
The new frontline: strengthening identity verification in regulated industries

When service desk checks fail — and how to fix them

Imagine this:

You’ve invested in the latest security stack. Next-gen firewalls, cloud-native threat detection, the works. You’ve tightened your access controls, trained your teams and passed every audit.

Then, with a single phone call, an attacker walks straight through your defences.

This isn’t hypothetical. For retail, insurance, finance and healthcare, it’s become the most common breach scenario. A motivated criminal gathers just enough personal details — job titles, phone numbers, reporting lines — to sound credible. They phone your service desk, claim they’ve been locked out and convince someone to reset their password or issue a fresh MFA token. In fifteen minutes, they’re inside.

No exploits. No malware. Just persuasion.

It’s uncomfortable to admit that the weakest point in your environment might be a polite helpdesk analyst trying to assist a ‘colleague’. But that’s exactly why this tactic is so effective.

The changing face of verification

Traditional service desk verification was built for simpler times. You asked a few security questions, cross-checked a record or two and called it good enough.

But today, the stakes are higher. An attacker who gains access to a single retail user account can divert payments or compromise thousands of customer records. In insurance, the same tactic can expose sensitive claims data. For a bank or healthcare provider, it can be catastrophic.

And yet, in many organisations, service desk verification hasn’t evolved to match the sophistication of the threat.

Move beyond the compliance checkbox

It’s tempting to view verification as a compliance checkbox — something you document for regulators, roll out some training for and assume will hold up under pressure.

But the reality is that compliance and resilience aren’t the same. Compliance is about proving you have a process. Resilience is about ensuring that process still works when an attacker is deliberately trying to break it.

A knowledge-based question such as “What’s your employee number?” sounds secure until you remember how many phishing emails and LinkedIn profiles make that information trivially accessible.

It’s time to accept that a one-size-fits-all verification won’t cut it anymore.

Adopt an adaptive verification model

What’s needed is an approach that adapts verification to the risk and context of each interaction.

If a retail store associate needs to reset a password for a stock system, perhaps self-service MFA is enough. But if a finance team member is resetting credentials linked to payment workflows, you need to raise the bar — hardware tokens, conditional access policies or supervised verification calls.

This doesn’t mean making life harder for everyone. It means applying more friction where the stakes demand it, and offering simpler, faster options where the risk is lower. The same principle applies to fallback methods. A robust self-service password reset process can cover 80% of scenarios. But for the remaining 20% — the lost devices, the forgotten tokens — you need secure, auditable alternatives.

Callback verification, dedicated verification platforms, or voice biometrics aren’t optional extras. They’re your safety net.
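The tiering described in this section, written out as a small policy engine so the rules can be reviewed and audited rather than left to an analyst's judgement under pressure. This is an added illustration, not Softcat's tooling or any vendor's API: the role names, system names, tier names and evidence labels are all constructed for the example, and a real deployment would source sensitivity lists from its identity provider or CMDB.

```python
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    """Verification tiers ordered by friction (hypothetical names)."""
    SELF_SERVICE_MFA = 1      # proof of possession of an already-enrolled factor
    HARDWARE_KEY = 2          # hardware token / FIDO2 key presence required
    SUPERVISED_CALLBACK = 3   # call back on the number of record plus a second approver


@dataclass(frozen=True)
class ResetRequest:
    requester_role: str        # constructed labels, e.g. "store_associate", "finance"
    target_system: str         # constructed labels, e.g. "stock", "payments"
    has_enrolled_factor: bool  # False when the device is lost or the token forgotten


# Constructed sensitivity lists (assumption: these would come from the IdP/CMDB).
HIGH_RISK_SYSTEMS = {"payments", "payroll", "claims", "patient_records"}
PRIVILEGED_ROLES = {"finance", "treasury", "admin"}

# Evidence labels the desk can record. Knowledge-based answers ("kba") are
# deliberately absent from every satisfying set: they never clear a tier.
SATISFIES = {
    Tier.SELF_SERVICE_MFA: {"enrolled_mfa_ok", "hardware_key_ok"},
    Tier.HARDWARE_KEY: {"hardware_key_ok"},
}
CALLBACK_PAIR = {"callback_on_record_ok", "manager_approval"}


@dataclass
class Decision:
    allowed: bool
    required: Tier
    reasons: list


AUDIT_LOG: list = []   # every decision is appended; in production this feeds the SIEM


def required_tier(req: ResetRequest) -> Tier:
    """Map the request's context to the minimum verification tier."""
    tier = Tier.SELF_SERVICE_MFA
    if req.target_system in HIGH_RISK_SYSTEMS or req.requester_role in PRIVILEGED_ROLES:
        tier = Tier.HARDWARE_KEY
    if not req.has_enrolled_factor:
        # Fallback path: no enrolled factor can be proven, so the auditable,
        # human-supervised route is the only acceptable alternative.
        tier = Tier.SUPERVISED_CALLBACK
    return tier


def evaluate(req: ResetRequest, evidence: set) -> Decision:
    """Decide whether the presented evidence clears the required tier."""
    required = required_tier(req)
    reasons = []
    if "kba" in evidence:
        reasons.append("knowledge-based answers ignored: not accepted as evidence")
    if required == Tier.SUPERVISED_CALLBACK:
        ok = CALLBACK_PAIR <= evidence
        if not ok:
            reasons.append("supervised callback needs callback on number of record AND manager approval")
    else:
        ok = bool(SATISFIES[required] & evidence)
        if not ok:
            reasons.append(f"{required.name} not satisfied by {sorted(evidence)}")
    decision = Decision(ok, required, reasons)
    AUDIT_LOG.append({"request": req, "evidence": sorted(evidence), "decision": decision})
    return decision


if __name__ == "__main__":
    # Constructed scenarios mirroring the text: low-risk self-service, payment
    # workflow credentials, a lost device, and a caller offering only KBA answers.
    scenarios = [
        (ResetRequest("store_associate", "stock", True), {"enrolled_mfa_ok"}),
        (ResetRequest("finance", "payments", True), {"enrolled_mfa_ok"}),
        (ResetRequest("finance", "payments", True), {"hardware_key_ok"}),
        (ResetRequest("finance", "payments", False), {"callback_on_record_ok", "manager_approval"}),
        (ResetRequest("store_associate", "stock", True), {"kba"}),
    ]
    for req, ev in scenarios:
        d = evaluate(req, ev)
        print(f"{req.requester_role}/{req.target_system}: requires {d.required.name}, "
              f"allowed={d.allowed} {d.reasons}")
```

The point of the structure is that the analyst never chooses the tier; the request context does, and the audit log records what evidence was accepted for every reset so a compromised account can later be traced back to the exact verification that let it through.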

Why now?

Threat actors have discovered this tactic scales beautifully. It doesn’t require sophisticated tooling or high investment. It relies on human nature, and it succeeds precisely because many organisations are still relying on outdated processes.

Meanwhile, regulators are tightening expectations. Whether it’s PCI DSS for payment environments, GDPR for customer data, or sector-specific mandates like FCA rules, the message is the same: you must prove that your identity controls are not only in place but effective.

The role of technology partners

Addressing this challenge isn’t about buying a single product. It’s about rethinking how your service desk fits into your broader security and compliance posture.

At Softcat, we’re helping organisations in regulated industries step back and re-examine:

  • Who needs which type of verification.
  • Where friction is acceptable — and where it isn’t.
  • How to blend self-service tools, hardware security keys and fallback workflows into a coherent whole.
  • How to future-proof processes as new regulations and technologies emerge.

The organisations that succeed in this next phase won’t be the ones with the flashiest tech stack. They’ll be the ones willing to treat verification as a strategic capability, not an afterthought.

Because in an era where attackers target people first, the real frontline isn’t your firewall — it’s your service desk.

If you’re ready to strengthen your frontline and build a verification process that’s resilient, compliant and user-friendly, we’d love to help you start. Our experts can help you assess your risks and design an approach that protects what matters most. Please get in touch with your Softcat Account Manager, or contact our Sales team!