As reports of people being swindled out of their life savings through phone scams come across our news feeds, many of us wonder how someone could be so naive as to let others take advantage of them in such a preposterous manner. Yet many of us fail to realize that we are sitting ducks for hackers who infiltrate our computers and demand a ransom, or who steal the confidential data we have stockpiled on behalf of our firms and clients, along with our own personal information.
If you received a call from someone who addressed you by name, stated that the monitoring software had alerted them to a threat on your computer, and asked to start a remote session so they could fix it before it infected others in the firm, how would you react? Would you be able to tell whether the call was legitimate or a malicious threat? For situations such as these, it is becoming standard IT practice to implement challenge response systems.
What is a challenge response system?
A challenge response system can be implemented in many forms. You have likely unknowingly participated in some forms, such as the CAPTCHA tests that many websites employ to determine you are a human by clicking on all of the squares that contain a picture of a bike or a car or the like. Your cellphone uses a challenge response system to verify it is you via biometrics such as a thumbprint or facial recognition. While these are great tools, they don’t necessarily work well to validate the specific identity of someone on a phone call or via email.
Though there are many ways to conduct such a safety measure, one of the easiest and least expensive is a code word. Just as many families establish a code word with their children to thwart stranger danger, the same can easily be implemented within a firm. Obviously, with so many parties involved, the word should be rotated on a regular basis. The current code can be stored in a variety of secure places, making it easy for those with legitimate access to the system to confirm that the correct code was used.
Challenge response systems work best when they are performed in a two-way manner, verifying the identity of both parties. This means that whoever receives the request should be the one to ask the other party for the code word. Therefore, if an “IT person” contacts an attorney to gain access to fix something, the attorney should request the code word to ensure it is a valid “IT person” who should have access to the system. Likewise, if an “attorney” contacts an IT person to request assistance with something on their computer, the IT person should request the code word to authenticate that the requestor is actually who they purport to be. As firms grow in size and IT team members change, it becomes difficult to know everyone by name or voice alone.
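To make the rotation, secure storage and two-way check concrete, here is an added example (not code from the original column or from Modern Information Solutions LLC) of a small code-word registry. The class name `CodeWordRegistry`, the `today` clock hook, the 30-day rotation period, the sample code words and the names of the callers are all assumptions made for the illustration. The registry never keeps the code word itself, only a salted PBKDF2 hash of it, compares in constant time, expires the word after the rotation period, and records every failed check so IT can spot someone probing with guesses.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta


class CodeWordRegistry:
    """Stores only a salted hash of the current firm code word plus its expiry date.

    Assumed design: the word is rotated on a fixed schedule, verified in
    constant time, and every failed attempt is logged for review.
    """

    def __init__(self, rotation_days=30, today=date.today):
        self.rotation_days = rotation_days
        self._today = today          # injectable clock so rotation can be tested
        self._salt = None
        self._digest = None
        self.expires = None
        self.failures = []           # (who asked, why it failed)

    @staticmethod
    def _hash(word, salt):
        # Spoken code words arrive with arbitrary case and spacing; normalise
        # before hashing so "Blue Heron " and "blue heron" compare equal.
        normalised = " ".join(word.strip().lower().split()).encode()
        return hashlib.pbkdf2_hmac("sha256", normalised, salt, 100_000)

    def rotate(self, new_word):
        """Install a fresh code word and restart the expiry clock."""
        self._salt = secrets.token_bytes(16)
        self._digest = self._hash(new_word, self._salt)
        self.expires = self._today() + timedelta(days=self.rotation_days)

    def is_expired(self):
        return self.expires is None or self._today() >= self.expires

    def verify(self, requester, offered):
        """The recipient of a request calls this with the word the requester offered."""
        if self.is_expired():
            # An expired word is never accepted; IT must rotate it first.
            self.failures.append((requester, "expired"))
            return False
        ok = hmac.compare_digest(self._hash(offered, self._salt), self._digest)
        if not ok:
            self.failures.append((requester, "wrong code"))
        return ok


def two_way_verify(registry, requester, requester_code, recipient, recipient_code):
    """Both sides challenge each other; the request proceeds only if both pass."""
    requester_ok = registry.verify(requester, requester_code)
    recipient_ok = registry.verify(recipient, recipient_code)
    return requester_ok and recipient_ok


if __name__ == "__main__":
    # Constructed demonstration: a caller claiming to be IT asks an attorney for access.
    reg = CodeWordRegistry()
    reg.rotate("blue heron")
    print("genuine IT caller:", two_way_verify(reg, "helpdesk", "Blue Heron", "attorney", "blue heron"))
    print("impostor guessing:", two_way_verify(reg, "caller-x", "blue herring", "attorney", "blue heron"))
    print("failed attempts:", reg.failures)
```

Because the registry keeps a hash rather than the word, a copy of the stored file does not reveal the code, and the `failures` list gives IT a simple signal: repeated wrong-code entries from one requester are exactly the pattern a social engineer produces.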
The hassle protects your castle
While this extra step may feel like an incredible hassle amid the seemingly 47 other passwords already required to use your computer, it is important to remember that it is there as a reinforcement of protection not only for you, but for your entire firm and client base. No exceptions should be granted to those who find this process burdensome, because one vulnerability in the system exposes everyone to the threat. If the code word option becomes too much of a disruption, there are alternative options that can be administered, but they will likely carry a higher price tag.
It is unfortunate that we live in a world that requires additional proactive steps of protection, but it is reality. As Kevin Mitnick, a convicted hacker-turned-computer security consultant, plainly states, “Companies spend millions of dollars on firewalls and secure access devices, and it’s money wasted because none of these measures address the weakest link in the security chain: the people who use, administer and operate computer systems.”
Since we cannot just get rid of the weakest link, we must strengthen it, and that often requires what may feel like jumping through hoops. Rather than grumble about the inconvenience, consider the time, money and effort that recovering from a data breach would demand, and that this step helps you avoid.
• Deanna Marquez — [email protected] — is a co-owner of Indianapolis-based legal tech company Modern Information Solutions LLC. Areas of service include traditional IT services, software training and litigation support including trial presentation services. Opinions expressed are those of the author.