Human Two Factor Authentication (H2FA)
A colleague of mine used to say: “Just pick up the phone and call…”
“But I just sent them an email” I’d reply.
“Forget the email. You don’t know if they got the email…When they’ll get it... If they’ll read it. This is important”, she’d insist. “Pick up the phone and call.”
She was always right. Countless times, the conversation was the same. “No, I never got that email,” the voice would say. “Thanks for checking in though. I’ll get on it…” or something to that effect. We’ve all been there.
Thanks to that sage advice, we rely on H2FA, or Human Two Factor Authentication, for all actions of consequence. If you’re not sure what that means, this article is for you.
First, for anyone not familiar, “two-factor authentication” is a method of confirming a user’s claimed identity by using a combination of two different factors: 1) something you know (e.g. a password) and 2) something you have (e.g. a phone or an app).
Cyber criminals are continuously refining their social engineering tactics, figuring out new and innovative ways to deceive and manipulate. Don’t believe me? Google “deep fake voice” and see what’s been going on. To stay one step ahead, we’ve gone back to basics - pick up the phone and make a call! Easy to say, a bit more difficult to implement, but absolutely critical in the face of today’s crook. Here’s how it works:
Set the guidelines. Every organization is different, so there’s no one-size-fits-all approach. Make the decision with your team on the parameters. Is it only financial transactions? Does it extend to operational requests? What about atypical requests?
Set the workflow. If the request comes through by email, respond with a text. If you get a text, send an email. And (for those deep-fake phone callers) if you get a phone call, that’s it…send a text.
Make it policy and roll it out. The process becomes part of the employee handbook and is rolled out to all employees company-wide. Employees should understand their roles and responsibilities and be periodically tested.
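As an added illustration (not code from the original post), here is the workflow above expressed as an approval gate: a request of consequence is only approved when the confirmation arrives over the swapped channel and through a contact already on record, never through details carried in the request itself. The channel names, request categories and contact directory are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Channel-swap rule from the post: confirm on a different channel than the
# one the request arrived on (email -> text, text -> email, phone -> text).
OUT_OF_BAND = {"email": "text", "text": "email", "phone": "text"}

# Categories the team decided need H2FA (assumption; the post leaves the
# scope to each organization).
REQUIRES_H2FA = {"financial", "operational", "atypical"}


@dataclass(frozen=True)
class Request:
    requester: str   # who the request claims to come from
    channel: str     # channel it arrived on
    category: str
    reply_to: str    # contact details carried in the request (never trusted)


@dataclass(frozen=True)
class Confirmation:
    channel: str     # channel the confirmation was obtained on
    contact: str     # address or number actually used to reach the person


def verify(request: Request, confirmation: Optional[Confirmation],
           directory: Dict[str, Dict[str, str]]) -> Tuple[bool, str]:
    """Return (approved, reason). Approval needs a confirmation over the
    prescribed out-of-band channel, reached via the contact on record."""
    if request.category not in REQUIRES_H2FA:
        return True, "no H2FA required for this category"
    if confirmation is None:
        return False, "H2FA confirmation missing"
    expected = OUT_OF_BAND.get(request.channel)
    if expected is None:
        return False, f"unknown request channel {request.channel!r}"
    if confirmation.channel != expected:
        return False, f"confirm via {expected}, not {confirmation.channel}"
    # Look up the contact ourselves; request.reply_to is deliberately ignored
    # because a forged request can carry attacker-controlled details.
    on_record = directory.get(request.requester, {}).get(expected)
    if on_record is None or confirmation.contact != on_record:
        return False, "confirmation did not use the contact on record"
    return True, "confirmed out of band"
```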
This is not about getting people in trouble, but rather about creating guidelines, hardening security, and protecting your business.
Does this add time to your day? Yes. But a clearly written policy with easy-to-execute controls can quickly be adopted and become second nature over time.
Now consider the implications of a fraudulent wire transfer or payroll disbursement. It happens all the time, and unlike a ransomware or DDoS attack, once money is transferred it is near impossible to recoup the loss.
Hopefully this simple tactic will keep your company that much safer. If we can ever be of help or service, send us an email or give us a call. Stay safe online!