial information gathering, two issues are discovered: a failing battery on the laptop and several file shares that have been encrypted. Clearly the encrypted file share issue should be addressed as high priority, and the other ticket regarding the battery can be lower priority. If the incident involves a possible compromise of sensitive data (e.g. PHI, payment card data, etc.), again this should immediately be flagged as high priority. Letting users know how their ticket is being prioritized can also help set user expectations for when their particular issue will be resolved and when they will be updated.
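The pattern check from the "Information Gathering" section and the prioritization rules just described, combined into one small triage helper. This is an added example, not the article's or CampusGuard's own tooling; the ticket fields, the queue names, and the threshold of three similar tickets are assumptions, and the intake tickets are constructed.

```python
# Added example: ticket triage for a help desk intake queue.
# Rules follow the article: security indicators or sensitive data => high priority,
# escalate to the security team; a symptom repeated across several users is
# flagged for review as a possible sign of a wider issue (threshold is assumed).
from collections import Counter
from dataclasses import dataclass, field

SENSITIVE_DATA = {"payment card", "PII", "PHI", "student records", "research data"}
SECURITY_INDICATORS = {"ransomware message", "encrypted file share", "suspicious pop-up"}
PATTERN_THRESHOLD = 3  # assumed: 3+ tickets with one symptom in a shift


@dataclass
class Ticket:
    ticket_id: str
    symptom: str                         # normalized symptom label from intake
    data_types: set = field(default_factory=set)   # data involved, per intake


def priority(t: Ticket) -> str:
    """High if the symptom is a security indicator or sensitive data is involved."""
    if t.symptom in SECURITY_INDICATORS or t.data_types & SENSITIVE_DATA:
        return "high"
    return "low"


def detect_patterns(tickets, threshold=PATTERN_THRESHOLD):
    """Symptoms reported by at least `threshold` tickets (possible wider issue)."""
    counts = Counter(t.symptom for t in tickets)
    return {s for s, n in counts.items() if n >= threshold}


def triage(tickets, threshold=PATTERN_THRESHOLD):
    """Return {ticket_id: (priority, queue)} for the whole intake batch."""
    patterns = detect_patterns(tickets, threshold)
    result = {}
    for t in tickets:
        p = priority(t)
        if p == "high":
            queue = "security-team"            # escalate immediately
        elif t.symptom in patterns:
            p, queue = "medium", "pattern-review"   # assumed review queue
        else:
            queue = "help-desk"                # routine support
        result[t.ticket_id] = (p, queue)
    return result


# Constructed intake batch: the article's caller split into two tickets (T1, T2),
# three users with slow machines (T3-T5), and one user who cannot open PHI (T6).
SAMPLE_TICKETS = [
    Ticket("T1", "failing battery"),
    Ticket("T2", "encrypted file share"),
    Ticket("T3", "slow machine"), Ticket("T4", "slow machine"), Ticket("T5", "slow machine"),
    Ticket("T6", "cannot open file", {"PHI"}),
]

if __name__ == "__main__":
    for tid, (p, q) in triage(SAMPLE_TICKETS).items():
        print(tid, p, q)
```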

If help desk personnel are not identifying and prioritizing issues appropriately, they may inadvertently spend time trying to resolve a user issue they are not qualified to handle, or improperly escalate a security incident, thereby increasing the time and cost associated with it. Ensure that all support teams have a copy of the latest Incident Response Plan and specific guidance so they know when to escalate tickets and to whom. Consider including members of the help desk team in your next tabletop exercise so they can practice their role.

Depending on the situation, the potential for a repeat, or the expected impact on other users, closing the loop on security incidents with your help desk team promotes continued learning and streamlines future incident responses. Once an incident has been contained or escalated to another team, review what happened and look for areas of potential improvement, provide template language to refer to if similar reports come in, and define the proper assignment of these tickets to ensure they are addressed quickly. Proactive incident management is another way to ensure your help desk is responding as accurately and efficiently as possible. For example, if a system or application has a planned update, it can be beneficial to alert the help desk in advance so they are aware and can be prepared for any user issues that come into their area.

Help desk personnel have a very important role in helping to protect organizational information and prevent costly data breaches. Doing all we can to ensure they are trained properly and have the tools to properly execute their responsibilities is the best way that we can support them – and protect our organization.

Did you know that help desks can also be a major entry point for attackers through social engineering?

Please reach out to us if you would like any support.

Some additional guidance from the Security Advisor team:

[Hobby]: The help desk is usually the first point of contact for users. If someone needs help connecting to the network or installing an application, or just wants to report that something is “not working,” they usually call the help desk. Your help desk is probably in the best position of any team in your organization to know what’s happening on your network and notice any trends.

At this point we’ve probably all deployed any number of cybersecurity protections like antivirus solutions and firewalls, but with 450,000 new potential instances of malware being registered EACH DAY (AV-TEST), it’s really a question of “when” not “if” your organization is going to be impacted. When that time comes, it’s very likely your help desk will be the main point of contact with your users.

So, you know that at some point you will need to respond to an incident, and you know your help desk will be a critical part of that response. Start planning and training now, and include the help desk in your preparations. A prepared help desk can often recognize and respond quickly to threats that baffle even the most advanced security tools, and will play a crucial role in leading your users through any response.


About the Author
Katie Johnson

Manager, Operations Support

As the manager of Operations Support, Katie leads the team responsible for supporting and delivering CampusGuard services including online training, vulnerability scanning, and the CampusGuard Central® portal. With over 15 years of experience in information security awareness training, Katie is also the Product Lead for CampusGuard’s online training services. As a Senior Customer Relationship Manager for a limited number of customers, Katie assists organizations with their information security and compliance programs and is responsible for coordinating the various teams involved.